
slim/slim 4.15.2 fixes XSS in HttpException::setTitle() and setDescription()

24 Jun 2026 · Read 1 min · Severity: schedule it

What changed

Cross-site scripting (XSS) vulnerability in HttpException::setTitle() and setDescription() when untrusted data is passed; fixed in 4.15.2.

Who it affects

Applications that feed untrusted/request-derived data into HttpException::setTitle() and/or setDescription().

What to do today

Upgrade to version 4.15.2 or apply workarounds: avoid passing untrusted data to setTitle/setDescription, or register a custom error renderer that escapes output.
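
For the custom-renderer workaround, the following is an added example, not code from Slim or from the advisory. The class name `EscapingHtmlErrorRenderer` is hypothetical, and the script assumes slim/slim 4 and a PSR-7 implementation (for example slim/psr7) are installed via Composer.

```php
<?php
declare(strict_types=1);

use Slim\Exception\HttpException;
use Slim\Factory\AppFactory;
use Slim\Interfaces\ErrorRendererInterface;

require __DIR__ . '/vendor/autoload.php';

// Hypothetical renderer name; implements Slim's ErrorRendererInterface.
final class EscapingHtmlErrorRenderer implements ErrorRendererInterface
{
    public function __invoke(Throwable $exception, bool $displayErrorDetails): string
    {
        // Fixed, trusted defaults for anything that is not an HttpException.
        $title = 'Application Error';
        $description = 'An error occurred while processing the request.';

        if ($exception instanceof HttpException) {
            // These may carry request-derived data, so treat them as untrusted.
            $title = $exception->getTitle();
            $description = $exception->getDescription();
        }

        return sprintf(
            '<!doctype html><html><head><meta charset="utf-8"><title>%1$s</title></head>'
            . '<body><h1>%1$s</h1><p>%2$s</p></body></html>',
            self::esc($title),
            self::esc($description)
        );
    }

    // Escape for HTML element content and quoted attribute values.
    private static function esc(string $value): string
    {
        return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

$app = AppFactory::create();

// Replace the default text/html renderer with the escaping one.
$errorMiddleware = $app->addErrorMiddleware(false, true, true);
$errorMiddleware->getDefaultErrorHandler()
    ->registerErrorRenderer('text/html', EscapingHtmlErrorRenderer::class);

$app->run();
```

The renderer only covers `text/html` responses; any other custom renderer that emits HTML needs the same escaping.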
