Nixpkgs security tracker

Login with GitHub

Suggestions search

All statuses
Filter by:
With package: prettier-d-slim

Found 1 matching suggestions

View:
Compact
Detailed
Dismissed
(not in Nixpkgs)
Permalink CVE-2026-48157
6.1 MEDIUM
  • CVSS version (CVSS): 3.1
  • Attack Vector (AV): Network (N)
  • Attack Complexity (AC): Low (L)
  • Privileges Required (PR): None (N)
  • User Interaction (UI): Required (R)
  • Scope (S): Changed (C)
  • Confidentiality (C): Low (L)
  • Integrity (I): Low (L)
  • Availability (A): None (N)
  • Modified Attack Vector (MAV): Network (N)
  • Modified Attack Complexity (MAC): Low (L)
  • Modified Privileges Required (MPR): None (N)
  • Modified User Interaction (MUI): Required (R)
  • Modified Confidentiality (MC): Low (L)
  • Modified Scope (MS): Changed (C)
  • Modified Integrity (MI): Low (L)
  • Modified Availability (MA): None (N)
updated 1 week, 3 days ago by @LeSuisse Activity log
  • Created suggestion 1 week, 3 days ago
  • @LeSuisse dismissed (not in Nixpkgs) 1 week, 3 days ago
Slim has Reflected XSS in the HtmlErrorRenderer

Slim is a PHP micro framework that enables users to write simple web applications and APIs. In versions 4.4.0 through 4.15, if an application uses HttpException::setTitle() and/or setDescription() to include untrusted/request-derived data in the error title or description (e.g. "No products found matching '{$query}'."), an attacker could inject arbitrary HTML/JavaScript that executes in the victim's browser when they encounter an HTML error page generated by Slim. The vulnerability is present even with displayErrorDetails = false as the unescaped title and description are rendered on this error path. Built-in exceptions (HttpNotFoundException, HttpBadRequestException, etc.) ship plain-text defaults, so a vanilla Slim app with no user code is not exploitable. Only applications that feed untrusted data into setTitle() and/or setDescription() are affected. The issue has been fixed in 4.15.2. If developers are unable to immediately update their applications, they can work around this issue by avoiding passing untrusted/request-derived data into HttpException::setTitle() and setDescription() and using static, plain-text error copy instead. They should also register a custom error renderer (an ErrorRendererInterface implementation, or a subclass of HtmlErrorRenderer that escapes the title and description) for the HTML media type.

Affected products

Slim
  • ==>= 4.4.0, < 4.15.2

Matching in nixpkgs

pkgs.slimevr

App for facilitating full-body tracking in virtual reality

pkgs.slimserver

Lyrion Music Server (formerly Logitech Media Server) is open-source server software which controls a wide range of Squeezebox audio players

  • nixos-unstable 9.1.0
    • nixpkgs-unstable 9.1.0
    • nixos-unstable-small 9.1.0
  • nixos-26.05 -
    • nixos-26.05-small 9.1.0
    • nixpkgs-26.05-darwin 9.1.0

pkgs.messer-slim

Evolutionary simulation framework

  • nixos-unstable 5.1
    • nixpkgs-unstable 5.1
    • nixos-unstable-small 5.1
  • nixos-26.05 -
    • nixos-26.05-small 5.1
    • nixpkgs-26.05-darwin 5.1

pkgs.slimevr-server

App for facilitating full-body tracking in virtual reality

pkgs.awslimitchecker

Script and python package to check your AWS service limits and usage via boto3

pkgs.haskellPackages.http-slim

A library for client/server HTTP with TLS support

  • nixos-unstable 1.2
    • nixpkgs-unstable 1.2
    • nixos-unstable-small 1.2
  • nixos-26.05 -
    • nixos-26.05-small 1.2
    • nixpkgs-26.05-darwin 1.2

Package maintainers