Description

Saloon is a PHP library that gives users tools to build API integrations and SDKs. Prior to version 4.0.0, fixture names were used to build file paths under the configured fixture directory without validation. A name containing path segments (e.g. ../traversal or ../../etc/passwd) resulted in a path outside that directory. When the application read a fixture (e.g. for mocking) or wrote one (e.g. when recording responses), it could read or write files anywhere the process had access. If the fixture name was derived from user or attacker-controlled input (e.g. request parameters or config), this constituted a path traversal vulnerability and could lead to disclosure of sensitive files or overwriting of critical files. The fix in version 4.0.0 adds validation in the fixture layer (rejecting names with /, \, .., or null bytes, and restricting to a safe character set) and defense-in-depth in the storage layer (ensuring the resolved path remains under the base directory before any read or write).

INFO

Published Date :

2026-03-26T00:25:53.838Z

Last Modified :

2026-03-26T18:21:32.435Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-33183 vulnerability.

Vendors Products
Saloon
  • Saloon
Saloonphp
  • Saloon
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-33183.

URL Resource
https://docs.saloon.dev/upgrade/upgrading-from-v3-to-v4 cve-icon cve-icon
https://github.com/saloonphp/saloon/security/advisories/GHSA-f7xc-5852-fj99 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability
Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact