Vulnerability Description
Saloon is a PHP library that gives users tools to build API integrations and SDKs. Prior to version 4.0.0, fixture names were used to build file paths under the configured fixture directory without validation. A name containing path segments (e.g. ../traversal or ../../etc/passwd) resulted in a path outside that directory. When the application read a fixture (e.g. for mocking) or wrote one (e.g. when recording responses), it could read or write files anywhere the process had access. If the fixture name was derived from user or attacker-controlled input (e.g. request parameters or config), this constituted a path traversal vulnerability and could lead to disclosure of sensitive files or overwriting of critical files. The fix in version 4.0.0 adds validation in the fixture layer (rejecting names with /, \, .., or null bytes, and restricting to a safe character set) and defense-in-depth in the storage layer (ensuring the resolved path remains under the base directory before any read or write).
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Saloon | Saloon | < 4.0.0 |
Related Weaknesses (CWE)
References
- https://docs.saloon.dev/upgrade/upgrading-from-v3-to-v4Release Notes
- https://github.com/saloonphp/saloon/security/advisories/GHSA-f7xc-5852-fj99Vendor Advisory
FAQ
What is CVE-2026-33183?
CVE-2026-33183 is a vulnerability with a CVSS score of 9.1 (CRITICAL). Saloon is a PHP library that gives users tools to build API integrations and SDKs. Prior to version 4.0.0, fixture names were used to build file paths under the configured fixture directory without va...
How severe is CVE-2026-33183?
CVE-2026-33183 has been rated CRITICAL with a CVSS base score of 9.1/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2026-33183?
Check the references section above for vendor advisories and patch information. Affected products include: Saloon Saloon.