CVE-2026-33183CRITICAL 9.1EPSS p42.5%

CVE-2026-33183CVE-2026-33183

Description

Saloon is a PHP library that gives users tools to build API integrations and SDKs. Prior to version 4.0.0, fixture names were used to build file paths under the configured fixture directory without validation. A name containing path segments (e.g. ../traversal or ../../etc/passwd) resulted in a path outside that directory. When the application read a fixture (e.g. for mocking) or wrote one (e.g. when recording responses), it could read or write files anywhere the process had access. If the fixture name was derived from user or attacker-controlled input (e.g. request parameters or config), this constituted a path traversal vulnerability and could lead to disclosure of sensitive files or overwriting of critical files. The fix in version 4.0.0 adds validation in the fixture layer (rejecting names with /, \, .., or null bytes, and restricting to a safe character set) and defense-in-depth in the storage layer (ensuring the resolved path remains under the base directory before any read or write).

Scoring

CVSS 3.19.1 (CRITICAL)
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS0.57% probability of exploitation · percentile 42.5% · 2026-06-19T12:03:05Z
Published2026-03-26
Last modified2026-03-30

Underlying weaknesses· 1

CWE-22

References

  1. https://docs.saloon.dev/upgrade/upgrading-from-v3-to-v4
  2. https://github.com/saloonphp/saloon/security/advisories/GHSA-f7xc-5852-fj99

1

TypeTargetConfidenceTier
WeaknessImproper Limitation of a Pathname to a Restricted Directory ('Path Traversal')cwe-220%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2026-33942
CVE
CVE-2026-11419
CVE
CVE-2026-22256
CVE
CVE-2025-41736
CVE
CVE-2025-65346
CVE
CVE-2026-31939
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.