CVE-2026-33942 · CRITICAL 9.8 · EPSS p45.1%


Description

Saloon is a PHP library that gives users tools to build API integrations and SDKs. Versions prior to 4.0.0 used PHP's unserialize() in AccessTokenAuthenticator::unserialize() to restore OAuth token state from cache or storage, with allowed_classes => true. An attacker who can control the serialized string (e.g. by overwriting a cached token file or via another injection) can supply a serialized "gadget" object. When unserialize() runs, PHP instantiates that object and runs its magic methods (__wakeup, __destruct, etc.), leading to PHP object injection. In environments with common dependencies (e.g. Monolog), this can be chained to remote code execution (RCE). The fix in version 4.0.0 removes PHP serialization from the AccessTokenAuthenticator class, requiring users to store and resolve the authenticator manually.
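The contrast the description draws (unserialize() with allowed_classes => true versus storing and resolving token state manually) is shown below as an added illustration. This is not Saloon's code: the names CachedToken, Canary, restoreTokenUnsafe and restoreTokenNoClasses are hypothetical, the token values are constructed, and the script assumes PHP 8.1 or later.

```php
<?php
// Added illustration of the CWE-502 pattern in the advisory above; not Saloon's code.
// All class and function names here are hypothetical.
declare(strict_types=1);

// Risky pattern: restoring token state with unserialize() and allowed_classes => true.
// Any autoloadable class can be instantiated from attacker-controlled bytes, and its
// __wakeup()/__destruct() run before the caller ever inspects the result.
function restoreTokenUnsafe(string $blob): mixed
{
    return unserialize($blob, ['allowed_classes' => true]);
}

// Safer variant 1: keep the cache format but forbid object instantiation entirely.
// A serialized object then decodes to __PHP_Incomplete_Class and no magic methods run;
// we additionally require the payload to be a plain array.
function restoreTokenNoClasses(string $blob): array
{
    $value = unserialize($blob, ['allowed_classes' => false]);
    if (!is_array($value)) {
        throw new UnexpectedValueException('token payload must be a plain array');
    }
    return $value;
}

// Safer variant 2 (the "store and resolve manually" approach): persist only scalar
// fields as JSON and rebuild the object yourself from validated values.
final class CachedToken
{
    public function __construct(
        public readonly string $accessToken,
        public readonly ?string $refreshToken,
        public readonly ?int $expiresAt,
    ) {}

    public function toJson(): string
    {
        return json_encode([
            'access_token'  => $this->accessToken,
            'refresh_token' => $this->refreshToken,
            'expires_at'    => $this->expiresAt,
        ], JSON_THROW_ON_ERROR);
    }

    public static function fromJson(string $json): self
    {
        $data = json_decode($json, true, 8, JSON_THROW_ON_ERROR);
        if (!is_array($data) || !is_string($data['access_token'] ?? null)) {
            throw new UnexpectedValueException('malformed token payload');
        }
        $refresh = $data['refresh_token'] ?? null;
        $expires = $data['expires_at'] ?? null;
        if (($refresh !== null && !is_string($refresh)) || ($expires !== null && !is_int($expires))) {
            throw new UnexpectedValueException('malformed token payload');
        }
        return new self($data['access_token'], $refresh, $expires);
    }
}

// Harmless canary class standing in for a "gadget": it only reports that it was revived.
class Canary
{
    public function __wakeup(): void
    {
        echo "Canary::__wakeup ran: an object was instantiated during unserialize()\n";
    }
}

// Constructed sample inputs: a legitimate array payload and a serialized Canary object.
$legitBlob  = serialize(['access_token' => 'tok_example', 'expires_at' => 1700000000]);
$objectBlob = serialize(new Canary());

restoreTokenUnsafe($objectBlob);           // the Canary is revived and its __wakeup() runs

$safe = restoreTokenNoClasses($legitBlob); // plain arrays still round-trip
try {
    restoreTokenNoClasses($objectBlob);    // the object payload is rejected, nothing executes
} catch (UnexpectedValueException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}

$json  = (new CachedToken('tok_example', null, 1700000000))->toJson();
$token = CachedToken::fromJson($json);     // JSON carries no class names at all
```

With allowed_classes => false the serialized Canary decodes to __PHP_Incomplete_Class, so the array check in restoreTokenNoClasses rejects it without any method having run; the JSON-based CachedToken removes the class-name channel entirely, which is the shape of the manual store/resolve step the 4.0.0 fix asks callers to implement.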

Scoring

CVSS 3.1: 9.8 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.62% probability of exploitation · percentile 45.1% · 2026-06-18T12:00:27Z
Published: 2026-03-26
Last modified: 2026-03-26

Underlying weaknesses · 1

CWE-502

References

  1. https://docs.saloon.dev/upgrade/upgrading-from-v3-to-v4
  2. https://github.com/saloonphp/saloon/security/advisories/GHSA-rf88-776r-rcq9

Weakness mapping · 1

Type     | Target                                      | Confidence | Tier
Weakness | Deserialization of Untrusted Data (cwe-502) | 0%         | live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE: CVE-2026-33183
  2. CVE: CVE-2026-27206
  3. CVE: CVE-2026-42471
  4. CVE: CVE-2026-23542
  5. CVE: CVE-2025-53242
  6. CVE: CVE-2026-33993

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.