CVE-2026-33183
published 2026-03-26CVE-2026-33183: Saloon is a PHP library that gives users tools to build API integrations and SDKs. Prior to version 4.0.0, fixture names were used to build file paths under…
PriorityP356critical9.1CVSS 3.1
AVNACLPRNUINSUCHIHAN
EPSS
0.57%
42.7th percentile
Saloon is a PHP library that gives users tools to build API integrations and SDKs. Prior to version 4.0.0, fixture names were used to build file paths under the configured fixture directory without validation. A name containing path segments (e.g. ../traversal or ../../etc/passwd) resulted in a path outside that directory. When the application read a fixture (e.g. for mocking) or wrote one (e.g. when recording responses), it could read or write files anywhere the process had access. If the fixture name was derived from user or attacker-controlled input (e.g. request parameters or config), this constituted a path traversal vulnerability and could lead to disclosure of sensitive files or overwriting of critical files. The fix in version 4.0.0 adds validation in the fixture layer (rejecting names with /, \, .., or null bytes, and restricting to a safe character set) and defense-in-depth in the storage layer (ensuring the resolved path remains under the base directory before any read or write).
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| saloon | saloon | < 4.0.0 | 4.0.0 |
| saloonphp | saloon | < 4.0.0 | 4.0.0 |
| saloonphp | saloon | >= 0 < 4.0.0 | 4.0.0 |
CVSS provenance
nvdv3.19.1CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
nvdv4.08.0HIGHCVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
Saloon has a Fixture Name Path Traversal Vulnerability
ghsa·2026-03-25
CVE-2026-33183 [MEDIUM] CWE-125 Saloon has a Fixture Name Path Traversal Vulnerability
Saloon has a Fixture Name Path Traversal Vulnerability
### Impact
Users with MockResponse fixtures that use path traversal.
### Patches
Upgrade to Saloon v4+
Upgrade guide: https://docs.saloon.dev/upgrade/upgrading-from-v3-to-v4
### Description
Fixture names were used to build file paths under the configured fixture directory without validation. A name containing path segments (e.g. ../traversal or ../../etc/passwd) resulted in a path outside that directory. When the application read a fixture (e.g. for mocking) or wrote one (e.g. when recording responses), it could read or write files anywhere the process had access. If the fixture name was derived from user or attacker-controlled input (e.g. request parameters or config), this constituted a path traversal vulnerability and could lead
OSV
Saloon has a Fixture Name Path Traversal Vulnerability
osv·2026-03-25
CVE-2026-33183 [MEDIUM] Saloon has a Fixture Name Path Traversal Vulnerability
Saloon has a Fixture Name Path Traversal Vulnerability
### Impact
Users with MockResponse fixtures that use path traversal.
### Patches
Upgrade to Saloon v4+
Upgrade guide: https://docs.saloon.dev/upgrade/upgrading-from-v3-to-v4
### Description
Fixture names were used to build file paths under the configured fixture directory without validation. A name containing path segments (e.g. ../traversal or ../../etc/passwd) resulted in a path outside that directory. When the application read a fixture (e.g. for mocking) or wrote one (e.g. when recording responses), it could read or write files anywhere the process had access. If the fixture name was derived from user or attacker-controlled input (e.g. request parameters or config), this constituted a path traversal vulnerability and could lead
No detection rules found.
No public exploits indexed.
2026-03-26
Published