CVE-2026-33183

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-33183

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33183.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2026-33183

Aliases

GHSA-f7xc-5852-fj99

Published

2026-03-26T00:25:53.838Z

Modified

2026-04-10T05:43:09.098653Z

Severity

8.0 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U CVSS Calculator

Summary

Saloon has a Fixture Name Path Traversal Vulnerability

Details

Saloon is a PHP library that gives users tools to build API integrations and SDKs. Prior to version 4.0.0, fixture names were used to build file paths under the configured fixture directory without validation. A name containing path segments (e.g. ../traversal or ../../etc/passwd) resulted in a path outside that directory. When the application read a fixture (e.g. for mocking) or wrote one (e.g. when recording responses), it could read or write files anywhere the process had access. If the fixture name was derived from user or attacker-controlled input (e.g. request parameters or config), this constituted a path traversal vulnerability and could lead to disclosure of sensitive files or overwriting of critical files. The fix in version 4.0.0 adds validation in the fixture layer (rejecting names with /, \, .., or null bytes, and restricting to a safe character set) and defense-in-depth in the storage layer (ensuring the resolved path remains under the base directory before any read or write).

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33183.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-22"
    ]
}

References

Affected packages

Git / github.com/saloonphp/saloon

Affected ranges

Type

GIT

Repo

https://github.com/saloonphp/saloon

Events

Introduced

Fixed

1307b1d72cacdd2c9c20978cdf7a0b720b4bf3bb

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "4.0.0"
        }
    ]
}

Affected versions

v0.*

v0.0.1

v0.0.2

v0.0.3

v0.0.4

v0.1.0

v0.10.0

v0.11.0

v0.2.0

v0.3.0

v0.3.1

v0.4.0

v0.4.1

v0.5.0

v0.6.0

v0.6.1

v0.6.2

v0.6.3

v0.6.4

v0.6.5

v0.6.6

v0.7.0

v0.7.1

v0.7.2

v0.8.0

v0.8.1

v0.8.2

v0.8.3

v0.9.0

v0.9.1

v0.9.2

v1.*

v1.0

v1.0.1

v1.1.0

v1.2.0

v2.*

v2.0.0

v2.0.0-beta1

v2.0.0-beta2

v2.0.0-beta3

v2.0.0-beta4

v2.0.0-beta5

v2.0.0-beta6

v2.0.0-beta7

v2.0.1

v2.0.2

v2.1.0

v2.2.0

v2.3.0

v2.4.0

v2.5.0

v2.6.0

v2.6.1

v2.6.2

v2.6.3

v3.*

v3.0.0

v3.0.0-beta.1

v3.0.0-beta.2

v3.0.0-beta.3

v3.0.0-beta.4

v3.0.0-beta.5

v3.0.0-beta.6

v3.0.0-beta.7

v3.0.1

v3.0.2

v3.0.3

v3.0.4

v3.0.5

v3.0.6

v3.1.0

v3.10.0

v3.10.1

v3.11.0

v3.11.1

v3.11.2

v3.12.0

v3.13.0

v3.13.1

v3.14.0

v3.14.1

v3.14.2

v3.14.3

v3.15.0

v3.2.0

v3.3.0

v3.3.1

v3.3.2

v3.4.0

v3.4.1

v3.4.2

v3.5.0

v3.6.0

v3.6.1

v3.6.2

v3.6.3

v3.6.4

v3.7.0

v3.8.0

v3.8.1

v3.9.0

v3.9.1

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33183.json"