{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33183", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-17T22:16:36.720Z", "datePublished": "2026-03-26T00:25:53.838Z", "dateUpdated": "2026-03-26T00:27:36.804Z"}, "containers": {"cna": {"title": "Saloon has a Fixture Name Path Traversal Vulnerability", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 8, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U", "version": "4.0"}}], "references": [{"name": "https://github.com/saloonphp/saloon/security/advisories/GHSA-f7xc-5852-fj99", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/saloonphp/saloon/security/advisories/GHSA-f7xc-5852-fj99"}, {"name": "https://docs.saloon.dev/upgrade/upgrading-from-v3-to-v4", "tags": ["x_refsource_MISC"], "url": "https://docs.saloon.dev/upgrade/upgrading-from-v3-to-v4"}], "affected": [{"vendor": "saloonphp", "product": "saloon", "versions": [{"version": "< 4.0.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-26T00:27:36.804Z"}, "descriptions": [{"lang": "en", "value": "Saloon is a PHP library that gives users tools to build API integrations and SDKs. Prior to version 4.0.0, fixture names were used to build file paths under the configured fixture directory without validation. A name containing path segments (e.g. ../traversal or ../../etc/passwd) resulted in a path outside that directory. When the application read a fixture (e.g. for mocking) or wrote one (e.g. when recording responses), it could read or write files anywhere the process had access. If the fixture name was derived from user or attacker-controlled input (e.g. request parameters or config), this constituted a path traversal vulnerability and could lead to disclosure of sensitive files or overwriting of critical files. The fix in version 4.0.0 adds validation in the fixture layer (rejecting names with /, \\, .., or null bytes, and restricting to a safe character set) and defense-in-depth in the storage layer (ensuring the resolved path remains under the base directory before any read or write)."}], "source": {"advisory": "GHSA-f7xc-5852-fj99", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Saloon is a PHP library that gives users tools to build API integrations and SDKs. Prior to version 4.0.0, fixture names were used to build file paths under the configured fixture directory without validation. A name containing path segments (e.g. ../traversal or ../../etc/passwd) resulted in a path outside that directory. When the application read a fixture (e.g. for mocking) or wrote one (e.g. when recording responses), it could read or write files anywhere the process had access. If the fixture name was derived from user or attacker-controlled input (e.g. request parameters or config), this constituted a path traversal vulnerability and could lead to disclosure of sensitive files or overwriting of critical files. The fix in version 4.0.0 adds validation in the fixture layer (rejecting names with /, \\, .., or null bytes, and restricting to a safe character set) and defense-in-depth in the storage layer (ensuring the resolved path remains under the base directory before any read or write)."}], "id": "CVE-2026-33183", "lastModified": "2026-03-26T01:16:27.210", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.0, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "UNREPORTED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-26T01:16:27.210", "references": [{"source": "security-advisories@github.com", "url": "https://docs.saloon.dev/upgrade/upgrading-from-v3-to-v4"}, {"source": "security-advisories@github.com", "url": "https://github.com/saloonphp/saloon/security/advisories/GHSA-f7xc-5852-fj99"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,4.0.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "saloon", "source": "cna", "vendor": "saloonphp"}, "product": "saloon", "vendor": "saloonphp"}], "analysis": {"en": {"generated_at": "2026-03-26T03:12:40.264563+00:00", "value": {"mitigation_remediation": ["Upgrade to Saloon v4.0.0 or later to apply the built\u2011in path validation and directory confinement.", "If an upgrade cannot be performed immediately, validate all fixture names in the application layer, rejecting any that contain \"/\", \"\\\\\", \"..\", or null bytes to prevent traversal.", "Restrict the file system permissions of the process running Saloon to the minimum privileges required, reducing the potential impact of any remaining traversal attempts."], "summary": {"action": "Immediate Patch", "impact": "Confidentiality and Integrity Compromise via Arbitrary File Access"}, "threat_synthesis": {"affected_systems": "All releases of the Saloon PHP library provided by saloonphp prior to version 4.0.0 are affected. The product was patched in release 4.0.0, which introduced strict validation for fixture names and a final check to ensure the resolved path remains within the base directory. Users of older versions must upgrade to at least 4.0.0 to eliminate the path traversal flaw.", "description_and_impact": "Saloon is a PHP library for building API integrations that, in versions before 4.0.0, allowed fixture names to be concatenated to the fixture directory path without validation. If an attacker supplied a fixture name containing characters such as \"/\", \"\\\\\", or the traversal string \"..\", the library would resolve a path outside the intended directory. This flaw permits the application to read any file the PHP process can access and to overwrite arbitrary files, exposing sensitive data and potentially corrupting critical system files. The vulnerability therefore directly impacts confidentiality and integrity of files on the host where the process runs.", "risk_and_exploitability": "The CVSS score of 8 indicates a high severity for this path traversal flaw. No EPSS score is available, and the issue is not listed in the CISA KEV catalog, but the possibility to read or overwrite arbitrary files makes it a critical security concern. Exploitation is straightforward when the application accepts a fixture name from user input, request parameters, or configuration, allowing an attacker to supply a traversal name that causes the library to access files outside its intended directory."}}}}, "created": "2026-03-26T11:30:55.697581+00:00", "updated": "2026-03-26T12:08:57.547825+00:00", "vendors": ["saloonphp", "saloonphp$PRODUCT$saloon"]}