PT-2026-28161 · Saloon · Saloon

Huajihd · Published 2026-03-25 · Updated 2026-03-26 · CVE-2026-33183

CVSS v3.1: 9.1 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Saloon versions prior to 4.0.0
Description: Saloon is a PHP library for building API integrations and SDKs. Prior to version 4.0.0, the library did not validate fixture names before building file paths from them. A name containing path segments, such as ../traversal or ../../etc/passwd, therefore resolved to a path outside the intended fixture directory, so reading or writing a fixture could read or modify any file the process had permission to access. Where the fixture name came from user-controlled input, such as request parameters or configuration settings, this is a path traversal vulnerability. Version 4.0.0 adds validation in the fixture layer that rejects names containing /, \, .. or null bytes and restricts names to a safe character set. As a defense-in-depth mechanism, the storage layer now also verifies that the resolved path remains within the base directory before any read or write operation.
Recommendations: Upgrade to Saloon version 4.0.0 or later.
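The two layers the fix describes, as an added example that is not Saloon's own code; the function and class names, the `.json` suffix and the error messages are assumptions made for the illustration:

```php
<?php
// Added example, not Saloon's own code: the two layers the advisory describes, a strict fixture-name
// check and a path-containment check in the storage layer. Function and class names are hypothetical.
// Layer 1 (fixture layer): reject separators, "..", null bytes, then whitelist the character set.
function validateFixtureName(string $name): string
{
    if ($name === '' || str_contains($name, "\0") || str_contains($name, '..')
        || str_contains($name, '/') || str_contains($name, '\\')) {
        throw new InvalidArgumentException('empty name, null byte, separator or ".."');
    }
    if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$/', $name)) {
        throw new InvalidArgumentException('characters outside [A-Za-z0-9._-]');
    }
    return $name;
}
final class FixtureStorage
{
    private string $baseDir;
    public function __construct(string $baseDir)
    {
        $real = realpath($baseDir);
        if ($real === false) throw new RuntimeException("base directory missing: $baseDir");
        $this->baseDir = $real;
    }
    // Layer 2 (storage layer, defense in depth): canonicalise the parent directory, which exists
    // even before the fixture file is written, and require it to sit under the base directory.
    public function resolve(string $name): string
    {
        if (str_contains($name, "\0")) throw new RuntimeException('null byte in fixture name');
        $candidate = $this->baseDir . DIRECTORY_SEPARATOR . $name . '.json';
        $parent = realpath(dirname($candidate));
        $prefix = $this->baseDir . DIRECTORY_SEPARATOR;
        if ($parent === false || !str_starts_with($parent . DIRECTORY_SEPARATOR, $prefix)) {
            throw new RuntimeException('resolved path escapes the base directory');
        }
        return $parent . DIRECTORY_SEPARATOR . basename($candidate);
    }
}
// Demo against the system temp directory (no files are created). Each layer runs on its own,
// so the storage-layer check is seen rejecting the advisory's names even without layer 1.
$storage = new FixtureStorage(sys_get_temp_dir());
foreach (['users-index', '../traversal', '../../etc/passwd', "x\0.json"] as $name) {
    foreach (['validateFixtureName', [$storage, 'resolve']] as $check) {
        try {
            echo 'ok: ', $check($name), PHP_EOL;
        } catch (InvalidArgumentException | RuntimeException $e) {
            echo 'rejected ', json_encode($name), ': ', $e->getMessage(), PHP_EOL;
        }
    }
}
```

Requires PHP 8.0 or later for `str_contains` and `str_starts_with`; in real code `read()` and `write()` would call `resolve()` only with a name that has already passed `validateFixtureName()`.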

Exploit

Fix

Path traversal

Memory Corruption

Out of bounds Read

Weakness Enumeration

Related Identifiers: CVE-2026-33183, GHSA-F7XC-5852-FJ99

Affected Products: Saloon