Description
Saloon is a PHP library that gives users tools to build API integrations and SDKs. Prior to version 4.0.0, fixture names were used to build file paths under the configured fixture directory without validation. A name containing path segments (e.g. ../traversal or ../../etc/passwd) resulted in a path outside that directory. When the application read a fixture (e.g. for mocking) or wrote one (e.g. when recording responses), it could read or write files anywhere the process had access. If the fixture name was derived from user or attacker-controlled input (e.g. request parameters or config), this constituted a path traversal vulnerability and could lead to disclosure of sensitive files or overwriting of critical files. The fix in version 4.0.0 adds validation in the fixture layer (rejecting names with /, \, .., or null bytes, and restricting to a safe character set) and defense-in-depth in the storage layer (ensuring the resolved path remains under the base directory before any read or write).
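The two layers the description names, name validation in the fixture layer and a containment check in the storage layer, can be illustrated with a short PHP script. This is an added example written for this page, not Saloon's own code; the allowed character set, the `.json` suffix, the function names and the temp-directory base are assumptions, and it relies on PHP 8 string helpers.

```php
<?php
// Added illustrative example, not Saloon's code: the two checks the advisory
// describes, fixture-name validation (layer 1) plus base-directory
// containment (layer 2), shown beside the unvalidated "before" pattern.

final class FixtureNameException extends \InvalidArgumentException {}

/**
 * Layer 1 (fixture layer): reject names carrying path separators, "..",
 * null bytes, or any character outside a conservative allow-list.
 * The allow-list [A-Za-z0-9_.-] is an assumption for this example.
 */
function validateFixtureName(string $name): string
{
    if ($name === '' || str_contains($name, "\0")) {
        throw new FixtureNameException('Fixture name is empty or contains a null byte');
    }
    if (str_contains($name, '/') || str_contains($name, '\\') || str_contains($name, '..')) {
        throw new FixtureNameException("Fixture name must not contain path segments: {$name}");
    }
    if (!preg_match('/\A[A-Za-z0-9_.-]+\z/', $name)) {
        throw new FixtureNameException("Fixture name contains disallowed characters: {$name}");
    }
    return $name;
}

/**
 * Layer 2 (storage layer): canonicalise and refuse any resolved path that
 * does not stay under the base directory, even if layer 1 was bypassed.
 * realpath() is applied to the parent directory so the check also works
 * for files that do not exist yet (e.g. when recording a new fixture).
 */
function resolveFixturePath(string $baseDir, string $name): string
{
    $base = realpath($baseDir);
    if ($base === false) {
        throw new \RuntimeException("Fixture directory does not exist: {$baseDir}");
    }
    $candidate = $base . DIRECTORY_SEPARATOR . $name . '.json';
    $parent = realpath(dirname($candidate));
    // The canonical parent must be the base itself or sit strictly below it.
    $inside = $parent !== false
        && ($parent === $base || str_starts_with($parent, $base . DIRECTORY_SEPARATOR));
    if (!$inside) {
        throw new \RuntimeException('Resolved fixture path escapes the fixture directory');
    }
    return $candidate;
}

// "Before" pattern the advisory describes: the name is joined straight into
// the path, so "../../etc/passwd" resolves outside the fixture directory.
function unsafeFixturePath(string $baseDir, string $name): string
{
    return $baseDir . '/' . $name . '.json';
}

// Demonstration with constructed inputs (assumed base directory under tmp).
$baseDir = sys_get_temp_dir() . '/saloon-fixtures-example';
@mkdir($baseDir, 0700, true);

foreach (['users.index', '../traversal', "evil\0name", '../../etc/passwd'] as $name) {
    $shown = str_replace("\0", '\\0', $name);
    echo "unsafe join would use: " . unsafeFixturePath($baseDir, $shown) . "\n";
    try {
        $path = resolveFixturePath($baseDir, validateFixtureName($name));
        echo "accepted: {$shown} -> {$path}\n";
    } catch (\Exception $e) {
        echo "rejected: {$shown} (" . $e->getMessage() . ")\n";
    }
}

// Layer 2 on its own still stops a traversal that skipped layer 1.
try {
    resolveFixturePath($baseDir, '../traversal');
} catch (\RuntimeException $e) {
    echo "storage layer alone rejected ../traversal: " . $e->getMessage() . "\n";
}
```

Run it with `php example.php`: the plain name is accepted, the three hostile names are rejected by the validator, and the final call shows the containment check catching a traversal even when the validator is not in the path. Checking the canonical parent directory rather than the file itself is what lets the write (recording) case be guarded before the file exists.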
Published: 2026-03-26
Score: 8 High
EPSS: < 1% Very Low
KEV: No
Impact: Data Disclosure & File Modification
Action: Immediate Patch
AI Analysis

Impact

Saloon, a PHP library used for API integrations, contains a path traversal flaw in its fixture handling logic. Before version 4.0.0 the system accepted fixture names directly as file path components. An attacker who could influence the fixture name, such as through request parameters or configuration values, could inject path segments like ../ or ../../etc/passwd. This allows reading arbitrary files or writing files wherever the PHP process has permission. The flaw maps to CWE‑22 and poses a threat to confidentiality and integrity.

Affected Systems

The issue affects saloonphp:saloon products for all releases prior to 4.0.0. There is no narrower version restriction listed; therefore any version from the earliest releases up to 3.x is vulnerable. The vendor recommends upgrading to version 4.0.0 or later, where input validation and path checking have been added to the fixture layer.

Risk and Exploitability

The CVSS score of 8.0 indicates high severity, while the EPSS score of less than 1% suggests a low probability of exploitation in the wild. The vulnerability is not catalogued in CISA KEV. Exploitation requires that the fixture name be taken from a user‑controlled source, so the vector is likely application‑level, for example an API endpoint that creates new fixtures or a legacy configuration file. The confirmed risk is that an adversary could read sensitive system files or overwrite configuration and code files, potentially leading to compromise of the application or further lateral movement.

Generated by OpenCVE AI on March 30, 2026 at 18:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Saloon to version 4.0.0 or later.
  • If an upgrade is not immediately possible, restrict fixture handling to trusted inputs or disable it for user‑controlled data.
  • Verify that the fixture directory resides in a location not exposed to the web and that file write operations are restricted to that directory.


Tracking


Advisories
Source: Github GHSA
ID: GHSA-f7xc-5852-fj99
Title: Saloon has a Fixture Name Path Traversal Vulnerability
History

Mon, 30 Mar 2026 17:00:00 +0000

First Time appeared (values added): Saloon; Saloon saloon
CPEs (values added): cpe:2.3:a:saloon:saloon:*:*:*:*:*:*:*:*
Vendors & Products (values added): Saloon; Saloon saloon
Metrics cvssV3_1 (values added): {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}


Thu, 26 Mar 2026 19:15:00 +0000

Metrics ssvc (values added): {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 26 Mar 2026 12:00:00 +0000

First Time appeared (values added): Saloonphp; Saloonphp saloon
Vendors & Products (values added): Saloonphp; Saloonphp saloon

Thu, 26 Mar 2026 01:00:00 +0000

Description (values added): Saloon is a PHP library that gives users tools to build API integrations and SDKs. Prior to version 4.0.0, fixture names were used to build file paths under the configured fixture directory without validation. A name containing path segments (e.g. ../traversal or ../../etc/passwd) resulted in a path outside that directory. When the application read a fixture (e.g. for mocking) or wrote one (e.g. when recording responses), it could read or write files anywhere the process had access. If the fixture name was derived from user or attacker-controlled input (e.g. request parameters or config), this constituted a path traversal vulnerability and could lead to disclosure of sensitive files or overwriting of critical files. The fix in version 4.0.0 adds validation in the fixture layer (rejecting names with /, \, .., or null bytes, and restricting to a safe character set) and defense-in-depth in the storage layer (ensuring the resolved path remains under the base directory before any read or write).
Title (values added): Saloon has a Fixture Name Path Traversal Vulnerability
Weaknesses (values added): CWE-22
References (values added):
Metrics cvssV4_0 (values added): {'score': 8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-26T18:21:32.435Z

Reserved: 2026-03-17T22:16:36.720Z

Link: CVE-2026-33183

Vulnrichment

Updated: 2026-03-26T18:21:28.912Z

NVD

Status : Analyzed

Published: 2026-03-26T01:16:27.210

Modified: 2026-03-30T16:48:35.323

Link: CVE-2026-33183

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-30T20:57:45Z

Weaknesses