Cyber Resilience

CVE-2026-33183

High

Published: 26 March 2026

Published
26 March 2026
Modified
30 March 2026
CVSS Score v4 8.0 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0057 42.6th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-33183 is a high-severity Path Traversal (CWE-22) vulnerability in Saloon Saloon. Its CVSS base score is 8.0 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 42.6th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-33183 is a path traversal vulnerability (CWE-22) affecting the Saloon PHP library, a tool for building API integrations and SDKs, in versions prior to 4.0.0. The issue arises because fixture names are used to construct file paths under a configured fixture directory without proper validation. This allows names containing path traversal segments, such as "../traversal" or "../../etc/passwd", to resolve to paths outside the intended directory. Consequently, applications using Saloon for reading fixtures (e.g., for mocking) or writing them (e.g., recording responses) risk accessing arbitrary files based on the process's permissions.

The vulnerability can be exploited by remote attackers with no required privileges (AV:N/AC:L/PR:N/UI:N), as indicated by its CVSS v3.1 base score of 9.1. Exploitation requires the fixture name to be derived from attacker-controlled input, such as request parameters or configuration values. Successful attacks enable high confidentiality impact through disclosure of sensitive files and high integrity impact by overwriting critical files, though availability remains unaffected (S:U/C:H/I:H/A:N).

Mitigation is addressed in Saloon version 4.0.0, which introduces validation at the fixture layer to reject names containing slashes (/ or \), parent directory references (..), null bytes, or characters outside a safe set. Additionally, defense-in-depth measures in the storage layer ensure resolved paths remain within the base directory before any read or write operations. Security practitioners should upgrade to version 4.0.0 or later, as detailed in the official upgrade guide and GitHub security advisory.

Vulnerability details

Saloon is a PHP library that gives users tools to build API integrations and SDKs. Prior to version 4.0.0, fixture names were used to build file paths under the configured fixture directory without validation. A name containing path segments (e.g. ../traversal or ../../etc/passwd) resulted in a path outside that directory. When the application read a fixture (e.g. for mocking) or wrote one (e.g. when recording responses), it could read or write files anywhere the process had access. If the fixture name was derived from user or attacker-controlled input (e.g. request parameters or config), this constituted a path traversal vulnerability and could lead to disclosure of sensitive files or overwriting of critical files. The fix in version 4.0.0 adds validation in the fixture layer (rejecting names with /, \, .., or null bytes, and restricting to a safe character set) and defense-in-depth in the storage layer (ensuring the resolved path remains under the base directory before any read or write).
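The two layers described in the "Deeper analysis" and "Vulnerability details" sections above, fixture-name validation plus a base-directory containment check, written out as an added example. This is illustrative code, not Saloon's own implementation; the class name, the `.json` fixture extension, the exact safe character set and the use of PHP 8 string functions are assumptions.

```php
<?php
declare(strict_types=1);

// Hypothetical hardened fixture-path resolver (illustrative, not Saloon's code).
final class FixturePath
{
    // Assumed safe set: alphanumerics, dot, underscore, hyphen; ".." is rejected separately.
    private const SAFE_NAME = '/\A[A-Za-z0-9][A-Za-z0-9._-]*\z/';

    /** Layer 1 (fixture layer): reject dangerous names before any path is built. */
    public static function validateName(string $name): string
    {
        if ($name === '' || str_contains($name, "\0")) {
            throw new InvalidArgumentException('Fixture name is empty or contains a null byte');
        }
        if (str_contains($name, '/') || str_contains($name, '\\')) {
            throw new InvalidArgumentException('Fixture name must not contain path separators');
        }
        if (str_contains($name, '..')) {
            throw new InvalidArgumentException('Fixture name must not contain parent-directory references');
        }
        if (preg_match(self::SAFE_NAME, $name) !== 1) {
            throw new InvalidArgumentException('Fixture name contains characters outside the safe set');
        }
        return $name;
    }

    /** Layer 2 (storage layer, defense in depth): the resolved path must stay under the base directory. */
    public static function resolve(string $baseDir, string $name): string
    {
        $base = realpath($baseDir);
        if ($base === false) {
            throw new RuntimeException("Fixture directory does not exist: {$baseDir}");
        }
        $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
        $candidate = $base . self::validateName($name) . '.json';
        // realpath() fails for a fixture not yet written (recording), so canonicalise its parent instead.
        $parent = realpath(dirname($candidate));
        if ($parent === false || !str_starts_with($parent . DIRECTORY_SEPARATOR, $base)) {
            throw new RuntimeException('Resolved fixture path escapes the fixture directory');
        }
        return $parent . DIRECTORY_SEPARATOR . basename($candidate);
    }
}

// Constructed sample names: one legitimate, the rest shaped like the traversal cases the advisory describes.
foreach (['users.list', '../traversal', '../../etc/passwd', "a\0b", 'bad/name'] as $name) {
    try {
        echo json_encode($name), ' => ', FixturePath::resolve(sys_get_temp_dir(), $name), PHP_EOL;
    } catch (Throwable $e) {
        echo json_encode($name), ' => rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

Only the first name resolves; each of the others is rejected by the name check before the containment check is reached, and the containment check remains as a backstop should a caller bypass validation.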

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1005 Data from Local System (Collection)
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
T1105 Ingress Tool Transfer (Command and Control)
Adversaries may transfer tools or other files from an external system into a compromised environment.
Why these techniques?

Path traversal in a public-facing PHP library directly enables remote exploitation of the application (T1190), arbitrary local file reads (T1005), and arbitrary file writes that support tool or file ingress (T1105).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-33942 (same product: Saloon Saloon)
CVE-2026-33182 (same product: Saloon Saloon)
CVE-2026-3795 (shared CWE-22)
CVE-2026-6615 (shared CWE-22)
CVE-2026-41589 (shared CWE-22)
CVE-2026-7214 (shared CWE-22)
CVE-2026-40876 (shared CWE-22)
CVE-2025-66687 (shared CWE-22)
CVE-2025-26753 (shared CWE-22)
CVE-2025-44177 (shared CWE-22)

Affected Assets

saloon / saloon: ≤ 4.0.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

prevent: Directly prevents path traversal by validating fixture names against traversal sequences, slashes, and unsafe characters before constructing file paths.

prevent: Remediates the specific path traversal vulnerability by requiring an upgrade to Saloon version 4.0.0 or later, which carries the fixture validation fixes.

prevent: Limits damage from successful path traversal by enforcing least privilege on the application process, restricting access to sensitive files.
