CVE-2026-33183
Path Traversal in Saloon PHP Library Allows Arbitrary File Access
Publication date: 2026-03-26
Last updated on: 2026-03-30
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| saloon | saloon | to 4.0.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-33183 is a path traversal vulnerability in the Saloon PHP library versions prior to 4.0.0. The issue occurs because fixture names were used directly to build file paths within the configured fixture directory without proper validation.
If a fixture name contained path traversal sequences like "../" or absolute paths such as "../../etc/passwd", the constructed file path could escape the intended fixture directory.
This means that when the application read or wrote a fixture, it could access files anywhere the process had permission, potentially allowing an attacker to read sensitive files or overwrite critical files if the fixture name was derived from user-controlled input.
The vulnerability is addressed in Saloon version 4.0.0 by adding validation to reject unsafe fixture names and by ensuring file operations remain within the base directory.
How can this vulnerability impact me? :
This vulnerability can allow an attacker to read sensitive files or overwrite critical files on the system where the Saloon library is used.
If fixture names are derived from user or attacker-controlled input, the attacker could exploit this to access or modify files outside the intended directory.
Such unauthorized file access or modification could lead to disclosure of sensitive information, data corruption, or disruption of application functionality.
What immediate steps should I take to mitigate this vulnerability?
The immediate step to mitigate this vulnerability is to upgrade the Saloon PHP package to version 4.0.0 or later.
Version 4.0.0 includes important fixes that validate fixture names to reject unsafe characters and path traversal sequences, and also ensure that file operations remain within the intended fixture directory.
Users should refer to the official upgrade guide to properly apply the update and secure their systems.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability allows an attacker to read or write arbitrary files accessible by the process, potentially leading to disclosure of sensitive information or overwriting critical files.
Such unauthorized access or modification of sensitive data could result in non-compliance with data protection regulations and standards like GDPR or HIPAA, which require safeguarding personal and sensitive information against unauthorized access.
Therefore, if exploited, this vulnerability could compromise the confidentiality and integrity of sensitive data, impacting compliance with these common standards.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves path traversal through fixture names used in the Saloon PHP package prior to version 4.0.0. Detection involves identifying if any fixture names contain path traversal sequences such as '../', '..\', or absolute paths that escape the intended fixture directory.
To detect exploitation attempts or vulnerable usage on your system, you can search for fixture names or file paths containing suspicious path traversal patterns in logs or configuration files.
- Use grep or similar tools to search for '../' or '..\' in fixture-related files or logs, for example: grep -r "\.\./" /path/to/fixture/directory
- Check application logs or request parameters for fixture names containing path traversal sequences.
- Monitor file system access patterns for unexpected reads or writes outside the fixture directory.
Since the vulnerability is in the application layer, there are no specific network commands to detect it directly, but monitoring application inputs and file accesses for path traversal patterns is recommended.