Is saloonphp/saloon affected by CVE-2026-33182?

Packagist saloonphp/saloon is affected in <4.0.0.

Is CVE-2026-33182 being exploited?

Not on the CISA KEV list. EPSS exploit probability is 0.4%.

medium

CVE-2026-33182

Q: Is CVE-2026-33182 being exploited?

Not on the CISA KEV list. EPSS exploit probability is 0.4%.

Packagist · saloonphp/saloon

Summary

Saloon is vulnerable to SSRF and credential leakage via absolute URL in endpoint overriding base URL

Severity: medium
EPSS: 0.4% (p33)
Also known as: GHSA-c83f-3xp6-hfcp
Published: 2026-03-25

References

https://github.com/saloonphp/saloon/security/advisories/GHSA-c83f-3xp6-hfcp
https://nvd.nist.gov/vuln/detail/CVE-2026-33182
https://docs.saloon.dev/upgrade/upgrading-from-v3-to-v4

Related advisories

CVE-2026-33942 — high · Packagist/saloonphp/saloon
CVE-2026-33183 — medium · Packagist/saloonphp/saloon

Is your project exposed to this? Stateward checks every dependency on every pull request and flags it only if your code actually reaches it.

Check my repo

Summarize with AI

ChatGPT Claude Perplexity

Sources: CISA KEV (public domain), OSV.dev & GitHub Advisory Database (CC-BY-4.0), FIRST EPSS, NVD/CWE (public domain). Served live from the Stateward advisory database.