CVE-2026-33942 - Vulnerability Analysis
Critical | CVSS: 9.8 | Last Updated: March 26, 2026
Saloon - Insecure Deserialization
Published: March 26, 2026 | Updated: March 26, 2026 | Remote Exploitable
Overview
Saloon versions before 4.0.0 contain an insecure deserialization vulnerability: AccessTokenAuthenticator::unserialize() calls PHP's unserialize() with allowed_classes=true, so an attacker who controls the serialized input can supply crafted serialized objects and achieve remote code execution. Exploitation requires attacker control over the serialized input.
Severity & Score
Severity: Critical
CVSS Score: 9.8
Impact
Attackers controlling serialized input can achieve remote code execution, potentially compromising the entire system.
Mitigation
Update to version 4.0.0 or later, which removes PHP serialization from AccessTokenAuthenticator.
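The vulnerable pattern from the Overview next to the two fixes a maintainer can choose between: an allowlist on unserialize() with a type check, or dropping PHP serialization for a data-only format such as JSON (which replacement 4.0.0 actually uses is not stated on this page). Added example, not Saloon's code; TokenHolder and its method names are hypothetical stand-ins for AccessTokenAuthenticator.

```php
<?php
// Added example, not Saloon's code: TokenHolder is a hypothetical stand-in for an
// authenticator that round-trips its tokens through serialize()/unserialize().
final class TokenHolder
{
    public function __construct(public string $accessToken, public ?string $refreshToken = null) {}
    public function serialize(): string
    {
        return serialize($this);
    }
    // Vulnerable pattern (CWE-502): 'allowed_classes' => true lets the payload name any
    // loaded class, whose magic methods then run while the input is still untrusted.
    public static function unserializeUnsafe(string $payload): self
    {
        return unserialize($payload, ['allowed_classes' => true]);
    }
    // Hardened: only this class may be instantiated; any other class name decodes to
    // __PHP_Incomplete_Class and fails the type check. unserialize() is still not a
    // trust boundary, so keep the payload out of attacker reach (e.g. encrypt it at rest).
    public static function unserializeSafe(string $payload): self
    {
        $value = unserialize($payload, ['allowed_classes' => [self::class]]);
        if (!$value instanceof self) {
            throw new UnexpectedValueException('unexpected serialized type');
        }
        return $value;
    }

    // Format-level fix: JSON carries plain data and no class names at all.
    public function toJson(): string
    {
        return json_encode(['access' => $this->accessToken, 'refresh' => $this->refreshToken], JSON_THROW_ON_ERROR);
    }

    public static function fromJson(string $json): self
    {
        $d = json_decode($json, true, 512, JSON_THROW_ON_ERROR);
        if (!is_string($d['access'] ?? null)) {
            throw new UnexpectedValueException('missing access token');
        }
        return new self($d['access'], $d['refresh'] ?? null);
    }
}

// Constructed inputs: a legitimate holder and a payload naming a class we never expect.
$holder  = new TokenHolder('tok_example', 'rt_example');
$foreign = 'O:8:"stdClass":0:{}';
echo TokenHolder::unserializeSafe($holder->serialize())->accessToken, "\n";
echo TokenHolder::fromJson($holder->toJson())->refreshToken, "\n";
try { TokenHolder::unserializeSafe($foreign); } catch (UnexpectedValueException $e) { echo "rejected\n"; }
```

The allowlist only stops the decoder from instantiating unexpected classes; a payload an attacker can write still reaches the allowed class's own unserialize hooks, so the JSON path (or keeping the payload server-side) is the stronger of the two.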
Details
- CVE ID: CVE-2026-33942
- Severity: Critical
- CVSS Score: 9.8
- Type: insecure_deserialization
- Status: confirmed
CWE
- CWE-502
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H