Home / Vulnerability Intelligence / CVE-2026-33942

CVE-2026-33942 - Vulnerability Analysis

CriticalCVSS: 9.8

Last Updated: March 26, 2026

Saloon - Insecure Deserialization

Published: March 26, 2026Updated: March 26, 2026Remote Exploitable

Overview

Saloon < 4.0.0 contains an insecure deserialization vulnerability caused by use of PHP's unserialize() with allowed_classes=true in AccessTokenAuthenticator::unserialize(), letting attackers supply crafted serialized objects leading to remote code execution, exploit requires attacker control over serialized input.

Severity & Score

Severity: Critical

CVSS Score: 9.8

EPSS Score: 32.5%(Probability of exploitation in next 30 days)

Impact

Attackers controlling serialized input can achieve remote code execution, potentially compromising the entire system.

Mitigation

Update to version 4.0.0 or later which removes PHP serialization in AccessTokenAuthenticator.

References

Social Media Activity(1 post)

TheHackerWire

@thehackerwire

Mar 27, 2026

🔴 CVE-2026-33942 - Critical (9.8) Saloon is a PHP library that gives users tools to build API integrations and SDKs. Versions prior to 4.0.0 used PHP's unserialize() in AccessTokenAuthenticator::unserialize() to restore OAuth token state from cache or storage, with allowed_classes... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-33942/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Related Resources

Details

CVE ID: CVE-2026-33942
Severity: Critical
CVSS Score: 9.8
Type: insecure_deserialization
Status: confirmed
EPSS: 32.5%
Social Posts: 1

CWE

CWE-502

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score

32.5%Probability of exploitation in the next 30 days