The saloonphp/saloon dependency has released a new version that includes two security patches.
+-------------------+----------------------------------------------------------------------------------+
| Package           | saloonphp/saloon                                                                 |
| Severity          | medium                                                                           |
| Advisory ID       | PKSA-rnpm-45mg-w6ht                                                              |
| CVE               | CVE-2026-33183                                                                   |
| Title             | Saloon has a Fixture Name Path Traversal Vulnerability                           |
| URL               | https://github.com/advisories/GHSA-f7xc-5852-fj99                                |
| Affected versions | <4.0.0                                                                           |
| Reported at       | 2026-03-25T22:00:43+00:00                                                        |
| Ignore reason     | None specified                                                                   |
+-------------------+----------------------------------------------------------------------------------+
+-------------------+----------------------------------------------------------------------------------+
| Package           | saloonphp/saloon                                                                 |
| Severity          | medium                                                                           |
| Advisory ID       | PKSA-5szq-gvrg-ttfq                                                              |
| CVE               | CVE-2026-33182                                                                   |
| Title             | Saloon is vulnerable to SSRF and credential leakage via absolute URL in endpoint |
|                   | overriding base URL                                                              |
| URL               | https://github.com/advisories/GHSA-c83f-3xp6-hfcp                                |
| Affected versions | <4.0.0                                                                           |
| Reported at       | 2026-03-25T22:00:13+00:00                                                        |
| Ignore reason     | None specified                                                                   |
+-------------------+----------------------------------------------------------------------------------+
With the latest versions of Composer, a security alert is triggered during package installation. I just ignored the warning for the moment.
Gathering patches for root package.
Loading composer repositories with package information
Updating dependencies
Your requirements could not be resolved to an installable set of packages.
Problem 1
- Root composer.json requires shipstream/fedex-rest-sdk 1.4.0 -> satisfiable by shipstream/fedex-rest-sdk[v1.4.0].
- shipstream/fedex-rest-sdk v1.4.0 requires saloonphp/saloon ^3.8 -> found saloonphp/saloon[v3.8.0, ..., v3.15.0] but these were not loaded, because they are affected by security advisories ("PKSA-rnpm-45mg-w6ht", "PKSA-5szq-gvrg-ttfq"). Go to https://packagist.org/security-advisories/ to find advisory details. To ignore the advisories, add them to the audit "ignore" config. To turn the feature off entirely, you can set "block-insecure" to false in your "audit" config.
I am waiting for a new release including saloonphp/saloon version 4.0.0. Do you plan to do so?
Thank you.
Best regards
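For reference, the two Composer options named in that error message, as an added composer.json fragment that is not from the issue author or the project: it ignores only the two advisories quoted above, each with a recorded reason, instead of switching "block-insecure" off for every package. The reason strings are placeholders to replace with the actual justification and the ticket tracking the upgrade.

```json
{
    "config": {
        "audit": {
            "ignore": {
                "PKSA-rnpm-45mg-w6ht": "PLACEHOLDER: why the fixture path traversal does not apply here; tracked in <issue link>",
                "PKSA-5szq-gvrg-ttfq": "PLACEHOLDER: why the absolute-URL SSRF does not apply here; tracked in <issue link>"
            },
            "block-insecure": true
        }
    }
}
```

Setting "block-insecure" to false, the other option the message offers, disables the check for all packages and all future advisories, whereas the per-advisory ignore list keeps blocking anything not explicitly listed and is the narrower setting.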