php · jleehr/canto-saas-api
Heads-up
jleehr/canto-saas-api: Unencoded path variables in Request::buildRequestUrl()
Request::buildRequestUrl() inserts path variables without URL encoding, enabling path traversal or injection.
What changed
Request::buildRequestUrl() substituted path variables into the request URL without encoding them, so a value containing characters such as "/", "?" or "#" could alter the request path or inject query or fragment components. Version 3.0.0 fixes this by passing each path segment through rawurlencode() before substitution.
Who it affects
Applications using jleehr/canto-saas-api that pass untrusted input (for example user-supplied content IDs) as path variables to request classes such as GetContentDetailsRequest.
What to do today
Upgrade to version 3.0.0 or later. If you cannot upgrade yet, validate every untrusted path variable against an allowlist pattern such as ^[A-Za-z0-9_-]+$ before passing it to a request class, and reject anything that does not match.
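The following is an added example, not code from jleehr/canto-saas-api or from the 3.0.0 fix itself. It reconstructs the vulnerable substitution pattern beside the rawurlencode() hardening the advisory describes, and adds the allowlist check recommended above. The function names, the "{contentId}" placeholder syntax and the sample base URL are assumptions made for illustration; the library's real signatures may differ.

```php
<?php
// Added example, not the library's own code. Function names, the "{name}"
// placeholder template and the base URL below are assumptions for illustration.

declare(strict_types=1);

/**
 * Vulnerable pattern: path variables are spliced into the URL as-is, so a
 * value like "../../admin/users?role=admin#x" rewrites the path and injects
 * query and fragment components.
 */
function buildRequestUrlUnsafe(string $base, string $template, array $vars): string
{
    foreach ($vars as $name => $value) {
        $template = str_replace('{' . $name . '}', $value, $template);
    }
    return rtrim($base, '/') . '/' . ltrim($template, '/');
}

/**
 * Hardened pattern (what the advisory says 3.0.0 does): every substituted
 * segment goes through rawurlencode(), which percent-encodes "/", "?", "#",
 * "=", "%" and other reserved characters per RFC 3986.
 */
function buildRequestUrlSafe(string $base, string $template, array $vars): string
{
    foreach ($vars as $name => $value) {
        $template = str_replace('{' . $name . '}', rawurlencode($value), $template);
    }
    return rtrim($base, '/') . '/' . ltrim($template, '/');
}

/**
 * Defence in depth for callers still on an older release: reject anything
 * outside the allowlist from the advisory before it reaches the client.
 */
function assertPathVariable(string $value): string
{
    if (!preg_match('/^[A-Za-z0-9_-]+$/', $value)) {
        throw new InvalidArgumentException('Illegal characters in path variable: ' . $value);
    }
    return $value;
}

// Constructed sample inputs.
$base     = 'https://example.canto.com/api/v1';
$template = 'image/{contentId}';
$benign   = 'abc123';
$evil     = '../../admin/users?role=admin#x';

// Benign input: both builders produce the same URL.
echo buildRequestUrlUnsafe($base, $template, ['contentId' => $benign]), PHP_EOL;
echo buildRequestUrlSafe($base, $template, ['contentId' => $benign]), PHP_EOL;

// Hostile input: the unsafe builder emits a traversed path with an injected
// query string; the safe builder keeps it inside a single encoded segment.
echo buildRequestUrlUnsafe($base, $template, ['contentId' => $evil]), PHP_EOL;
echo buildRequestUrlSafe($base, $template, ['contentId' => $evil]), PHP_EOL;

// The allowlist check rejects the same input outright.
try {
    assertPathVariable($evil);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

Run it with `php example.php`. For the hostile input, rawurlencode() turns each `/` into `%2F`, `?` into `%3F`, `=` into `%3D` and `#` into `%23`, so the whole value stays one path segment. Note that `.` is an unreserved character and is not encoded, and some servers decode `%2F` before normalising the path; the allowlist is therefore the stricter control and is worth keeping even after upgrading when the value is not expected to contain anything beyond letters, digits, `_` and `-`.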