CVE-2026-22256
Reflected XSS in Salvo list_html Path Rendering Before

Publication date: 2026-01-08

Last updated on: 2026-03-05

Assigner: GitHub, Inc.

Description
Salvo is a Rust web backend framework. Prior to version 0.88.1, the function list_html generates a file view of a folder that includes a rendering of the current path, and that path is inserted into the HTML without proper sanitization. This leads to reflected XSS: the request path is decoded and normalized in the matching stage, but it is then inserted raw into the HTML view (current.path). The only constraint is that the root path (e.g. /files in the PoC example) must have a subdirectory (common ones such as styles, scripts, etc.) so that matching returns the list HTML page instead of the Not Found page. This issue has been patched in version 0.88.1.
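The defect class is easiest to see side by side. The following is an added example, not Salvo's own code: a minimal listing renderer in the shape the description gives (decoded request path placed into the page), once interpolated verbatim and once with HTML escaping applied at the point of insertion. The function names, the sample path and the entry names are constructed for illustration.

```rust
// Added example, not Salvo's own code: a minimal directory-listing renderer in the
// shape the advisory describes (decoded request path placed into the page), once
// interpolated verbatim and once with HTML escaping applied at the insertion point.

/// Escape the characters that can break out of HTML text or attribute context.
pub fn html_escape(input: &str) -> String {
    let mut out = String::with_capacity(input.len());
    for c in input.chars() {
        match c {
            '&' => out.push_str("&amp;"),
            '<' => out.push_str("&lt;"),
            '>' => out.push_str("&gt;"),
            '"' => out.push_str("&quot;"),
            '\'' => out.push_str("&#39;"),
            _ => out.push(c),
        }
    }
    out
}

/// Vulnerable shape: the already-decoded path is interpolated as-is, so any
/// markup in a path segment is reflected back to the browser (CWE-79).
pub fn list_html_unsafe(current_path: &str, entries: &[&str]) -> String {
    let items: String = entries.iter().map(|e| format!("<li>{}</li>", e)).collect();
    format!("<h1>Index of {}</h1>\n<ul>{}</ul>", current_path, items)
}

/// Hardened shape: every untrusted value (path and entry names) is escaped.
pub fn list_html_safe(current_path: &str, entries: &[&str]) -> String {
    let items: String = entries.iter().map(|e| format!("<li>{}</li>", html_escape(e))).collect();
    format!("<h1>Index of {}</h1>\n<ul>{}</ul>", html_escape(current_path), items)
}

/// Response check for a test or scanner: is the probe markup still present raw?
pub fn reflects_raw_markup(html: &str, probe: &str) -> bool {
    html.contains(probe)
}

fn main() {
    // Constructed input: a path segment carrying markup, in the shape of the advisory's PoC.
    let path = "/files/<script>alert(1)</script>/";
    let entries = ["styles", "scripts"];
    let probe = "<script>";
    println!("unsafe reflects: {}", reflects_raw_markup(&list_html_unsafe(path, &entries), probe));
    println!("safe reflects:   {}", reflects_raw_markup(&list_html_safe(path, &entries), probe));
}
```

The same `reflects_raw_markup` check is what a regression test for the fixed version should assert on: the escaped page must never contain the probe tag verbatim.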
Meta Information
Published: 2026-01-08
Last Modified: 2026-03-05
Generated: 2026-05-27
AI Q&A: 2026-01-08
EPSS Evaluated: 2026-05-25
Affected Vendors & Products
Showing 1 associated CPE
Vendor: salvo; Product: salvo; Version / Range: up to 0.88.1 (excluding)
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by sending specially crafted HTTP requests with malicious payloads in the URL path to the Salvo server and observing if the response HTML reflects the unsanitized path, indicating reflected XSS. For example, you can use curl to request a URL with a script tag in the path under a directory that has subdirectories (to trigger the listing page). Example command: curl -i 'http://your-salvo-server/files/<script>alert(1)</script>/' and check if the response HTML contains the injected script tag unescaped. Additionally, using web vulnerability scanners that detect reflected XSS by injecting payloads into URL paths can help identify this issue. [1]


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade the Salvo framework to version 0.88.1 or later, where this vulnerability has been patched. If upgrading is not immediately possible, restrict access to the affected endpoints or disable directory listing features that generate the vulnerable HTML view. Implementing Web Application Firewall (WAF) rules to block suspicious requests containing script tags in URL paths can also help reduce risk until the patch is applied. [1]


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows reflected Cross-Site Scripting (XSS) attacks, which can lead to arbitrary JavaScript execution in users' browsers. This can result in unauthorized access to sensitive information or user accounts, potentially violating data protection requirements under standards like GDPR or HIPAA. Exploitation could compromise confidentiality and integrity of data, thereby affecting compliance with these regulations. However, specific compliance impacts depend on the context of the deployed application and its data handling. [1]


Can you explain this vulnerability to me?

This vulnerability is a reflected Cross-Site Scripting (XSS) issue in the Rust web backend framework Salvo, specifically in versions prior to 0.88.1. The function list_html generates an HTML view of a folder and inserts the current request path directly into the HTML without proper sanitization. Because the request path is decoded and normalized but not safely escaped before being embedded in the HTML, an attacker can craft a malicious URL path that injects arbitrary JavaScript code into the page. This leads to reflected XSS, allowing script execution in the victim's browser when they visit the crafted URL. Exploitation requires the root path to have at least one subdirectory so that the directory listing page is returned instead of a 404 error. The issue was fixed in version 0.88.1. [1]


How can this vulnerability impact me?

Successful exploitation of this vulnerability allows an attacker to execute arbitrary JavaScript in the victim's browser. This can lead to various attacks such as account takeover, theft of sensitive information, session hijacking, or other malicious actions depending on the site's Content Security Policy and other defenses. The vulnerability has a high severity with a CVSS score of 8.8, indicating significant impact on confidentiality, with some impact on integrity and availability as well. [1]

