CVE-2026-22257
Stored XSS in Salvo list_html Function Allows File-Based Attacks
Publication date: 2026-01-08
Last updated on: 2026-03-05
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| salvo | salvo | < 0.88.1 (all releases before 0.88.1; fixed in 0.88.1) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-22257 is a stored Cross-Site Scripting (XSS) vulnerability in Salvo, a Rust web backend framework. It sits in the list_html function, which renders the HTML directory listing shown when a folder is served with auto-listing enabled. The function embeds file and folder names into that HTML without escaping them, so any name that contains HTML markup (for example a <script> element or an event-handler attribute) is emitted verbatim. An attacker who can place a file with such a name inside a listed directory, typically through an upload feature, therefore gets a persistent payload: the script runs in the browser of every user who later opens the listing. [1]
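The following is an added example, not Salvo's own code. It models a directory-listing renderer in the spirit of the list_html function described above: a vulnerable variant that splices raw file names into the page (the CWE-79 pattern) next to a hardened variant that HTML-escapes every untrusted string first. The function names, the HTML layout, the escape routine and the sample file names are all assumptions made for the example; only the mechanism (unescaped names reaching HTML) comes from the advisory.

```rust
// Added example, not Salvo's code. Models a directory-listing renderer like the
// list_html function described in the advisory: a vulnerable variant that splices
// raw file names into HTML and a hardened variant that escapes them first.
// Function names, HTML layout and sample file names are assumptions.

/// Escape the five characters that matter in HTML text and quoted attributes.
fn escape_html(s: &str) -> String {
    let mut out = String::with_capacity(s.len());
    for c in s.chars() {
        match c {
            '&' => out.push_str("&amp;"),
            '<' => out.push_str("&lt;"),
            '>' => out.push_str("&gt;"),
            '"' => out.push_str("&quot;"),
            '\'' => out.push_str("&#x27;"),
            _ => out.push(c),
        }
    }
    out
}

/// VULNERABLE: names land in the page exactly as stored on disk (CWE-79).
fn list_html_vulnerable(dir: &str, names: &[&str]) -> String {
    let mut html = format!("<h1>Index of {}</h1>\n<ul>\n", dir);
    for name in names {
        html.push_str(&format!("<li><a href=\"{}\">{}</a></li>\n", name, name));
    }
    html.push_str("</ul>\n");
    html
}

/// HARDENED: every untrusted string is escaped before it reaches HTML,
/// in both the attribute (href) and the text (link label) context.
fn list_html_escaped(dir: &str, names: &[&str]) -> String {
    let mut html = format!("<h1>Index of {}</h1>\n<ul>\n", escape_html(dir));
    for name in names {
        let safe = escape_html(name);
        html.push_str(&format!("<li><a href=\"{}\">{}</a></li>\n", safe, safe));
    }
    html.push_str("</ul>\n");
    html
}

/// The check the advisory's detection advice describes: does the rendered
/// listing still contain an unescaped script tag?
fn contains_raw_script(html: &str) -> bool {
    html.to_ascii_lowercase().contains("<script")
}

/// Constructed upload names: one benign, one carrying the classic XSS probe.
const SAMPLE_NAMES: [&str; 2] = ["report.pdf", "<script>alert(1)</script>.txt"];

fn main() {
    let bad = list_html_vulnerable("/uploads", &SAMPLE_NAMES);
    let good = list_html_escaped("/uploads", &SAMPLE_NAMES);
    println!("vulnerable listing contains raw <script>: {}", contains_raw_script(&bad));
    println!("escaped listing contains raw <script>:    {}", contains_raw_script(&good));
    println!("{}", good);
}
```

The hardened variant applies the same escaping to the href and to the link text; in a real listing the href should additionally be percent-encoded as a URL path component, which is a separate encoding step from HTML escaping. Escaping at the point where the string enters HTML is what removes the bug; validating or rejecting file names at upload time is a useful second layer but cannot protect against names created by other means (such as a shared filesystem).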
How can this vulnerability impact me?
Any user who opens a directory listing containing a maliciously named file runs the attacker's JavaScript in the context of the vulnerable site. What that script can do depends on the site's Content Security Policy and other defenses: without a restrictive CSP it can read page content and make authenticated requests, which can amount to account takeover. The CVSS score is 8.8 (High), with high confidentiality impact and low integrity and availability impact. It is exploitable remotely without privileges, but it requires user interaction, since a victim has to view the listing. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Two conditions have to hold: the application depends on a vulnerable Salvo release (≤ 0.88.0, i.e. anything below 0.88.1), and it serves a directory listing generated by list_html (for example a static directory with auto_list enabled) from a location where untrusted parties can create or upload files with names of their choosing. The first condition is a dependency check: look at the pinned salvo version in Cargo.lock. The second is a code and configuration review of your static-file handlers. A practical confirmation on a test instance is to upload a file whose name contains a simple probe such as <script>alert(1)</script> and then request the listing, inspecting the raw HTML for the unescaped tag. Do this on a non-production copy, because the probe is a persistent payload that will execute for every user who views that listing until the file is removed. No specific commands are provided by the source. [1]
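As an added example of the dependency check (not code from the advisory or from Salvo), the following parses the Cargo.lock format to find the pinned salvo version and compares it with the fixed release 0.88.1. The embedded lock-file text is constructed for the example; the parsing helpers are assumptions and cover only the `[[package]]` / `name` / `version` lines that a Cargo.lock actually contains.

```rust
// Added example, not Salvo's code. Reads the pinned `salvo` version out of
// Cargo.lock text and reports whether it is below the fixed release 0.88.1.
// The lock-file sample below is constructed for this example.

/// Parse "major.minor.patch" into a tuple; a pre-release or build suffix is dropped.
fn parse_version(v: &str) -> Option<(u64, u64, u64)> {
    let core = v.split(|c| c == '-' || c == '+').next()?;
    let mut parts = core.split('.').map(|p| p.parse::<u64>().ok());
    Some((parts.next()??, parts.next()??, parts.next()??))
}

/// Return the `version = "..."` value of the named package from Cargo.lock text.
/// Cargo.lock lists each dependency as a `[[package]]` table with `name` and
/// `version` keys, so a small line scanner is enough.
fn locked_version(lock: &str, package: &str) -> Option<String> {
    let mut in_target = false;
    for line in lock.lines() {
        let line = line.trim();
        if line == "[[package]]" {
            in_target = false;
        } else if let Some(rest) = line.strip_prefix("name = ") {
            in_target = rest.trim_matches('"') == package;
        } else if in_target {
            if let Some(rest) = line.strip_prefix("version = ") {
                return Some(rest.trim_matches('"').to_string());
            }
        }
    }
    None
}

/// First release that contains the fix, per the advisory.
const FIXED: (u64, u64, u64) = (0, 88, 1);

/// Some(true) if salvo is pinned below 0.88.1, Some(false) if at or above it,
/// None if salvo is not in the lock file or its version does not parse.
fn lock_has_vulnerable_salvo(lock: &str) -> Option<bool> {
    let v = locked_version(lock, "salvo")?;
    Some(parse_version(&v)? < FIXED)
}

/// Constructed Cargo.lock excerpt pinning an affected release.
const SAMPLE_LOCK: &str = r#"
[[package]]
name = "salvo"
version = "0.88.0"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "serde"
version = "1.0.210"
"#;

fn main() {
    match lock_has_vulnerable_salvo(SAMPLE_LOCK) {
        Some(true) => println!("salvo pinned below 0.88.1: affected by CVE-2026-22257"),
        Some(false) => println!("salvo at or above 0.88.1: not affected"),
        None => println!("salvo not found in lock file"),
    }
}
```

In a real project `cargo tree -i salvo` in the crate directory shows the resolved salvo version and which of your dependencies pull it in, which is quicker than parsing the lock file by hand; the parser above is useful when you are scanning many repositories' lock files without building them. A version check alone is not a finding: an application on 0.88.0 that never serves a listing of an attacker-writable directory is not exploitable, so pair it with the code review described above.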
What immediate steps should I take to mitigate this vulnerability?
Upgrade the salvo crate to 0.88.1 or later, where file and folder names are escaped before being rendered into the listing HTML. If you cannot upgrade immediately, turn off directory auto-listing (the auto_list option referenced above) for any directory that untrusted parties can write to, or render listings yourself with proper HTML escaping of every name. Restricting the characters accepted in uploaded file names reduces exposure but is not a complete fix, since names can reach the served directory by other routes. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided resources do not specify how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.