CVE-2026-22257
Unknown Unknown - Not Provided
Stored XSS in Salvo list_html Function Allows File-Based Attacks

Publication date: 2026-01-08

Last updated on: 2026-03-05

Assigner: GitHub, Inc.

Description
Salvo is a Rust web backend framework. Prior to version 0.88.1, the function list_html generates a file view of a folder without sanitizing the files or folders names, this may potentially lead to XSS in cases where a website allow the access to public files using this feature and anyone can upload a file. This issue has been patched in version 0.88.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-08
Last Modified
2026-03-05
Generated
2026-06-16
AI Q&A
2026-01-08
EPSS Evaluated
2026-06-15
NVD
CVE-2026-22257
EUVD
EUVD-2026-1423
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
salvo salvo to 0.88.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-22257 is a stored Cross-Site Scripting (XSS) vulnerability in the Rust web backend framework Salvo, specifically in the list_html function that generates a file view of a folder. The vulnerability occurs because the function does not sanitize file or folder names before embedding them into HTML output. This allows an attacker to upload files with malicious names containing executable JavaScript, which then gets rendered unsanitized in the directory listing, leading to stored XSS and potential execution of malicious scripts in users' browsers. [1]

Impact Analysis

This vulnerability can lead to the execution of malicious JavaScript in users' browsers when they view the directory listing containing files with malicious names. This can result in account takeover or other malicious actions depending on the site's Content Security Policy and other security measures. The impact includes high confidentiality impact, low integrity impact, and low availability impact, with a high severity CVSS score of 8.8. It can be exploited remotely without privileges but requires user interaction. [1]

Detection Guidance

This vulnerability can be detected by checking if your application uses the vulnerable salvo versions (≀ 0.88.0) and if it allows file uploads with unsanitized names that are then displayed via the list_html function or static directory listing with auto_list enabled. A practical detection method is to attempt uploading a file with a name containing a simple XSS payload (e.g., <script>alert(1)</script>) and then accessing the directory listing to see if the script executes. There are no specific commands provided, but you can test by uploading files with suspicious names and inspecting the HTML output for unsanitized input. [1]

Mitigation Strategies

The immediate mitigation step is to upgrade the salvo package to version 0.88.1 or later, where the vulnerability has been patched by properly sanitizing file and folder names before rendering them in HTML. Additionally, if upgrading is not immediately possible, you should disable directory auto-listing or implement your own sanitization of file and folder names before displaying them in any HTML views. [1]

Compliance Impact

The provided resources do not specify how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-22257. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart