CVE-2026-22256 Overview
CVE-2026-22256 is a reflected Cross-Site Scripting (XSS) vulnerability discovered in Salvo, a Rust web backend framework. The vulnerability exists in the list_html function that generates a file view of directories. The current request path is rendered in the HTML output without proper sanitization, allowing attackers to inject malicious scripts through crafted URLs. Although the request path is decoded and normalized during the matching stage, it is inserted raw into the HTML view via current.path, creating an injection point for XSS attacks.
Critical Impact
Attackers can execute arbitrary JavaScript in victims' browsers by crafting malicious URLs, potentially leading to session hijacking, credential theft, and unauthorized actions on behalf of authenticated users.
Affected Products
- Salvo Web Framework versions prior to 0.88.1
- Applications using Salvo's static file serving with directory listing enabled
- Web services exposing directory browsing functionality through Salvo
Discovery Timeline
- January 8, 2026 - CVE-2026-22256 published to NVD
- January 8, 2026 - Last updated in NVD database
Technical Details for CVE-2026-22256
Vulnerability Analysis
This reflected XSS vulnerability stems from improper output encoding in Salvo's directory listing functionality. The list_html function in dir.rs renders directory contents as HTML, including the current path in the output. The core issue is that while Salvo's routing layer performs URL decoding and path normalization during request matching, the path value is subsequently inserted directly into the HTML response without HTML entity encoding or other sanitization measures.
The vulnerability can be exploited when a directory listing page is accessible and the root path contains at least one subdirectory (such as styles/, scripts/, or similar common directories). This constraint exists because without a valid subdirectory, the application returns a "Not Found" page instead of rendering the directory listing HTML that contains the vulnerable code path.
When a victim clicks a malicious link containing JavaScript payload in the URL path, the unsanitized path is reflected in the HTML response, causing the browser to execute the injected script in the context of the vulnerable application's origin.
Root Cause
The root cause is a missing output encoding step in the list_html function located in crates/serve-static/src/dir.rs. Specifically, at line 593, the current.path value is embedded into the HTML template without escaping special HTML characters such as <, >, ", ', and &. This allows URL-encoded payloads to bypass server-side filters during routing, only to be decoded and rendered as executable HTML/JavaScript in the victim's browser.
Attack Vector
The attack is network-based and requires user interaction—specifically, the victim must click a malicious link or visit a compromised page that redirects to the vulnerable endpoint. An attacker constructs a URL targeting the static file serving endpoint with an XSS payload embedded in the path. The payload must be URL-encoded to pass through the initial request processing, after which it gets decoded and inserted into the HTML response.
For example, an attacker could craft a URL targeting a path like /files/<script>alert(1)</script>/styles/ where the malicious script is URL-encoded. When the server processes this request and finds a matching subdirectory, it renders the directory listing with the unsanitized path, executing the attacker's JavaScript in the victim's browser.
For detailed technical information, see the GitHub Security Advisory and the vulnerable code section.
Detection Methods for CVE-2026-22256
Indicators of Compromise
- Unusual URL patterns in web server logs containing HTML tags or JavaScript keywords (encoded or decoded) in directory paths
- HTTP requests to static file endpoints with <script>, onerror=, onload=, or similar XSS payload patterns
- Client-side security tools or browser extensions blocking script execution from directory listing pages
- User reports of unexpected behavior or redirects when accessing file listing pages
Detection Strategies
- Deploy Web Application Firewall (WAF) rules to detect and block requests containing XSS payloads in URL paths
- Implement Content Security Policy (CSP) headers to mitigate the impact of successful XSS attacks by restricting script execution
- Configure intrusion detection systems to alert on URL patterns containing encoded HTML special characters targeting static file endpoints
- Use runtime application self-protection (RASP) solutions to detect XSS exploitation attempts
Monitoring Recommendations
- Enable verbose logging on static file serving endpoints and monitor for anomalous path patterns
- Set up alerts for requests to directory listing endpoints containing non-alphanumeric characters beyond standard path separators
- Monitor browser console errors from client-side telemetry that may indicate blocked XSS attempts
- Review access logs periodically for reconnaissance activity targeting directory structures
How to Mitigate CVE-2026-22256
Immediate Actions Required
- Upgrade Salvo to version 0.88.1 or later immediately, which contains the security patch for this vulnerability
- If immediate upgrade is not possible, disable directory listing functionality until the patch can be applied
- Implement Content Security Policy headers as a defense-in-depth measure to reduce XSS impact
- Conduct a security review of any custom handlers that render user-controlled input in HTML responses
Patch Information
The Salvo development team has addressed this vulnerability in version 0.88.1. The fix implements proper HTML entity encoding for the current.path value before inserting it into the directory listing HTML template. Organizations using affected versions should update to 0.88.1 or the latest available version. Detailed patch information and the security advisory are available at the GitHub Security Advisory.
Workarounds
- Disable the directory listing feature entirely by removing or reconfiguring static file serving handlers
- Place a reverse proxy or WAF in front of the application configured to strip or reject requests with suspicious characters in paths
- Implement server-side input validation to reject requests containing HTML special characters in file paths
- Use network segmentation to limit exposure of directory listing endpoints to trusted networks only
# Update Salvo to patched version in Cargo.toml
# Change: salvo = "0.88.0" or earlier
# To: salvo = "0.88.1"
cargo update -p salvo
cargo build --release
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
