Skip to main content
A Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection. Six years running.Find Out Why
CVE Vulnerability Database
Vulnerability Database/CVE-2026-22257

CVE-2026-22257: Salvo Framework XSS Vulnerability

CVE-2026-22257 is a cross-site scripting flaw in Salvo Framework's list_html function that fails to sanitize file names, allowing XSS attacks. This article covers technical details, affected versions, and mitigations.

Updated:

CVE-2026-22257 Overview

CVE-2026-22257 is a Cross-Site Scripting (XSS) vulnerability in Salvo, a Rust web backend framework. Prior to version 0.88.1, the list_html function generates a file view of a folder without sanitizing the file or folder names. This missing input sanitization can lead to XSS attacks in cases where a website allows public access to files using this feature and permits arbitrary file uploads.

Critical Impact

Attackers can inject malicious scripts through crafted file or folder names, potentially compromising user sessions, stealing credentials, or performing actions on behalf of authenticated users in web applications using Salvo's static file serving feature.

Affected Products

  • Salvo web framework versions prior to 0.88.1
  • Applications using Salvo's serve-static crate with directory listing enabled
  • Web applications allowing public file uploads with directory browsing

Discovery Timeline

  • 2026-01-08 - CVE-2026-22257 published to NVD
  • 2026-01-08 - Last updated in NVD database

Technical Details for CVE-2026-22257

Vulnerability Analysis

This vulnerability stems from improper input validation (CWE-79) in Salvo's static file serving functionality. The list_html function, located in the serve-static crate's dir.rs module, renders directory listings as HTML without properly encoding or sanitizing file and folder names before including them in the output.

When a malicious actor uploads a file with a specially crafted name containing JavaScript code or HTML markup, the unsanitized filename is rendered directly in the directory listing page. Any user browsing the directory through the web interface would have the malicious script executed in their browser context.

The exploitation scenario requires two conditions: the application must use Salvo's directory listing feature to expose file directories to users, and there must be a mechanism allowing attackers to upload or create files with arbitrary names. This attack vector is particularly concerning for file sharing platforms, content management systems, or any application that allows user-generated content in public directories.

Root Cause

The root cause is the absence of HTML entity encoding when rendering file and folder names in the list_html function. The function directly interpolates filename strings into the HTML output without escaping special characters such as <, >, ", and &. This allows attackers to break out of the intended HTML context and inject arbitrary script content.

Attack Vector

The attack is network-based and requires user interaction. An attacker would first upload a file with a malicious name containing XSS payload (e.g., <script>alert(document.cookie)</script>.txt). When a victim browses the directory containing this file through Salvo's directory listing feature, their browser renders the unsanitized filename, executing the embedded JavaScript.

The vulnerability enables various XSS attack scenarios including session hijacking, credential theft, phishing within the application context, and drive-by malware downloads. Since the script executes in the context of the vulnerable application's origin, it has full access to cookies, local storage, and can make authenticated requests on behalf of the victim.

The vulnerability exists in the directory listing HTML generation code. For technical details and the specific code location, see the GitHub source code reference.

Detection Methods for CVE-2026-22257

Indicators of Compromise

  • Presence of files or folders with names containing HTML tags or JavaScript code (e.g., <script>, <img onerror=, javascript:)
  • Unusual file names with URL-encoded characters that decode to script content
  • Web server logs showing requests to directory listings followed by suspicious client-side behavior
  • User reports of unexpected browser behavior when browsing file directories

Detection Strategies

  • Implement file upload monitoring to detect and alert on filenames containing HTML or script content
  • Deploy web application firewall (WAF) rules to detect XSS patterns in directory listing responses
  • Use Content Security Policy (CSP) headers to mitigate script execution from inline sources
  • Monitor application logs for directory listing requests with unusual patterns
  • Conduct regular security scans of uploaded file directories for suspicious filenames

Monitoring Recommendations

  • Enable detailed logging for the static file serving module to track directory listing access
  • Implement alerting on file upload events where filenames contain potentially malicious patterns
  • Monitor browser-side telemetry for script errors or unexpected JavaScript execution in directory contexts
  • Review CSP violation reports for attempts to execute inline scripts in directory listing pages

How to Mitigate CVE-2026-22257

Immediate Actions Required

  • Upgrade Salvo to version 0.88.1 or later immediately
  • Audit existing file directories for files with potentially malicious names and rename or remove them
  • Implement Content Security Policy headers to restrict inline script execution
  • Consider temporarily disabling directory listing functionality until the patch is applied
  • Review and sanitize any existing user-uploaded filenames in public directories

Patch Information

The vulnerability has been patched in Salvo version 0.88.1. The fix implements proper HTML entity encoding for file and folder names before rendering them in directory listings. Upgrade to version 0.88.1 or later to remediate this vulnerability. For detailed information about the security fix, refer to the GitHub Security Advisory GHSA-54m3-5fxr-2f3j.

Workarounds

  • Disable public directory listing functionality by removing or reconfiguring the serve-static handler
  • Implement server-side filename validation to reject uploads containing HTML special characters
  • Add a reverse proxy or WAF layer that sanitizes directory listing responses
  • Use Content Security Policy headers with strict script-src directives to prevent inline script execution
  • Implement custom directory listing logic that properly escapes all user-controlled content
bash
# Example: Add CSP header in reverse proxy (nginx)
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline';" always;

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.

Try SentinelOne