{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-22257", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-07T05:19:12.922Z", "datePublished": "2026-01-08T18:22:05.661Z", "dateUpdated": "2026-01-08T18:38:12.920Z"}, "containers": {"cna": {"title": "Salvo is vulnerable to stored XSS in the list_html function by uploading files with malicious names", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/salvo-rs/salvo/security/advisories/GHSA-54m3-5fxr-2f3j", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/salvo-rs/salvo/security/advisories/GHSA-54m3-5fxr-2f3j"}, {"name": "https://github.com/salvo-rs/salvo/blob/16efeba312a274739606ce76366d921768628654/crates/serve-static/src/dir.rs#L581", "tags": ["x_refsource_MISC"], "url": "https://github.com/salvo-rs/salvo/blob/16efeba312a274739606ce76366d921768628654/crates/serve-static/src/dir.rs#L581"}], "affected": [{"vendor": "salvo-rs", "product": "salvo", "versions": [{"version": "< 0.88.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-08T18:22:05.661Z"}, "descriptions": [{"lang": "en", "value": "Salvo is a Rust web backend framework. Prior to version 0.88.1, the function list_html generates a file view of a folder without sanitizing the files or folders names, this may potentially lead to XSS in cases where a website allow the access to public files using this feature and anyone can upload a file. This issue has been patched in version 0.88.1."}], "source": {"advisory": "GHSA-54m3-5fxr-2f3j", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-08T18:37:08.251260Z", "id": "CVE-2026-22257", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-08T18:38:12.920Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-22257", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-08T18:37:08.251260Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-08T18:38:08.608Z"}}], "cna": {"title": "Salvo is vulnerable to stored XSS in the list_html function by uploading files with malicious names", "source": {"advisory": "GHSA-54m3-5fxr-2f3j", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "salvo-rs", "product": "salvo", "versions": [{"status": "affected", "version": "< 0.88.1"}]}], "references": [{"url": "https://github.com/salvo-rs/salvo/security/advisories/GHSA-54m3-5fxr-2f3j", "name": "https://github.com/salvo-rs/salvo/security/advisories/GHSA-54m3-5fxr-2f3j", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/salvo-rs/salvo/blob/16efeba312a274739606ce76366d921768628654/crates/serve-static/src/dir.rs#L581", "name": "https://github.com/salvo-rs/salvo/blob/16efeba312a274739606ce76366d921768628654/crates/serve-static/src/dir.rs#L581", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Salvo is a Rust web backend framework. Prior to version 0.88.1, the function list_html generates a file view of a folder without sanitizing the files or folders names, this may potentially lead to XSS in cases where a website allow the access to public files using this feature and anyone can upload a file. This issue has been patched in version 0.88.1."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-08T18:22:05.661Z"}}}, "cveMetadata": {"cveId": "CVE-2026-22257", "state": "PUBLISHED", "dateUpdated": "2026-01-08T18:38:12.920Z", "dateReserved": "2026-01-07T05:19:12.922Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-08T18:22:05.661Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:salvo:salvo:*:*:*:*:*:rust:*:*", "matchCriteriaId": "E869772F-499D-4D50-8718-6D68B3AC6543", "versionEndExcluding": "0.88.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Salvo is a Rust web backend framework. Prior to version 0.88.1, the function list_html generates a file view of a folder without sanitizing the files or folders names, this may potentially lead to XSS in cases where a website allow the access to public files using this feature and anyone can upload a file. This issue has been patched in version 0.88.1."}], "id": "CVE-2026-22257", "lastModified": "2026-03-05T17:42:52.990", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.3, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-01-08T19:16:00.277", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/salvo-rs/salvo/blob/16efeba312a274739606ce76366d921768628654/crates/serve-static/src/dir.rs#L581"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/salvo-rs/salvo/security/advisories/GHSA-54m3-5fxr-2f3j"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T07:33:02.490498+00:00", "value": {"mitigation_remediation": ["Upgrade to Salvo 0.88.1 or later, which contains the fixed list_html sanitization.", "If upgrading is not immediately possible, enforce strict validation of uploaded file names to remove or escape characters that can trigger XSS.", "Restrict access to the folder listing to authenticated users or disable the public directory listing feature entirely."], "summary": {"action": "Update", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "Versions of Salvo earlier than 0.88.1, including 0.88.0 and earlier releases, are affected because the bug resides in the crates/serve-static/src/dir.rs file. The vulnerability was fixed in commit 16efeba... and is addressed in the 0.88.1 release announced by the maintainers. Any deployments that still use the vulnerable code and allow file uploads to the directory listing endpoint remain exposed. The affected product is the Salvo Rust crate, as listed by the CNA.", "description_and_impact": "Salvo is a Rust web backend framework. Prior to version 0.88.1, its list_html function renders a directory listing without sanitizing file or folder names. An attacker who can upload a file with a maliciously crafted name that includes script tags can cause the generated page to execute that script in the browsers of any user who views the listing. The vulnerability is a stored cross\u2011site scripting flaw that could be exploited to steal session information, deface sites, or perform other malicious actions as the victim user. The description indicates that the issue arises when public files are accessible and the framework does not validate filenames.", "risk_and_exploitability": "The CVSS score of 8.8 signals a high impact. Although the EPSS score is below 1\u202f% and the vulnerability is not currently in CISA\u2019s KEV catalog, the possibility of an attacker being able to upload arbitrary filenames gives the flaw a potentially wide\u2011scope attack surface. The exploitation path requires the attacker only to supply a file name containing script content; if the target site permits unauthenticated uploads, the risk level rises. Once the malicious name is displayed, the script runs in the context of any user that views the directory listing, compromising confidentiality and integrity of the application and its users."}}}}, "created": "2026-01-09T13:24:14.495594+00:00", "updated": "2026-04-18T07:45:24.973251+00:00", "vendors": ["salvo-rs", "salvo-rs$PRODUCT$salvo"]}