Description
Salvo is a Rust web backend framework. Prior to version 0.88.1, the function list_html generates a file view of a folder which includes a render of the current path, which is inserted into the HTML without proper sanitization. This leads to reflected XSS, using the fact that the request path is decoded and normalized in the matching stage but is inserted raw into the HTML view (current.path). The only constraint is that the root path (e.g. /files in the PoC example) must have a subdirectory (e.g. common ones such as styles/scripts/etc.) so that the matching returns the list HTML page instead of the Not Found page. This issue has been patched in version 0.88.1.
Published: 2026-01-08
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Reflected XSS (client‑side injection)
Action: Patch now
AI Analysis

Impact

Salvo, a Rust web backend framework, contains a reflected XSS flaw in the list_html function in all releases prior to 0.88.1. The function generates a directory listing page and inserts the request path (current.path) directly into the HTML without escaping. The path is percent-decoded and normalised during route matching, but the decoded value is rendered raw in the listing, so an attacker can place HTML or JavaScript in a crafted URL and it executes in the browser of any user who opens that link. The flaw compromises the confidentiality and integrity of the affected user's session (session hijacking, data theft) and is classified as CWE-79.

Affected Systems

All deployments of salvo-rs:salvo running any version earlier than 0.88.1 that expose a directory listing via list_html (such as a publicly reachable /files path containing at least one subdirectory).

Risk and Exploitability

The vulnerability scores a CVSS of 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:L), indicating high severity. The EPSS score is less than 1%, suggesting a low probability of widespread exploitation, and it is not listed in the CISA KEV catalog. The flaw is exploitable without authentication but requires user interaction: an attacker has to get a user to open a specially crafted URL. The only other requirements are that the directory-listing route be reachable and that the listed directory contain at least one subdirectory, so the crafted path resolves to the listing page rather than to Not Found; on affected installations meeting those conditions the attack is straightforward.

Generated by OpenCVE AI on April 18, 2026 at 07:33 UTC.

Remediation

Vendor fix: the issue is patched in Salvo 0.88.1 (see the GHSA advisory listed below). No vendor-supplied workaround is published.

OpenCVE Recommended Actions

  • Upgrade to Salvo version 0.88.1 or later, which sanitizes the path before rendering the directory listing.
  • If upgrading immediately is not possible, disable the directory listing route (e.g., the /files path) or restrict it to trusted users, so untrusted requests cannot reach the listing page that renders the path.
  • Validate and escape any user‑supplied path data before including it in generated HTML, ensuring that future code changes do not reintroduce similar sanitisation gaps.
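The mechanism described in the analysis above (a path percent-decoded for route matching, then interpolated into the listing HTML unescaped) and the escaping recommended in the last bullet, shown together as an added Rust example. This is not Salvo's code: the function names, the HTML layout and the minimal percent decoder are stand-ins assumed for the illustration, and the request path and directory entries are constructed inputs.

```rust
// Added example (not Salvo's code). It models the bug class from the
// advisory: the request path is decoded for matching and then rendered
// raw in a directory listing, beside the corrected rendering that
// HTML-escapes every user-influenced value. Names are hypothetical.

/// Minimal percent-decoding of a request path, standing in for the
/// decoding a framework does in its matching stage (assumption).
fn percent_decode(path: &str) -> String {
    let bytes = path.as_bytes();
    let mut out = Vec::with_capacity(bytes.len());
    let mut i = 0;
    while i < bytes.len() {
        if bytes[i] == b'%' && i + 2 < bytes.len() {
            if let Ok(hex) = std::str::from_utf8(&bytes[i + 1..i + 3]) {
                if let Ok(v) = u8::from_str_radix(hex, 16) {
                    out.push(v);
                    i += 3;
                    continue;
                }
            }
        }
        out.push(bytes[i]);
        i += 1;
    }
    String::from_utf8_lossy(&out).into_owned()
}

/// HTML-escape the five characters that matter in element and
/// attribute context.
fn html_escape(s: &str) -> String {
    let mut out = String::with_capacity(s.len());
    for c in s.chars() {
        match c {
            '&' => out.push_str("&amp;"),
            '<' => out.push_str("&lt;"),
            '>' => out.push_str("&gt;"),
            '"' => out.push_str("&quot;"),
            '\'' => out.push_str("&#39;"),
            _ => out.push(c),
        }
    }
    out
}

/// Vulnerable rendering: the decoded path goes straight into the page.
fn list_html_unescaped(current_path: &str, entries: &[&str]) -> String {
    let mut html = format!("<h1>Index of {}</h1>\n<ul>\n", current_path);
    for e in entries {
        html.push_str(&format!("<li><a href=\"{}/{}\">{}</a></li>\n", current_path, e, e));
    }
    html.push_str("</ul>");
    html
}

/// Fixed rendering: the path and each entry name are escaped before
/// they are placed into the HTML.
fn list_html_escaped(current_path: &str, entries: &[&str]) -> String {
    let safe_path = html_escape(current_path);
    let mut html = format!("<h1>Index of {}</h1>\n<ul>\n", safe_path);
    for e in entries {
        let safe_e = html_escape(e);
        html.push_str(&format!("<li><a href=\"{}/{}\">{}</a></li>\n", safe_path, safe_e, safe_e));
    }
    html.push_str("</ul>");
    html
}

/// Models the pipeline: decode for matching, then render. Returns the
/// (vulnerable_page, fixed_page) pair for the same request.
fn render_both(request_path: &str, entries: &[&str]) -> (String, String) {
    let decoded = percent_decode(request_path);
    (list_html_unescaped(&decoded, entries), list_html_escaped(&decoded, entries))
}

fn main() {
    // Constructed request: the script marker is percent-encoded in the URL,
    // as a browser would send it, and the listed directory has subdirectories.
    let req = "/files/%3Cscript%3Ealert(1)%3C/script%3E";
    let entries = ["styles", "scripts"];
    let (bad, good) = render_both(req, &entries);
    println!("--- unescaped ---\n{bad}\n--- escaped ---\n{good}");
}
```

Escaping covers the HTML text and attribute contexts shown here; a value that is also emitted inside an href additionally needs URL-context encoding, which this example does not perform. The decoder is deliberately tiny and does not reject over-long or malformed sequences; a real framework's decoder, not this one, defines what reaches the renderer.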

Advisories
Source        ID                    Title
GitHub GHSA   GHSA-rjf8-2wcw-f6mp   Salvo is vulnerable to reflected XSS in the list_html function
History

Thu, 05 Mar 2026 17:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Salvo
                                       Salvo salvo
CPEs                                   cpe:2.3:a:salvo:salvo:*:*:*:*:*:rust:*:*
Vendors & Products                     Salvo
                                       Salvo salvo

Fri, 09 Jan 2026 13:30:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Salvo-rs
                                       Salvo-rs salvo
Vendors & Products                     Salvo-rs
                                       Salvo-rs salvo

Thu, 08 Jan 2026 19:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 08 Jan 2026 18:30:00 +0000

Type          Values Removed   Values Added
Description                    Salvo is a Rust web backend framework. Prior to version 0.88.1, the function list_html generate an file view of a folder which include a render of the current path, in which its inserted in the HTML without proper sanitation, this leads to reflected XSS using the fact that request path is decoded and normalized in the matching stage but not is inserted raw in the html view (current.path), the only constraint here is for the root path (eg. /files in the PoC example) to have a sub directory (e.g common ones styles/scripts/etc…) so that the matching return the list HTML page instead of the Not Found page. This issue has been patched in version 0.88.1.
Title                          Salvo is vulnerable to reflected XSS in the list_html function
Weaknesses                     CWE-79
References
Metrics                        cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-08T18:39:58.946Z

Reserved: 2026-01-07T05:19:12.922Z

Link: CVE-2026-22256

Vulnrichment

Updated: 2026-01-08T18:39:35.888Z

NVD

Status : Analyzed

Published: 2026-01-08T19:16:00.107

Modified: 2026-03-05T17:43:05.760

Link: CVE-2026-22256

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T07:45:24Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')