Salvo is a Rust web backend framework. Prior to version 0.88.1, its list_html function renders a directory listing without sanitizing file or folder names. An attacker who can upload a file with a maliciously crafted name that includes script tags can cause the generated page to execute that script in the browsers of any user who views the listing. The vulnerability is a stored cross‑site scripting flaw that could be exploited to steal session information, deface sites, or perform other malicious actions as the victim user. The description indicates that the issue arises when public files are accessible and the framework does not validate filenames.

Versions of Salvo earlier than 0.88.1, including 0.88.0 and earlier releases, are affected because the bug resides in the crates/serve-static/src/dir.rs file. The vulnerability was fixed in commit 16efeba... and is addressed in the 0.88.1 release announced by the maintainers. Any deployments that still use the vulnerable code and allow file uploads to the directory listing endpoint remain exposed. The affected product is the Salvo Rust crate, as listed by the CNA.

The CVSS score of 8.8 signals a high impact. Although the EPSS score is below 1 % and the vulnerability is not currently in CISA’s KEV catalog, the possibility of an attacker being able to upload arbitrary filenames gives the flaw a potentially wide‑scope attack surface. The exploitation path requires the attacker only to supply a file name containing script content; if the target site permits unauthenticated uploads, the risk level rises. Once the malicious name is displayed, the script runs in the context of any user that views the directory listing, compromising confidentiality and integrity of the application and its users.