CVE-2026-22256
Published: 08 January 2026
Summary
CVE-2026-22256 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Salvo, a Rust web backend framework. Its CVSS base score is 8.8 (High).
Exploitation maps to the MITRE ATT&CK technique Browser Session Hijacking (T1185). The vulnerability ranks at the 8.8th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-15 directly prevents reflected XSS by requiring filtering of outputs like the raw request path inserted into HTML directory listings.
SI-10 requires validation of information inputs such as decoded request paths to block malicious XSS payloads before they reach the HTML rendering stage.
SI-2 mandates timely flaw remediation, including patching Salvo to version 0.88.1, to eliminate the unsanitized path insertion vulnerability.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Reflected XSS enables malicious link delivery (spearphishing) followed by browser session hijacking and web session cookie theft.
NVD Description
Salvo is a Rust web backend framework. Prior to version 0.88.1, the function list_html generates a file view of a folder which includes a render of the current path, which is inserted in the HTML without proper sanitation. This leads to reflected XSS, using the fact that the request path is decoded and normalized in the matching stage but is inserted raw in the HTML view (current.path). The only constraint here is for the root path (e.g. /files in the PoC example) to have a subdirectory (e.g. common ones such as styles/scripts/etc.) so that the matching returns the list HTML page instead of the Not Found page. This issue has been patched in version 0.88.1.
Deeper analysis
CVE-2026-22256 is a reflected cross-site scripting (XSS) vulnerability (CWE-79) in Salvo, a Rust web backend framework. It affects versions prior to 0.88.1, specifically the `list_html` function in `dir.rs` of the serve-static crate. The issue arises when generating an HTML file view for a folder: the current request path, which is decoded and normalized during the matching stage, is inserted raw into the HTML without sanitization, so any markup carried in the path is rendered as markup rather than as text.
Remote unauthenticated attackers can exploit this vulnerability over the network with low complexity by crafting a malicious request path targeting a root path (e.g., /files) that has subdirectories (such as styles or scripts), ensuring the server returns the directory listing HTML page instead of a Not Found response. Exploitation requires user interaction, such as a victim visiting a malicious URL, and carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:L). Successful attacks can lead to high confidentiality impact, such as theft of sensitive data like session cookies, with low impacts on integrity and availability due to the changed scope.
The vulnerability has been patched in Salvo version 0.88.1. The GitHub security advisory (GHSA-rjf8-2wcw-f6mp) details the issue, and the source code change is visible in the commit at crates/serve-static/src/dir.rs#L593. Security practitioners should upgrade to version 0.88.1 or later and review directory listing configurations to mitigate exposure.
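As an added example (not Salvo's code, and not taken from the advisory or the fix commit), the following Rust program places the rendering pattern the analysis above describes beside a hardened version that escapes the decoded path before it lands in the listing markup, which is the SI-15 output-filtering control named earlier applied at the exact point of insertion. The function names `html_escape`, `list_html_unescaped` and `list_html_escaped`, and the sample path, are hypothetical; Salvo's actual `list_html` signature is not reproduced here.

```rust
// Added example, not Salvo's code. Function names and the sample path are
// hypothetical; only the pattern (untrusted path interpolated into HTML)
// mirrors the advisory.

/// Escape the five characters that can change HTML context. Escaping
/// quotes as well makes the same helper safe for quoted attribute values.
fn html_escape(input: &str) -> String {
    let mut out = String::with_capacity(input.len());
    for c in input.chars() {
        match c {
            '&' => out.push_str("&amp;"),
            '<' => out.push_str("&lt;"),
            '>' => out.push_str("&gt;"),
            '"' => out.push_str("&quot;"),
            '\'' => out.push_str("&#x27;"),
            _ => out.push(c),
        }
    }
    out
}

/// Vulnerable pattern: the decoded request path is interpolated raw, so any
/// markup characters in it become part of the page structure.
fn list_html_unescaped(current_path: &str, entries: &[&str]) -> String {
    let mut html = format!("<h1>Index of {}</h1>\n<ul>\n", current_path);
    for e in entries {
        html.push_str(&format!("<li><a href=\"{}\">{}</a></li>\n", e, e));
    }
    html.push_str("</ul>");
    html
}

/// Hardened pattern: every untrusted value is escaped for the context it
/// lands in (element text for the heading, quoted attribute and text for links).
fn list_html_escaped(current_path: &str, entries: &[&str]) -> String {
    let mut html = format!("<h1>Index of {}</h1>\n<ul>\n", html_escape(current_path));
    for e in entries {
        let safe = html_escape(e);
        html.push_str(&format!("<li><a href=\"{}\">{}</a></li>\n", safe, safe));
    }
    html.push_str("</ul>");
    html
}

fn main() {
    // Constructed sample: a decoded request path that carries markup characters,
    // served under a root that has real subdirectories (the advisory's precondition).
    let path = "/files/<b>bold</b>";
    let entries = ["styles/", "scripts/"];
    println!("--- unescaped (vulnerable) ---\n{}", list_html_unescaped(path, &entries));
    println!("--- escaped (hardened) ---\n{}", list_html_escaped(path, &entries));
}
```

The escaping belongs at the template boundary, not in the router: the matching stage legitimately decodes and normalizes the path for filesystem lookup, and that decoded string is precisely the untrusted value that must be re-encoded for the HTML context it is written into.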
Details
- CWE(s): CWE-79 (Cross-site Scripting)