Cyber Resilience

CVE-2026-22257

High · Public PoC

Published: 08 January 2026
Modified: 05 March 2026
KEV Added: not listed
Patch: available (version 0.88.1)
CVSS Score (v3.1): 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:L)
EPSS Score: 0.0030 (21.5th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-22257 is a high-severity Cross-site Scripting (CWE-79) vulnerability in the Salvo web framework (vendor: Salvo). Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 21.5th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2026-22257 is a cross-site scripting (XSS) vulnerability, classified under CWE-79, affecting the Salvo Rust web backend framework prior to version 0.88.1. The issue resides in the list_html function within the serve-static crate, which generates an HTML view of a folder's contents without sanitizing file or folder names. This flaw can lead to XSS when a website exposes public file access via this feature and permits file uploads.

An attacker needs no privileges (PR:N) and can reach the flaw over the network (AV:N) with low attack complexity (AC:L); the only user interaction required is that a victim view the directory listing (UI:R), and the impact crosses a scope boundary (S:C) because the injected script runs in the victim's browser rather than in the serving application. By uploading files with malicious names to a directory exposed through this feature, an unauthenticated attacker triggers the XSS when the list_html output is rendered, achieving high confidentiality impact (C:H), low integrity impact (I:L), and low availability impact (A:L), as reflected in the CVSS v3.1 base score of 8.8.

The vulnerability has been addressed in Salvo version 0.88.1. Security advisories recommend upgrading to this patched version. Additional details are available in the GitHub Security Advisory at https://github.com/salvo-rs/salvo/security/advisories/GHSA-54m3-5fxr-2f3j and the affected code at https://github.com/salvo-rs/salvo/blob/16efeba312a274739606ce76366d921768628654/crates/serve-static/src/dir.rs#L581.
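To make the root cause concrete, the following is an added example (not Salvo's code and not taken from the advisory): a simplified directory-listing renderer in the vulnerable shape, where file names are interpolated verbatim into the HTML, next to a hardened version that HTML-escapes every untrusted name before it reaches the markup. The `list_html_*` and `escape_html` names are hypothetical, and the sample file names are constructed.

```rust
/// Escape the characters that can change meaning inside HTML text and
/// double-quoted attribute values.
fn escape_html(input: &str) -> String {
    let mut out = String::with_capacity(input.len());
    for c in input.chars() {
        match c {
            '&' => out.push_str("&amp;"),
            '<' => out.push_str("&lt;"),
            '>' => out.push_str("&gt;"),
            '"' => out.push_str("&quot;"),
            '\'' => out.push_str("&#x27;"),
            _ => out.push(c),
        }
    }
    out
}

/// Vulnerable pattern (illustrative): names are interpolated verbatim, so a
/// file name that contains markup characters becomes live markup in the page.
fn list_html_unescaped(dir: &str, names: &[&str]) -> String {
    let mut html = format!("<h1>Index of {}</h1>\n<ul>\n", dir);
    for name in names {
        html.push_str(&format!("<li><a href=\"{}\">{}</a></li>\n", name, name));
    }
    html.push_str("</ul>\n");
    html
}

/// Hardened pattern: every untrusted value is escaped before it reaches the
/// output. (A production version would also percent-encode the href target.)
fn list_html_escaped(dir: &str, names: &[&str]) -> String {
    let mut html = format!("<h1>Index of {}</h1>\n<ul>\n", escape_html(dir));
    for name in names {
        let safe = escape_html(name);
        html.push_str(&format!("<li><a href=\"{}\">{}</a></li>\n", safe, safe));
    }
    html.push_str("</ul>\n");
    html
}

fn main() {
    // Constructed sample names: one ordinary, one carrying markup characters.
    let names = ["readme.txt", "<b>bold</b>.txt"];
    println!("{}", list_html_unescaped("/files", &names));
    println!("{}", list_html_escaped("/files", &names));
}
```

A quick regression check for a fix of this kind is to upload a file whose name contains `<`, `>` or `"` to a test instance and confirm the listing source shows the entity-encoded form only.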


Vulnerability details

Salvo is a Rust web backend framework. Prior to version 0.88.1, the function list_html generates a file view of a folder without sanitizing the file or folder names; this may potentially lead to XSS in cases where a website allows access to public files using this feature and anyone can upload a file. This issue has been patched in version 0.88.1.

CWE(s)

CWE-79 Cross-site Scripting

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1185 Browser Session Hijacking (Collection)
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user behaviors, and intercept information as part of various browser session hijacking techniques.

T1539 Steal Web Session Cookie (Credential Access)
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.
Why these techniques?

XSS in a public-facing serve-static directory listing directly enables remote exploitation of the web application (T1190) and, through injected scripts, facilitates browser session hijacking or session cookie theft (T1185, T1539).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-22256 (same product: Salvo Salvo)
CVE-2026-33242 (same product: Salvo Salvo)
CVE-2026-33241 (same product: Salvo Salvo)
CVE-2024-10152 (shared CWE-79)
CVE-2018-25248 (shared CWE-79)
CVE-2025-25169 (shared CWE-79)
CVE-2026-32728 (shared CWE-79)
CVE-2024-41746 (shared CWE-79)
CVE-2025-25062 (shared CWE-79)
CVE-2026-27245 (shared CWE-79)

Affected Assets

Vendor: salvo
Product: salvo
Versions: ≤ 0.88.1

Mitigating Controls (NIST 800-53 r5; AI)

SI-15 Information Output Filtering (prevent)
Requires filtering of information output to web browsers, directly preventing XSS execution from unsanitized file and folder names in directory listings generated by list_html.

SI-2 Flaw Remediation (prevent)
Mandates timely identification, reporting, and correction of system flaws, such as patching Salvo to version 0.88.1 to fix the sanitization vulnerability.

SI-10 Information Input Validation (prevent)
Enforces validation of inputs such as uploaded file names to block malicious payloads that could trigger XSS when rendered in directory listings.
