Cyber Posture

CVE-2026-22257

Severity: High · Public PoC

Published: 08 January 2026
Modified: 05 March 2026
KEV Added: not listed in CISA KEV
Patch: fixed in version 0.88.1
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:L)
EPSS Score: 0.0003 (8.8th percentile)
Risk Priority: 18 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-22257 is a high-severity Cross-site Scripting (CWE-79) vulnerability in the Salvo web framework (vendor: Salvo, product: Salvo). Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 8.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 2 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) · AI

SI-15 Information Output Filtering · prevent
Requires filtering of information output to web browsers, directly preventing XSS execution from unsanitized file and folder names in directory listings generated by list_html.

SI-2 Flaw Remediation · prevent
Mandates timely identification, reporting, and correction of system flaws, such as patching Salvo to version 0.88.1 to fix the sanitization vulnerability.

SI-10 Information Input Validation · prevent
Enforces validation of inputs such as uploaded file names to block malicious payloads that could trigger XSS when rendered in directory listings.

MITRE ATT&CK Enterprise Techniques · AI

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1185 Browser Session Hijacking (Collection)
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user behaviors, and intercept information as part of various browser session hijacking techniques.
T1539 Steal Web Session Cookie (Credential Access)
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.
Why these techniques?

XSS in the public-facing serve-static directory listing directly enables remote exploitation of the web application (T1190) and, through injected scripts, facilitates browser session hijacking or session cookie theft (T1185, T1539).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Salvo is a Rust web backend framework. Prior to version 0.88.1, the function list_html generates a file view of a folder without sanitizing file or folder names; this may potentially lead to XSS in cases where a website allows access to public files using this feature and anyone can upload a file. This issue has been patched in version 0.88.1.

Deeper analysis · AI

CVE-2026-22257 is a cross-site scripting (XSS) vulnerability, classified under CWE-79, affecting the Salvo Rust web backend framework prior to version 0.88.1. The issue resides in the list_html function within the serve-static crate, which generates an HTML view of a folder's contents without sanitizing file or folder names. This flaw can lead to XSS when a website exposes public file access via this feature and permits file uploads.

Attackers without privileges (PR:N) can exploit this vulnerability over the network (AV:N) with low attack complexity (AC:L); the only user interaction required is a victim viewing the directory listing (UI:R), and because the injected script runs in the victim's browser rather than in the server's security context, the scope is changed (S:C). By uploading files with malicious names to an accessible directory, an unauthenticated attacker triggers XSS when the list_html output is rendered, with high confidentiality impact (C:H), low integrity impact (I:L), and low availability impact (A:L), as reflected in the CVSS v3.1 base score of 8.8.

The vulnerability has been addressed in Salvo version 0.88.1. Security advisories recommend upgrading to this patched version. Additional details are available in the GitHub Security Advisory at https://github.com/salvo-rs/salvo/security/advisories/GHSA-54m3-5fxr-2f3j and the affected code at https://github.com/salvo-rs/salvo/blob/16efeba312a274739606ce76366d921768628654/crates/serve-static/src/dir.rs#L581.
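The unsanitized listing pattern described above, beside a hardened renderer that applies output filtering (the SI-15 control) and an upload-name validator (the SI-10 control), as an added example in Rust. This is not Salvo's code and not code from the advisory; every function name (html_escape, percent_encode_segment, list_html_unsafe, list_html_safe, is_acceptable_upload_name, leaks_raw_tag) is an assumption and the sample file names are constructed.

```rust
// Added example, not code from Salvo or from this advisory: a minimal
// directory-listing renderer showing the unsanitized pattern the advisory
// describes beside a hardened version that applies output filtering (SI-15)
// and an upload-name validator (SI-10). Every name below is an assumption.

/// Escape the characters that are significant in HTML text and attribute contexts.
fn html_escape(input: &str) -> String {
    let mut out = String::with_capacity(input.len());
    for c in input.chars() {
        match c {
            '&' => out.push_str("&amp;"),
            '<' => out.push_str("&lt;"),
            '>' => out.push_str("&gt;"),
            '"' => out.push_str("&quot;"),
            '\'' => out.push_str("&#x27;"),
            _ => out.push(c),
        }
    }
    out
}

/// Percent-encode one path segment for an href, keeping only RFC 3986
/// unreserved characters literal.
fn percent_encode_segment(input: &str) -> String {
    let mut out = String::with_capacity(input.len());
    for b in input.bytes() {
        match b {
            b'A'..=b'Z' | b'a'..=b'z' | b'0'..=b'9' | b'-' | b'.' | b'_' | b'~' => {
                out.push(b as char)
            }
            _ => out.push_str(&format!("%{:02X}", b)),
        }
    }
    out
}

/// Vulnerable pattern: entry names are interpolated verbatim, so a name that
/// contains markup becomes live HTML in the listing.
fn list_html_unsafe(names: &[&str]) -> String {
    let mut html = String::from("<ul>\n");
    for name in names {
        html.push_str(&format!("<li><a href=\"{}\">{}</a></li>\n", name, name));
    }
    html.push_str("</ul>\n");
    html
}

/// Hardened pattern: each name is encoded for the context it lands in
/// (percent-encoding inside the href, HTML escaping inside the text node).
fn list_html_safe(names: &[&str]) -> String {
    let mut html = String::from("<ul>\n");
    for name in names {
        html.push_str(&format!(
            "<li><a href=\"{}\">{}</a></li>\n",
            percent_encode_segment(name),
            html_escape(name)
        ));
    }
    html.push_str("</ul>\n");
    html
}

/// Input-validation layer for an upload endpoint: accept only plain file names
/// (no path separators, no markup characters, no control characters).
fn is_acceptable_upload_name(name: &str) -> bool {
    !name.is_empty()
        && name != "."
        && name != ".."
        && name.chars().all(|c| {
            !c.is_control() && !matches!(c, '<' | '>' | '"' | '\'' | '&' | '/' | '\\')
        })
}

/// Regression check for a test suite: does a rendered listing still contain
/// a raw tag taken from an untrusted name?
fn leaks_raw_tag(rendered: &str, name: &str) -> bool {
    name.contains('<') && rendered.contains(name)
}

fn main() {
    // Constructed sample names; the second is the kind of upload that
    // becomes active markup when rendered unescaped.
    let names = ["readme.txt", "<script>x</script>.txt"];
    println!("--- unsafe ---\n{}", list_html_unsafe(&names));
    println!("--- safe ---\n{}", list_html_safe(&names));
    for n in names {
        println!("upload {:?} acceptable: {}", n, is_acceptable_upload_name(n));
    }
}
```

The two encoders are deliberately separate: the href attribute is a URL context and the link text is an HTML text context, and a name must be encoded for each context it is placed in. Input validation at upload time is a second layer, not a replacement for output escaping, since files can reach the served directory by other routes than the upload handler.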

Details

CWE(s): CWE-79 (Cross-site Scripting)

Affected Products
Vendor: salvo · Product: salvo · Versions: ≤ 0.88.1

CVEs Like This One

CVE-2026-22256 (same product: Salvo Salvo)
CVE-2026-33242 (same product: Salvo Salvo)
CVE-2026-33241 (same product: Salvo Salvo)
CVE-2025-0817 (shared CWE-79)
CVE-2026-24665 (shared CWE-79)
CVE-2026-32728 (shared CWE-79)
CVE-2026-2072 (shared CWE-79)
CVE-2024-55227 (shared CWE-79)
CVE-2025-25062 (shared CWE-79)
CVE-2024-51700 (shared CWE-79)

References