CVE-2026-22256

8.8 HIGH

📋 TL;DR

This is a reflected cross-site scripting (XSS) vulnerability in the Salvo Rust web framework's directory listing functionality. Attackers can inject malicious scripts via URL paths that get rendered without proper sanitization in the HTML file view. Any application using Salvo's static file serving with directory listing enabled is affected.
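To make the bug class concrete, here is an added illustration that is not Salvo's code and does not reproduce the patched function: the function names, the listing layout and the request path are constructed for this example. It renders a directory listing from a request path and entry names, first with the untrusted strings concatenated straight into the HTML (the pattern the advisory describes) and then with every untrusted string escaped at the point it is written into HTML, which is the class of fix a vulnerability like this needs.

```rust
// Added illustration of the bug class (not Salvo's code): a directory
// listing that writes request-derived path segments into HTML.
// `render_listing_unescaped` shows the vulnerable pattern; `render_listing`
// escapes every untrusted string before it reaches the HTML output.

/// Minimal HTML escaper for text nodes and double-quoted attribute values.
/// (For href values a URL encoder is also appropriate; escaping the quote is
/// what prevents breaking out of the attribute.)
fn html_escape(input: &str) -> String {
    let mut out = String::with_capacity(input.len());
    for c in input.chars() {
        match c {
            '&' => out.push_str("&amp;"),
            '<' => out.push_str("&lt;"),
            '>' => out.push_str("&gt;"),
            '"' => out.push_str("&quot;"),
            '\'' => out.push_str("&#x27;"),
            _ => out.push(c),
        }
    }
    out
}

/// Vulnerable pattern: the request path and entry names are concatenated
/// into the HTML, so a path segment containing `<script>` becomes markup.
fn render_listing_unescaped(request_path: &str, entries: &[&str]) -> String {
    let mut html = format!("<h1>Index of {}</h1>\n<ul>\n", request_path);
    for name in entries {
        html.push_str(&format!(
            "<li><a href=\"{}/{}\">{}</a></li>\n",
            request_path, name, name
        ));
    }
    html.push_str("</ul>\n");
    html
}

/// Hardened version: every untrusted value is escaped, once, where it is
/// written into HTML; the surrounding markup is still a static template.
fn render_listing(request_path: &str, entries: &[&str]) -> String {
    let safe_path = html_escape(request_path);
    let mut html = format!("<h1>Index of {}</h1>\n<ul>\n", safe_path);
    for name in entries {
        let safe_name = html_escape(name);
        html.push_str(&format!(
            "<li><a href=\"{}/{}\">{}</a></li>\n",
            safe_path, safe_name, safe_name
        ));
    }
    html.push_str("</ul>\n");
    html
}

/// True if the rendered page still contains a raw `<tag` opener for `tag`.
fn contains_raw_tag(html: &str, tag: &str) -> bool {
    html.contains(&format!("<{}", tag))
}

fn main() {
    // Constructed request path carrying a script tag in a subdirectory segment.
    let path = "/static/<script>alert(1)</script>";
    let entries = ["README.md", "notes.txt"];
    println!("--- unescaped ---\n{}", render_listing_unescaped(path, &entries));
    println!("--- escaped ---\n{}", render_listing(path, &entries));
}
```

The escaped output still shows the odd directory name to the user, but as text (`&lt;script&gt;`), not as markup; that is the behaviour to look for when testing a directory listing endpoint after the upgrade.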

💻 Affected Systems

Products:
  • Salvo Rust web framework
Versions: All versions prior to 0.88.1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires directory listing functionality to be enabled and accessible via a path with subdirectories.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Attackers can execute arbitrary JavaScript in victims' browsers, potentially stealing session cookies, performing actions as the user, or redirecting to malicious sites.

🟠 Likely Case: Session hijacking, credential theft, or defacement of the directory listing page through script injection.

🟢 If Mitigated: Limited impact if directory listing is disabled or proper input validation is implemented elsewhere.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires crafting malicious URLs but is straightforward once the vulnerable endpoint is identified.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.88.1

Vendor Advisory: https://github.com/salvo-rs/salvo/security/advisories/GHSA-rjf8-2wcw-f6mp

Restart Required: Yes

Instructions:

1. Update the Salvo dependency to version 0.88.1 or later in Cargo.toml.
2. Run 'cargo update'.
3. Rebuild and redeploy the application.

🔧 Temporary Workarounds

Disable directory listing (applies to: all)

Disable the directory listing functionality in Salvo's static file serving configuration: modify the Salvo configuration to disable directory listing for static file routes.

Implement WAF rules (applies to: all)

Add web application firewall rules to block malicious path patterns containing script tags or JavaScript.

🧯 If You Can't Patch

  • Disable directory listing functionality entirely in Salvo configuration
  • Implement reverse proxy with input sanitization for path parameters

🔍 How to Verify

Check if Vulnerable:

Check if Salvo version is below 0.88.1 and directory listing is enabled for static file routes.

Check Version:

grep -A1 'salvo' Cargo.lock | grep version

Verify Fix Applied:

Verify Salvo version is 0.88.1 or higher in Cargo.lock and test directory listing endpoints with XSS payloads.

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests with suspicious characters in path parameters (e.g., <script>, javascript:, onerror=)

Network Indicators:

  • Unusual GET requests to directory listing endpoints with encoded script payloads

SIEM Query:

http.method:GET AND http.uri:*<script>* AND http.user_agent:*Salvo*
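A plain substring match on the raw URI, like the query above, misses payloads that arrive percent-encoded or double-encoded, which is how the "encoded script payloads" named under Network Indicators typically look in an access log. The following added example is not part of the advisory: the log lines, addresses and function names are constructed. It percent-decodes each request path repeatedly (up to three rounds, to catch double encoding), lower-cases it, and then checks for the indicators listed above.

```rust
// Added detection example (not from the advisory): scan constructed access
// log lines in Common Log Format for the path indicators listed above.
// Paths are percent-decoded (up to three rounds) and lower-cased before
// matching so that encoded payloads such as %3Cscript%3E are not missed.

/// Indicators taken from the Log Indicators list above.
const INDICATORS: &[&str] = &["<script", "javascript:", "onerror="];

/// Constructed sample log; 203.0.113.0/24 is a documentation range.
const SAMPLE_LOG: &str = "\
203.0.113.10 - - [10/Jan/2026:12:00:01 +0000] \"GET /static/docs/ HTTP/1.1\" 200 812
203.0.113.11 - - [10/Jan/2026:12:00:02 +0000] \"GET /static/%3Cscript%3Ealert(1)%3C/script%3E/ HTTP/1.1\" 200 1203
203.0.113.12 - - [10/Jan/2026:12:00:03 +0000] \"GET /static/%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E/ HTTP/1.1\" 404 0
203.0.113.13 - - [10/Jan/2026:12:00:04 +0000] \"GET /static/javascript:void(0)/ HTTP/1.1\" 404 0
203.0.113.14 - - [10/Jan/2026:12:00:05 +0000] \"POST /login HTTP/1.1\" 302 0
";

#[derive(Debug)]
struct Hit<'a> {
    line: &'a str,
    method: String,
    path: String,
    indicator: &'static str,
}

fn hex_val(b: u8) -> Option<u8> {
    match b {
        b'0'..=b'9' => Some(b - b'0'),
        b'a'..=b'f' => Some(b - b'a' + 10),
        b'A'..=b'F' => Some(b - b'A' + 10),
        _ => None,
    }
}

/// Decode one round of %XX escapes; malformed escapes are kept verbatim.
fn percent_decode(input: &str) -> String {
    let bytes = input.as_bytes();
    let mut out = Vec::with_capacity(bytes.len());
    let mut i = 0;
    while i < bytes.len() {
        if bytes[i] == b'%' && i + 2 < bytes.len() {
            if let (Some(hi), Some(lo)) = (hex_val(bytes[i + 1]), hex_val(bytes[i + 2])) {
                out.push(hi << 4 | lo);
                i += 3;
                continue;
            }
        }
        out.push(bytes[i]);
        i += 1;
    }
    String::from_utf8_lossy(&out).into_owned()
}

/// Decode until the path stops changing (max three rounds), then lower-case.
fn normalize_path(raw: &str) -> String {
    let mut cur = raw.to_string();
    for _ in 0..3 {
        let next = percent_decode(&cur);
        if next == cur {
            break;
        }
        cur = next;
    }
    cur.to_lowercase()
}

/// Parse the quoted request line of a CLF entry and test the normalized path.
fn scan_line(line: &str) -> Option<Hit<'_>> {
    let request = line.splitn(3, '"').nth(1)?;
    let mut parts = request.split_whitespace();
    let method = parts.next()?;
    let uri = parts.next()?;
    let path = normalize_path(uri);
    let indicator = INDICATORS.iter().copied().find(|ind| path.contains(*ind))?;
    Some(Hit { line, method: method.to_string(), path, indicator })
}

fn scan_log(log: &str) -> Vec<Hit<'_>> {
    log.lines().filter_map(scan_line).collect()
}

fn main() {
    for hit in scan_log(SAMPLE_LOG) {
        println!(
            "ALERT {} {} matched {:?}\n  raw: {}",
            hit.method, hit.path, hit.indicator, hit.line
        );
    }
}
```

Running it flags three of the five constructed lines (the plain, the single-encoded and the double-encoded payload) and leaves the benign requests alone; the same normalization step is what a WAF rule or SIEM query needs in front of any indicator match.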
