8.8

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2026-22256

CVE-2026-22256: Salvo is vulnerable to reflected XSS in the list_html function

Summary

The function list_html generates an file view of a folder which includes a render of the current path, in which its inserted in the HTML without proper sanitation, leading to reflected XSS. The request path is decoded and normalized in the matching stage but is not inserted raw in the HTML view (current.path). The only constraint here is for the root path (e.g., /files in the PoC example) to have a subdirectory (e. g., common ones like styles/scripts/etc.) so that the matching returns the list HTML page instead of the Not Found page.

Details

The vulnerable snippet of code is the following: dir.rs

// ... fn list_html(...
    let mut ftxt = format!(
        r#"<!DOCTYPE html><html><head>
        <meta charset="utf-8">
        <meta name="viewport" content="width=device-width">
        <title>{}</title>
        <style>{}</style></head><body><header><h3>Index of: {}</h3></header><hr/>"#,
        current.path,
        HTML_STYLE,
        header_links(&current.path)
    );
// ...

As seen here <title>{}</title> it is inserted unsafely.

PoC

https://github.com/user-attachments/assets/92a29a67-547b-40a5-af26-f1b0dd332702

Here is the example app, note this doesn’t need an upload feature (e.g to the other reported vulnerability), only the sub-folder is required.

main.rs

use salvo::prelude::*;
use salvo::serve_static::StaticDir;
use tokio::fs;

#[tokio::main]
async fn main() {
    tracing_subscriber::fmt().init();
    fs::create_dir_all("uploads").await.expect("create uploads dir");

    let router = Router::new()
        .push(
            Router::with_path("files/{**rest_path}")
                .get(StaticDir::new("uploads").auto_list(true)),
        );

    let acceptor = TcpListener::new("127.0.0.1:5800").bind().await;
    Server::new(acceptor).serve(router).await;
}

Cargo.toml

[package]
name = "salvo-staticdir-xss-poc"
version = "0.1.0"
edition = "2024"

[dependencies]
salvo = { version = "0.85.0", features = ["serve-static"] }
tokio = { version = "1", features = ["macros", "rt-multi-thread", "fs"] }
tracing-subscriber = "0.3"

Setup commands:

mkdir uploads
mkdir uploads/bla

Impact

JavaScript execution, most likely leading to an account takeover, depending on the site's constraint (CSP, etc…).

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2026-22256

CVE-2026-22256:

8.8

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
salvo	rust	< 0.88.1	0.88.1

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability, a reflected XSS, is located in the list_html function of the salvo web framework, specifically within the salvo_serve_static crate. The vulnerability description explicitly points to this function and the unsanitized use of current.path. By analyzing the commits between the last vulnerable version (0.88.0) and the first patched version (0.88.1), I identified the fixing commit 6f1f42c447b0ee8efc752f763b8a46791b4b5113. The patch within this commit clearly shows the introduction of the encode_url_path function to sanitize the path before it's embedded in the HTML response inside the list_html function in crates/serve-static/src/dir.rs. The vulnerable code was directly using the request path in the HTML, which is a classic reflected XSS vulnerability. The fix involves escaping the user-provided path, which confirms the function's role in the vulnerability.

Vulnerable functions

salvo::serve_static::dir::list_html

crates/serve-static/src/dir.rs

The function `list_html` was vulnerable to reflected Cross-Site Scripting (XSS). It directly used the `current.path` value, derived from the request URL, within the `<title>` tag of the generated HTML directory listing page. This allowed an attacker to inject malicious scripts into the page by crafting a URL with a malicious path. The patch mitigates this by encoding the path using the `encode_url_path` function before it is rendered in the HTML, thus preventing the script injection.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

8.8

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2026-22256: Salvo is vulnerable to reflected XSS in the list_html function

Summary

Details

PoC

Impact

CVE-2026-22256:

8.8

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Basic Information

Basic Information

CVE-2026-22256: Salvo is vulnerable to reflected XSS in the list_html function

Summary

Details

PoC

Impact

Technical Details

8.8

8.8

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI