Advisory Database
  • Advisories
  • Dependency Scanning
  1. cargo
  2. ›
  3. rama
  4. ›
  5. GHSA-cwv4-h3j5-w3cf

GHSA-cwv4-h3j5-w3cf: rama has Stored XSS in ServeDir HTML directory listing via unescaped file names and URI path

July 7, 2026

plabayo/rama contains a stored/reflected cross-site scripting issue in the ServeDir HTML directory listing feature.

When ServeDir is configured with DirectoryServeMode::HtmlFileList, file names and URI path components are inserted directly into generated HTML without HTML escaping. If an attacker can create or influence a file or directory name inside a served directory, they may inject HTML or JavaScript into the directory listing page.

This can execute script in the browser of any user who visits the affected directory listing.

References

  • github.com/advisories/GHSA-cwv4-h3j5-w3cf
  • github.com/plabayo/rama/commit/89ddff578fd78bbebec99482d7030f28c07757a3
  • github.com/plabayo/rama/security/advisories/GHSA-cwv4-h3j5-w3cf

Code Behaviors & Features

Detect and mitigate GHSA-cwv4-h3j5-w3cf with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →

Affected versions

All versions before 0.3.0-rc.1

Fixed versions

  • 0.3.0-rc.1

Solution

Upgrade to version 0.3.0-rc.1 or above.

Impact 3.7 LOW

CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:N

Learn more about CVSS

Weakness

  • CWE-116: Improper Encoding or Escaping of Output

Source file

cargo/rama/GHSA-cwv4-h3j5-w3cf.yml

Spotted a mistake? Edit the file on GitLab.

  • Site Repo
  • About GitLab
  • Terms
  • Privacy Statement
  • Contact

Page generated Wed, 08 Jul 2026 12:20:12 +0000.