CVE-2026-22257: Salvo is vulnerable to stored XSS in the list_html function by uploading files with malicious names

January 8, 2026

The function list_html generates a file view of a folder without sanitizing the files or folders names, potentially leading to XSS in cases where a website allows access to public files using this feature, allowing anyone to upload a file.

References

github.com/advisories/GHSA-54m3-5fxr-2f3j
github.com/salvo-rs/salvo
github.com/salvo-rs/salvo/blob/16efeba312a274739606ce76366d921768628654/crates/serve-static/src/dir.rs
github.com/salvo-rs/salvo/security/advisories/GHSA-54m3-5fxr-2f3j
nvd.nist.gov/vuln/detail/CVE-2026-22257

Code Behaviors & Features

Detect and mitigate CVE-2026-22257 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →