Salvo list_html XSS vulnerabilities CVE-2026-22256 and CVE-2026-22257 fixed in 0.88.1

Salvo patched reflected XSS in its directory listing (list_html); CVE-2026-22256 and an Isomer-listed CVE-2026-22257 are fixed in salvo 0.88.1 - update recommended.

By Jamie Taylor (2 min read)

Salvo, the Rust web backend framework, fixed a reflected Cross-Site Scripting bug in its built-in directory listing function list_html in release 0.88.1. The issue is tracked as CVE-2026-22256, and vendor reports cite the GitHub advisory GHSA-rjf8-2wcw-f6mp. NVD change history records "New CVE Received from GitHub, Inc. 1/08/2026 2:16:00 PM", and SentinelOne updated its CVE overview on January 22, 2026, advising immediate upgrades.

NVD and SentinelOne describe the root cause as the directory template rendering the request path without proper sanitization. NVD states that "the function list_html generate an file view of a folder which include a render of the current path, in which its inserted in the HTML without proper sanitation," and that the request path "is decoded and normalized in the matching stage but not is inserted raw in the html view (current.path)." In other words, the normalized path is only used to match the route; the value that reaches the HTML template (current.path) is never HTML-escaped, so markup in the request URL is reflected into the listing page. The NVD entry also notes a proof-of-concept constraint: "the only constraint here is for the root path (eg. /files in the PoC example) to have a sub directory (e.g common ones styles/scripts/etc…) so that the matching return the list HTML page instead of the Not Found page." The crafted request therefore has to resolve to an existing directory, since a path that resolves to nothing returns a Not Found page rather than the vulnerable listing.

The Salvo maintainers addressed the vulnerability in 0.88.1 by encoding the path before rendering. SentinelOne summarizes the patch: "The fix implements proper HTML entity encoding for the current.path value before inserting it into the directory listing HTML template." SentinelOne's remediation guidance is explicit for Cargo-based projects (the trailing command is reproduced here with the `--release` flag, which the extracted quote had lost):

# Update Salvo to patched version in Cargo.toml
# Change: salvo = "0.88.0" or earlier
# To: salvo = "0.88.1"
cargo update -p salvo
cargo build --release

Note that if Cargo.toml carries a caret requirement such as salvo = "0.88", `cargo update -p salvo` alone will pull 0.88.1 within that range; either way, confirm the resolved version afterwards with `cargo tree -i salvo` or by inspecting Cargo.lock, since a stale lockfile will keep building the vulnerable release.

A second identifier appears in one government mirror listing: CVE-2026-22257. Isomer's "More Details" text states that "Prior to version 0.88.1, the function list_html generates a file view of a folder without sanitizing the files or folders names, this may potentially lead to XSS in cases where a website allow the access to public files using this feature and anyone can upload a file. This issue has been patched in version 0.88.1." Unlike the reflected path issue, this describes a stored variant: an attacker who can upload a file with markup in its name gets that markup rendered to every visitor of the listing. The CVE-2026-22257 text is present only in the Isomer/Gov.sg snippet supplied here and was not corroborated in the NVD or SentinelOne excerpts, so treat CVE-2026-22257 as needing confirmation against the GitHub advisory or Salvo changelog.
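To make the defect class concrete for both issues above (the reflected current.path in CVE-2026-22256 and the unescaped entry names attributed to CVE-2026-22257), here is an added, self-contained Rust example. It is not Salvo's code and does not reproduce Salvo's template; the page layout, the function names `list_html_vulnerable` and `list_html_hardened`, the `html_escape` helper and the sample directory entries are all assumptions. It shows the vulnerable pattern (untrusted strings concatenated straight into markup) next to the hardened pattern the patch is described as adopting (HTML entity encoding before insertion).

```rust
// Added example, not Salvo's own code. Function names, HTML layout and
// sample inputs are assumptions made for illustration.

/// Entity-encode the characters that can break out of HTML text or
/// a double-quoted attribute value.
fn html_escape(s: &str) -> String {
    let mut out = String::with_capacity(s.len());
    for c in s.chars() {
        match c {
            '&' => out.push_str("&amp;"),
            '<' => out.push_str("&lt;"),
            '>' => out.push_str("&gt;"),
            '"' => out.push_str("&quot;"),
            '\'' => out.push_str("&#x27;"),
            _ => out.push(c),
        }
    }
    out
}

/// Vulnerable pattern: the request path and the entry names are written
/// into the page exactly as received. A path like
/// "/files/<script>alert(1)</script>/" or an uploaded file named
/// "<img src=x onerror=alert(2)>.txt" becomes live markup.
pub fn list_html_vulnerable(current_path: &str, entries: &[&str]) -> String {
    let mut html = format!("<h1>Index of {}</h1>\n<ul>\n", current_path);
    for name in entries {
        html.push_str(&format!("<li><a href=\"{}\">{}</a></li>\n", name, name));
    }
    html.push_str("</ul>");
    html
}

/// Hardened pattern: every untrusted value is entity-encoded at the point
/// of insertion, for both the heading and each list entry (link target and
/// link text). Entity encoding stops attribute breakout; a production
/// listing would additionally percent-encode the href as a URL.
pub fn list_html_hardened(current_path: &str, entries: &[&str]) -> String {
    let mut html = format!("<h1>Index of {}</h1>\n<ul>\n", html_escape(current_path));
    for name in entries {
        let safe = html_escape(name);
        html.push_str(&format!("<li><a href=\"{}\">{}</a></li>\n", safe, safe));
    }
    html.push_str("</ul>");
    html
}

/// Crude detector used to compare the two renderers: does the output
/// contain an unescaped tag opener for the payload?
pub fn contains_raw_tag(html: &str, tag: &str) -> bool {
    html.contains(&format!("<{}", tag))
}

fn main() {
    // Constructed inputs: a reflected payload carried in the request path
    // and a stored payload carried in an uploaded file's name.
    let path = "/files/<script>alert(1)</script>/";
    let entries = ["styles/", "notes.txt", "<img src=x onerror=alert(2)>.txt"];

    println!("--- vulnerable ---\n{}\n", list_html_vulnerable(path, &entries));
    println!("--- hardened ---\n{}", list_html_hardened(path, &entries));
}
```

Running the binary prints the same listing twice: the first copy contains the `<script>` and `<img ...>` tags verbatim, the second renders them as inert `&lt;script&gt;` and `&lt;img ...&gt;` text. Note that escaping has to happen everywhere an untrusted string meets the template, which is why a fix for the reflected path alone would not address the stored file-name variant.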

NVD maps the primary issue to CWE-79, "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')," and marks the CVE record "for NVD enrichment efforts." The provenance in the change history shows GitHub submitted the CVE to NVD, and SentinelOne points readers to the GitHub Security Advisory for patch details and linked commits.

If your service uses Salvo's directory listing or exposes public uploads, upgrade dependencies to salvo = "0.88.1" and rebuild the project immediately using the cargo commands above. Expect NVD to add further details during enrichment and check the GitHub Security Advisory GHSA-rjf8-2wcw-f6mp or Salvo 0.88.1 release notes for commit-level fixes and any maintainer guidance.
