CVE-2026-22256 is a reflected Cross-Site Scripting (XSS) vulnerability classified under CWE-79, found in the Salvo Rust web backend framework before version 0.88.1. The vulnerability exists in the list_html function, which generates an HTML view of a folder's contents. This function inserts the current request path into the HTML output without proper sanitization, allowing malicious input to be reflected in the response. The request path is decoded and normalized during routing but is inserted directly into the HTML view, enabling attackers to craft URLs that inject arbitrary JavaScript code. The vulnerability requires that the root path has a subdirectory to trigger the listing page instead of a 404 Not Found page. Exploitation is possible remotely without authentication but requires user interaction to visit the malicious URL. The CVSS v3.1 score is 8.8 (high), reflecting network attack vector, low attack complexity, no privileges required, user interaction required, and a scope change with high confidentiality impact, limited integrity impact, and low availability impact. Although no known exploits are reported in the wild yet, the vulnerability poses a significant risk for web applications using affected Salvo versions. The issue has been fixed in version 0.88.1 by properly sanitizing the path input before rendering it in HTML.

For European organizations, this vulnerability can lead to the execution of arbitrary JavaScript in the context of affected web applications, potentially exposing sensitive user data such as session tokens, personal information, or enabling phishing attacks. The reflected XSS can also be leveraged to perform actions on behalf of authenticated users, leading to partial integrity compromise. Availability impact is low but possible through script-based attacks causing client-side disruptions. Organizations using Salvo in public-facing web services, especially those exposing directory listings or file views, are at risk. This can affect sectors like finance, healthcare, and government where web applications handle sensitive data. The vulnerability's ease of exploitation and high confidentiality impact make it a critical concern for maintaining trust and compliance with European data protection regulations such as GDPR.

The primary mitigation is to upgrade all Salvo framework instances to version 0.88.1 or later, where the vulnerability is patched. Additionally, organizations should audit any custom HTML rendering code that inserts user-controlled input, ensuring proper output encoding and sanitization to prevent XSS. Implement Content Security Policy (CSP) headers to reduce the impact of potential XSS attacks. Web Application Firewalls (WAFs) can be configured to detect and block suspicious request patterns targeting path parameters. Regular security testing, including automated scanning and manual code reviews focusing on input handling, should be integrated into the development lifecycle. Finally, educate developers about secure coding practices related to input validation and output encoding in web applications.