CVE-2026-22257: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in salvo-rs salvo
Salvo is a Rust web backend framework. Prior to version 0.88.1, the function list_html generates a file view of a folder without sanitizing the file or folder names; this may potentially lead to XSS in cases where a website allows access to public files using this feature and anyone can upload a file. This issue has been patched in version 0.88.1.
AI Analysis
Technical Summary
CVE-2026-22257 is a cross-site scripting (XSS) vulnerability identified in the Rust-based web backend framework salvo, specifically affecting versions prior to 0.88.1. The vulnerability stems from the list_html function, which generates an HTML view of a folder's contents but fails to sanitize file and folder names before rendering them. This improper neutralization of input (CWE-79) allows an attacker to inject malicious scripts into the generated HTML page. If a web application uses this feature to provide public access to files and allows users to upload files, an attacker can upload a file with a crafted name containing malicious JavaScript. When other users access the folder view, the malicious script executes in their browsers, potentially stealing session tokens, redirecting users, or performing other malicious actions. The CVSS v3.1 score of 8.8 reflects the vulnerability's high impact, with network attack vector, low attack complexity, no privileges required, but requiring user interaction. The scope is changed because the vulnerability affects the confidentiality, integrity, and availability of users interacting with the affected web application. Although no known exploits are currently reported in the wild, the vulnerability is critical for any public-facing salvo-based web services that allow file uploads. The issue was addressed in salvo version 0.88.1 by properly sanitizing file and folder names before HTML generation, preventing script injection.
Potential Impact
For European organizations, this vulnerability poses a significant risk to web applications built on the salvo framework that expose file directories to public users and allow file uploads. Successful exploitation can lead to theft of sensitive user data, session hijacking, and potential spread of malware through malicious scripts. This undermines user trust and can lead to regulatory non-compliance under GDPR due to data confidentiality breaches. The partial integrity loss and availability degradation can disrupt services and cause reputational damage. Organizations in sectors with high public interaction such as e-commerce, government portals, and cloud storage providers are particularly vulnerable. The ease of exploitation without authentication and the high CVSS score indicate a strong need for immediate remediation to prevent targeted attacks or opportunistic exploitation by attackers scanning for vulnerable salvo instances.
Mitigation Recommendations
European organizations should immediately upgrade all salvo framework instances to version 0.88.1 or later to apply the official patch that sanitizes file and folder names. Additionally, implement strict input validation and sanitization on all user-supplied data, especially file names and metadata. Restrict or disable public file uploads where possible, or enforce rigorous file type and content validation to prevent malicious payloads. Employ Content Security Policy (CSP) headers to reduce the impact of potential XSS by restricting script execution sources. Monitor web application logs for unusual file upload activity and anomalous requests targeting the list_html feature. Conduct regular security audits and penetration tests focusing on XSS vulnerabilities in web interfaces. Educate developers on secure coding practices related to output encoding and input sanitization in Rust web frameworks.
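The defect class described above (a directory listing that concatenates file names into HTML without escaping) and the fix the advisory calls for (encoding names for the HTML context they land in) are shown side by side in the following added example. This is illustrative code written for this page, not salvo's own list_html implementation; the function names list_html_unescaped, list_html_escaped and contains_raw_script_tag, and the sample file names, are constructed for the demonstration.

```rust
// Added example, not salvo's own code: a minimal directory-listing renderer
// in its vulnerable and its escaped form. All names here are hypothetical.

/// Escape the five characters that can change meaning inside an HTML
/// text node or a double-quoted attribute value.
pub fn escape_html(input: &str) -> String {
    let mut out = String::with_capacity(input.len());
    for c in input.chars() {
        match c {
            '&' => out.push_str("&amp;"),
            '<' => out.push_str("&lt;"),
            '>' => out.push_str("&gt;"),
            '"' => out.push_str("&quot;"),
            '\'' => out.push_str("&#39;"),
            _ => out.push(c),
        }
    }
    out
}

/// Vulnerable shape: file names are interpolated into the markup verbatim,
/// so any markup inside a name becomes part of the page (CWE-79).
pub fn list_html_unescaped(dir: &str, names: &[&str]) -> String {
    let mut html = format!("<h1>Index of {}</h1>\n<ul>\n", dir);
    for name in names {
        html.push_str(&format!(
            "<li><a href=\"{}/{}\">{}</a></li>\n",
            dir, name, name
        ));
    }
    html.push_str("</ul>\n");
    html
}

/// Hardened shape: every untrusted value is escaped for the HTML context
/// it lands in (attribute value and text node) before concatenation.
pub fn list_html_escaped(dir: &str, names: &[&str]) -> String {
    let dir_esc = escape_html(dir);
    let mut html = format!("<h1>Index of {}</h1>\n<ul>\n", dir_esc);
    for name in names {
        let name_esc = escape_html(name);
        html.push_str(&format!(
            "<li><a href=\"{}/{}\">{}</a></li>\n",
            dir_esc, name_esc, name_esc
        ));
    }
    html.push_str("</ul>\n");
    html
}

/// Simple check usable in a unit test or a response-scanning hook: the
/// listing template never emits a <script> element, so any occurrence of
/// one in the rendered page came from unescaped input.
pub fn contains_raw_script_tag(html: &str) -> bool {
    html.to_ascii_lowercase().contains("<script")
}

fn main() {
    // Constructed sample input: one benign name and one carrying markup.
    let names = ["report.pdf", "<script>x</script>.txt"];
    println!("--- unescaped ---\n{}", list_html_unescaped("/uploads", &names));
    println!("--- escaped ---\n{}", list_html_escaped("/uploads", &names));
}
```

Running the block prints both renderings; in the unescaped one the second name appears as a live element, in the escaped one it appears as literal text. Escaping at the point of output is the fix that matters, because a file name is untrusted data regardless of whether an upload filter was applied earlier; a Content-Security-Policy header, as the recommendations above note, only limits what an injected script can do if escaping is missed.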
Affected Countries
Germany, United Kingdom, France, Netherlands, Sweden, Finland
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-01-07T05:19:12.922Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 695ffd5601d35e5d0c85d73f
Added to database: 1/8/2026, 6:54:14 PM
Last enriched: 1/8/2026, 7:08:39 PM
Last updated: 1/9/2026, 2:33:05 PM