Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
4 vulnerabilities by salvo
CVE-2026-33241 (GCVE-0-2026-33241)
Vulnerability from cvelistv5 – Published: 2026-03-23 23:41 – Updated: 2026-03-25 19:22
VLAI
Title
Salvo Affected by Denial of Service via Unbounded Memory Allocation in Form Data Parsing
Summary
Salvo is a Rust web framework. Prior to version 0.89.3, Salvo's form data parsing implementations (`form_data()` method and `Extractible` macro) do not enforce payload size limits before reading request bodies into memory. This allows attackers to cause Out-of-Memory (OOM) conditions by sending extremely large payloads, leading to service crashes and denial of service. Version 0.89.3 contains a patch.
Severity
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-770 - Allocation of Resources Without Limits or Throttling
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/salvo-rs/salvo/security/adviso… | x_refsource_CONFIRM |
| https://github.com/salvo-rs/salvo/releases/tag/v0.89.3 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-33241",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-25T19:22:09.920768Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-25T19:22:48.083Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "salvo",
"vendor": "salvo-rs",
"versions": [
{
"status": "affected",
"version": "\u003c 0.89.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Salvo is a Rust web framework. Prior to version 0.89.3, Salvo\u0027s form data parsing implementations (`form_data()` method and `Extractible` macro) do not enforce payload size limits before reading request bodies into memory. This allows attackers to cause Out-of-Memory (OOM) conditions by sending extremely large payloads, leading to service crashes and denial of service. Version 0.89.3 contains a patch."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770: Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-23T23:41:50.533Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/salvo-rs/salvo/security/advisories/GHSA-pp9r-xg4c-8j4x",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/salvo-rs/salvo/security/advisories/GHSA-pp9r-xg4c-8j4x"
},
{
"name": "https://github.com/salvo-rs/salvo/releases/tag/v0.89.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/salvo-rs/salvo/releases/tag/v0.89.3"
}
],
"source": {
"advisory": "GHSA-pp9r-xg4c-8j4x",
"discovery": "UNKNOWN"
},
"title": "Salvo Affected by Denial of Service via Unbounded Memory Allocation in Form Data Parsing"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-33241",
"datePublished": "2026-03-23T23:41:50.533Z",
"dateReserved": "2026-03-18T02:42:27.508Z",
"dateUpdated": "2026-03-25T19:22:48.083Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-33242 (GCVE-0-2026-33242)
Vulnerability from cvelistv5 – Published: 2026-03-23 23:40 – Updated: 2026-03-24 15:12
VLAI
Title
Salvo has a Path Traversal in salvo-proxy::encode_url_path allows API Gateway Bypass
Summary
Salvo is a Rust web framework. Versions 0.39.0 through 0.89.2 have a Path Traversal and Access Control Bypass vulnerability in the salvo-proxy component. The vulnerability allows an unauthenticated external attacker to bypass proxy routing constraints and access unintended backend paths (e.g., protected endpoints or administrative dashboards). This issue stems from the encode_url_path function, which fails to normalize "../" sequences and inadvertently forwards them verbatim to the upstream server by not re-encoding the "." character. Version 0.89.3 contains a patch.
Severity
7.5 (High)
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/salvo-rs/salvo/security/adviso… | x_refsource_CONFIRM |
| https://github.com/salvo-rs/salvo/commit/7bac30e6… | x_refsource_MISC |
| https://github.com/salvo-rs/salvo/releases/tag/v0.89.3 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-33242",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-24T14:13:09.802021Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-24T15:12:45.439Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/salvo-rs/salvo/security/advisories/GHSA-f842-phm9-p4v4"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "salvo",
"vendor": "salvo-rs",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.39.0, \u003c 0.89.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Salvo is a Rust web framework. Versions 0.39.0 through 0.89.2 have a Path Traversal and Access Control Bypass vulnerability in the salvo-proxy component. The vulnerability allows an unauthenticated external attacker to bypass proxy routing constraints and access unintended backend paths (e.g., protected endpoints or administrative dashboards). This issue stems from the encode_url_path function, which fails to normalize \"../\" sequences and inadvertently forwards them verbatim to the upstream server by not re-encoding the \".\" character. Version 0.89.3 contains a patch."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-23T23:40:39.886Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/salvo-rs/salvo/security/advisories/GHSA-f842-phm9-p4v4",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/salvo-rs/salvo/security/advisories/GHSA-f842-phm9-p4v4"
},
{
"name": "https://github.com/salvo-rs/salvo/commit/7bac30e6960355c58e358e402072d4a3e5c4e1bb#diff-e319bf7afcb577f7e9f4fb767005072f6335d23f306dd52e8c94f3d222610d02R20",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/salvo-rs/salvo/commit/7bac30e6960355c58e358e402072d4a3e5c4e1bb#diff-e319bf7afcb577f7e9f4fb767005072f6335d23f306dd52e8c94f3d222610d02R20"
},
{
"name": "https://github.com/salvo-rs/salvo/releases/tag/v0.89.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/salvo-rs/salvo/releases/tag/v0.89.3"
}
],
"source": {
"advisory": "GHSA-f842-phm9-p4v4",
"discovery": "UNKNOWN"
},
"title": "Salvo has a Path Traversal in salvo-proxy::encode_url_path allows API Gateway Bypass"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-33242",
"datePublished": "2026-03-23T23:40:39.886Z",
"dateReserved": "2026-03-18T02:42:27.508Z",
"dateUpdated": "2026-03-24T15:12:45.439Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-22257 (GCVE-0-2026-22257)
Vulnerability from cvelistv5 – Published: 2026-01-08 18:22 – Updated: 2026-01-08 18:38
VLAI
Title
Salvo is vulnerable to stored XSS in the list_html function by uploading files with malicious names
Summary
Salvo is a Rust web backend framework. Prior to version 0.88.1, the function list_html generates a file view of a folder without sanitizing the files or folders names, this may potentially lead to XSS in cases where a website allow the access to public files using this feature and anyone can upload a file. This issue has been patched in version 0.88.1.
Severity
8.8 (High)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/salvo-rs/salvo/security/adviso… | x_refsource_CONFIRM |
| https://github.com/salvo-rs/salvo/blob/16efeba312… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-22257",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-08T18:37:08.251260Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-08T18:38:12.920Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "salvo",
"vendor": "salvo-rs",
"versions": [
{
"status": "affected",
"version": "\u003c 0.88.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Salvo is a Rust web backend framework. Prior to version 0.88.1, the function list_html generates a file view of a folder without sanitizing the files or folders names, this may potentially lead to XSS in cases where a website allow the access to public files using this feature and anyone can upload a file. This issue has been patched in version 0.88.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-08T18:22:05.661Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/salvo-rs/salvo/security/advisories/GHSA-54m3-5fxr-2f3j",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/salvo-rs/salvo/security/advisories/GHSA-54m3-5fxr-2f3j"
},
{
"name": "https://github.com/salvo-rs/salvo/blob/16efeba312a274739606ce76366d921768628654/crates/serve-static/src/dir.rs#L581",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/salvo-rs/salvo/blob/16efeba312a274739606ce76366d921768628654/crates/serve-static/src/dir.rs#L581"
}
],
"source": {
"advisory": "GHSA-54m3-5fxr-2f3j",
"discovery": "UNKNOWN"
},
"title": "Salvo is vulnerable to stored XSS in the list_html function by uploading files with malicious names"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-22257",
"datePublished": "2026-01-08T18:22:05.661Z",
"dateReserved": "2026-01-07T05:19:12.922Z",
"dateUpdated": "2026-01-08T18:38:12.920Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-22256 (GCVE-0-2026-22256)
Vulnerability from cvelistv5 – Published: 2026-01-08 18:21 – Updated: 2026-01-08 18:39
VLAI
Title
Salvo is vulnerable to reflected XSS in the list_html function
Summary
Salvo is a Rust web backend framework. Prior to version 0.88.1, the function list_html generate an file view of a folder which include a render of the current path, in which its inserted in the HTML without proper sanitation, this leads to reflected XSS using the fact that request path is decoded and normalized in the matching stage but not is inserted raw in the html view (current.path), the only constraint here is for the root path (eg. /files in the PoC example) to have a sub directory (e.g common ones styles/scripts/etc…) so that the matching return the list HTML page instead of the Not Found page. This issue has been patched in version 0.88.1.
Severity
8.8 (High)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/salvo-rs/salvo/security/adviso… | x_refsource_CONFIRM |
| https://github.com/salvo-rs/salvo/blob/16efeba312… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-22256",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-08T18:39:24.943801Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-08T18:39:58.946Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "salvo",
"vendor": "salvo-rs",
"versions": [
{
"status": "affected",
"version": "\u003c 0.88.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Salvo is a Rust web backend framework. Prior to version 0.88.1, the function list_html generate an file view of a folder which include a render of the current path, in which its inserted in the HTML without proper sanitation, this leads to reflected XSS using the fact that request path is decoded and normalized in the matching stage but not is inserted raw in the html view (current.path), the only constraint here is for the root path (eg. /files in the PoC example) to have a sub directory (e.g common ones styles/scripts/etc\u2026) so that the matching return the list HTML page instead of the Not Found page. This issue has been patched in version 0.88.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-08T18:21:57.861Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/salvo-rs/salvo/security/advisories/GHSA-rjf8-2wcw-f6mp",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/salvo-rs/salvo/security/advisories/GHSA-rjf8-2wcw-f6mp"
},
{
"name": "https://github.com/salvo-rs/salvo/blob/16efeba312a274739606ce76366d921768628654/crates/serve-static/src/dir.rs#L593",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/salvo-rs/salvo/blob/16efeba312a274739606ce76366d921768628654/crates/serve-static/src/dir.rs#L593"
}
],
"source": {
"advisory": "GHSA-rjf8-2wcw-f6mp",
"discovery": "UNKNOWN"
},
"title": "Salvo is vulnerable to reflected XSS in the list_html function"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-22256",
"datePublished": "2026-01-08T18:21:57.861Z",
"dateReserved": "2026-01-07T05:19:12.922Z",
"dateUpdated": "2026-01-08T18:39:58.946Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}