crates.io package
salvo
pkg:cargo/salvo
Vulnerabilities (4)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-33241 | — | | | < 0.89.3 | 0.89.3 | Mar 23, 2026 | Salvo is a Rust web framework. Prior to version 0.89.3, Salvo's form data parsing implementations (`form_data()` method and `Extractible` macro) do not enforce payload size limits before reading request bodies into memory. This allows attackers to cause Out-of-Memory (OOM) condit |
| CVE-2026-33242 | — | | | >= 0.39.0, < 0.89.3 | 0.89.3 | Mar 23, 2026 | Salvo is a Rust web framework. Versions 0.39.0 through 0.89.2 have a Path Traversal and Access Control Bypass vulnerability in the salvo-proxy component. The vulnerability allows an unauthenticated external attacker to bypass proxy routing constraints and access unintended backen |
| CVE-2026-22257 | — | | | < 0.88.1 | 0.88.1 | Jan 8, 2026 | Salvo is a Rust web backend framework. Prior to version 0.88.1, the function `list_html` generates a file view of a folder without sanitizing file or folder names; this may potentially lead to XSS in cases where a website allows access to public files using this feature an |
| CVE-2026-22256 | — | | | < 0.88.1 | 0.88.1 | Jan 8, 2026 | Salvo is a Rust web backend framework. Prior to version 0.88.1, the function `list_html` generates a file view of a folder that includes a render of the current path, which is inserted into the HTML without proper sanitization; this leads to reflected XSS using the fact that reques |