
Ahmedmokhtari

#15410 of 53,640
17.6 CVSS total
Vulnerabilities · 2
High
2
PT-2026-2186
8.8
2026-01-08
Salvo · Salvo · CVE-2026-22256
**Name of the Vulnerable Software and Affected Versions**
Salvo versions prior to 0.88.1

**Description**
Salvo is a Rust web backend framework. Prior to version 0.88.1, the `list html` function generates a file view of a folder, including a render of the current path. This path is inserted into the HTML without proper sanitization, leading to a reflected Cross-Site Scripting (XSS) issue. The request path is decoded and normalized during the matching stage but is inserted raw into the HTML view (`current.path`). The issue requires the root path (e.g., /files) to have a subdirectory (e.g., styles/scripts/etc.) to trigger the list HTML page instead of a Not Found page.

**Recommendations**
Versions prior to 0.88.1 should be updated to version 0.88.1 or later.
PT-2026-2187
8.8
2026-01-08
Salvo · Salvo · CVE-2026-22257
**Name of the Vulnerable Software and Affected Versions**
Salvo versions prior to 0.88.1

**Description**
Salvo is a Rust web backend framework. The `list html` function generates a file view of a folder without sanitizing file or folder names. This can lead to Cross-Site Scripting (XSS) if a website allows access to public files and anyone can upload files. The issue is exploitable through file uploads with malicious names.

**Recommendations**
Versions prior to 0.88.1 should be updated to version 0.88.1 or later.