The Salvo Rust web framework has two high-severity CVEs this period: CVE-2026-33241 (CVSS 7.5) allows unauthenticated denial of service via oversized HTTP requests that exhaust heap memory in the form_data() method and Extractible derive macro, and CVE-2026-33242 (CVSS 7.5) is a path traversal and access control bypass in the salvo-proxy component allowing ‘../’ sequences to reach protected upstream endpoints including administrative interfaces. Both are fixed in Salvo 0.89.3. Actions: update Cargo.toml to salvo 0.89.3 and rebuild all affected services; for CVE-2026-33242 deploy an upstream WAF to reject traversal sequences as an interim control if patching cannot begin immediately.