CVE-2026-28338

MEDIUM SEVERITY

CVSS Score & Metrics

Base Score

6.8 / 10

Vector String

                                        CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N                                    

Vulnerability Description

PMD is an extensible multilanguage static code analyzer. Prior to version 7.22.0, PMD's `vbhtml` and `yahtml` report formats insert rule violation messages into HTML output without escaping. When PMD analyzes untrusted source code containing crafted string literals, the generated HTML report contains executable JavaScript that runs when opened in a browser. Practical impact is limited because `vbhtml` and `yahtml` are legacy formats rarely used in practice. The default `html` format is properly escaped and not affected. Version 7.22.0 contains a fix for the issue.

Vulnerability Details

Published Date

February 27, 2026

Last Modified

February 28, 2026

CWE ID

CWE-79

Source

NVD

Vendor

pmd

Product

pmd

External References

https://github.com/pmd/pmd/commit/c140c0e1de5853a08efb84c9f91dfeb015882442
https://github.com/pmd/pmd/pull/6475
https://github.com/pmd/pmd/security/advisories/GHSA-8rr6-2qw5-pc7r

CVE-2026-28338

CVSS Score & Metrics

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment