CVE-2026-28338

6.8 MEDIUM
Published: February 27, 2026 Modified: March 03, 2026
View on NVD

Description

PMD is an extensible multilanguage static code analyzer. Prior to version 7.22.0, PMD's `vbhtml` and `yahtml` report formats insert rule violation messages into HTML output without escaping. When PMD analyzes untrusted source code containing crafted string literals, the generated HTML report contains executable JavaScript that runs when opened in a browser. Practical impact is limited because `vbhtml` and `yahtml` are legacy formats rarely used in practice. The default `html` format is properly escaped and not affected. Version 7.22.0 contains a fix for the issue.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

CVSS v3.x Details

0.0 Low Medium High Critical 10.0
Vector String
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory
https://github.com/pmd/pmd/commit/c140c0e1de5853a08efb84c9f91dfeb015882442
Source: security-advisories@github.com
Patch
https://github.com/pmd/pmd/pull/6475
Source: security-advisories@github.com
Issue Tracking Patch
https://github.com/pmd/pmd/security/advisories/GHSA-8rr6-2qw5-pc7r
Source: security-advisories@github.com
Exploit Patch Vendor Advisory

3 reference(s) from NVD

Quick Stats

CVSS v3 Score
6.8 / 10.0
EPSS (Exploit Probability)
0.0%
8th percentile
Exploitation Status
Not in CISA KEV

Weaknesses (CWE)

CWE-79

Affected Vendors

pmd_project

Related CVEs

CVE-2026-4514 6.3
CVE-2026-4513 6.3
CVE-2026-4511 6.3
CVE-2026-4510 4.3
CVE-2026-4373 7.5