Vulnerability Description
PMD is an extensible multilanguage static code analyzer. Prior to version 7.22.0, PMD's `vbhtml` and `yahtml` report formats insert rule violation messages into HTML output without escaping. When PMD analyzes untrusted source code containing crafted string literals, the generated HTML report contains executable JavaScript that runs when opened in a browser. Practical impact is limited because `vbhtml` and `yahtml` are legacy formats rarely used in practice. The default `html` format is properly escaped and not affected. Version 7.22.0 contains a fix for the issue.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Pmd Project | Pmd | < 7.22.0 |
Related Weaknesses (CWE)
References
- https://github.com/pmd/pmd/commit/c140c0e1de5853a08efb84c9f91dfeb015882442Patch
- https://github.com/pmd/pmd/pull/6475Issue TrackingPatch
- https://github.com/pmd/pmd/security/advisories/GHSA-8rr6-2qw5-pc7rExploitPatchVendor Advisory
FAQ
What is CVE-2026-28338?
CVE-2026-28338 is a vulnerability with a CVSS score of 6.8 (MEDIUM). PMD is an extensible multilanguage static code analyzer. Prior to version 7.22.0, PMD's `vbhtml` and `yahtml` report formats insert rule violation messages into HTML output without escaping. When PMD ...
How severe is CVE-2026-28338?
CVE-2026-28338 has been rated MEDIUM with a CVSS base score of 6.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-28338?
Check the references section above for vendor advisories and patch information. Affected products include: Pmd Project Pmd.