Description

PMD is an extensible multilanguage static code analyzer. Prior to version 7.22.0, PMD's `vbhtml` and `yahtml` report formats insert rule violation messages into HTML output without escaping. When PMD analyzes untrusted source code containing crafted string literals, the generated HTML report contains executable JavaScript that runs when opened in a browser. Practical impact is limited because `vbhtml` and `yahtml` are legacy formats rarely used in practice. The default `html` format is properly escaped and not affected. Version 7.22.0 contains a fix for the issue.

INFO

Published Date :

2026-02-27T20:28:05.739Z

Last Modified :

2026-02-27T20:28:05.739Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-28338 vulnerability.

No data.

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-28338.

URL Resource
https://github.com/pmd/pmd/commit/c140c0e1de5853a08efb84c9f91dfeb015882442 cve-icon cve-icon
https://github.com/pmd/pmd/pull/6475 cve-icon cve-icon
https://github.com/pmd/pmd/security/advisories/GHSA-8rr6-2qw5-pc7r cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact