CVE-2026-28338
- Source
- https://cve.org/CVERecord?id=CVE-2026-28338
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-28338.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2026-28338
- Aliases
- Published
- 2026-02-27T20:28:05.739Z
- Modified
- 2026-04-02T13:32:46.221733Z
- Severity
-
- 6.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N CVSS Calculator
- Summary
- PMD Designer has Stored XSS in VBHTMLRenderer and YAHTMLRenderer via unescaped violation messages
- Details
-
PMD is an extensible multilanguage static code analyzer. Prior to version 7.22.0, PMD's
vbhtmlandyahtmlreport formats insert rule violation messages into HTML output without escaping. When PMD analyzes untrusted source code containing crafted string literals, the generated HTML report contains executable JavaScript that runs when opened in a browser. Practical impact is limited becausevbhtmlandyahtmlare legacy formats rarely used in practice. The defaulthtmlformat is properly escaped and not affected. Version 7.22.0 contains a fix for the issue. - Database specific
{ "cwe_ids": [ "CWE-79" ], "cna_assigner": "GitHub_M", "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/28xxx/CVE-2026-28338.json" }- References
-
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/28xxx/CVE-2026-28338.json
- https://github.com/pmd/pmd/security/advisories/GHSA-8rr6-2qw5-pc7r
- https://nvd.nist.gov/vuln/detail/CVE-2026-28338
- https://github.com/pmd/pmd/commit/c140c0e1de5853a08efb84c9f91dfeb015882442
- https://github.com/pmd/pmd/pull/6475
Affected packages
Git / github.com/pmd/pmd
Affected ranges
- Type
- GIT
- Repo
- https://github.com/pmd/pmd
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Affected versions
6.*
6.21.0-with-designer
pmd-build/0.*
pmd-build/0.7
pmd-build/0.8
pmd-build/0.9
pmd-eclipse-plugin/4.*
pmd-eclipse-plugin/4.0.0.v20130510-1000
pmd-eclipse-plugin/4.0.1.v20130811-0001
pmd-eclipse-plugin/4.0.2.v20131031-1124
pmd_releases/4.*
pmd_releases/4.3
pmd_releases/5.*
pmd_releases/5.0.0
pmd_releases/5.0.1
pmd_releases/5.0.2
pmd_releases/5.0.3
pmd_releases/5.0.4
pmd_releases/5.0.5
pmd_releases/5.1.0
pmd_releases/5.1.1
pmd_releases/5.1.2
pmd_releases/5.1.3
pmd_releases/5.2.0
pmd_releases/5.2.1
pmd_releases/5.2.2
pmd_releases/5.2.3
pmd_releases/5.3.0
pmd_releases/5.3.1
pmd_releases/5.3.2
pmd_releases/5.3.3
pmd_releases/5.3.4
pmd_releases/5.3.5
pmd_releases/5.3.6
pmd_releases/5.3.7
pmd_releases/5.3.8
pmd_releases/5.4.0
pmd_releases/5.4.1
pmd_releases/5.4.2
pmd_releases/5.4.3
pmd_releases/5.4.4
pmd_releases/5.4.5
pmd_releases/5.4.6
pmd_releases/5.5.0
pmd_releases/5.5.1
pmd_releases/5.5.2
pmd_releases/5.5.3
pmd_releases/5.5.4
pmd_releases/5.5.5
pmd_releases/5.5.6
pmd_releases/5.5.7
pmd_releases/5.6.0
pmd_releases/5.6.1
pmd_releases/5.7.0
pmd_releases/5.8.0
pmd_releases/5.8.1
pmd_releases/6.*
pmd_releases/6.0.0
pmd_releases/6.0.1
pmd_releases/6.1.0
pmd_releases/6.10.0
pmd_releases/6.11.0
pmd_releases/6.12.0
pmd_releases/6.13.0
pmd_releases/6.14.0
pmd_releases/6.15.0
pmd_releases/6.16.0
pmd_releases/6.17.0
pmd_releases/6.18.0
pmd_releases/6.19.0
pmd_releases/6.2.0
pmd_releases/6.20.0
pmd_releases/6.21.0
pmd_releases/6.22.0
pmd_releases/6.23.0
pmd_releases/6.24.0
pmd_releases/6.25.0
pmd_releases/6.26.0
pmd_releases/6.27.0
pmd_releases/6.28.0
pmd_releases/6.29.0
pmd_releases/6.3.0
pmd_releases/6.30.0
pmd_releases/6.31.0
pmd_releases/6.32.0
pmd_releases/6.33.0
pmd_releases/6.34.0
pmd_releases/6.35.0
pmd_releases/6.36.0
pmd_releases/6.37.0
pmd_releases/6.38.0
pmd_releases/6.39.0
pmd_releases/6.4.0
pmd_releases/6.40.0
pmd_releases/6.41.0
pmd_releases/6.42.0
pmd_releases/6.43.0
pmd_releases/6.44.0
pmd_releases/6.45.0
pmd_releases/6.46.0
pmd_releases/6.47.0
pmd_releases/6.48.0
pmd_releases/6.49.0
pmd_releases/6.5.0
pmd_releases/6.50.0
pmd_releases/6.51.0
pmd_releases/6.52.0
pmd_releases/6.53.0
pmd_releases/6.54.0
pmd_releases/6.55.0
pmd_releases/6.6.0
pmd_releases/6.7.0
pmd_releases/6.8.0
pmd_releases/6.9.0
pmd_releases/7.*
pmd_releases/7.0.0
pmd_releases/7.0.0-rc1
pmd_releases/7.0.0-rc2
pmd_releases/7.0.0-rc3
pmd_releases/7.0.0-rc4
pmd_releases/7.0.0-rc4-dist
pmd_releases/7.0.0-rc4-pmd-compat6
pmd_releases/7.0.0-rc4-pmd-compat6+with-pr4749
pmd_releases/7.1.0
pmd_releases/7.10.0
pmd_releases/7.11.0
pmd_releases/7.12.0
pmd_releases/7.13.0
pmd_releases/7.14.0
pmd_releases/7.15.0
pmd_releases/7.16.0
pmd_releases/7.17.0
pmd_releases/7.18.0
pmd_releases/7.19.0
pmd_releases/7.2.0
pmd_releases/7.20.0
pmd_releases/7.21.0
pmd_releases/7.3.0
pmd_releases/7.4.0
pmd_releases/7.5.0
pmd_releases/7.6.0
pmd_releases/7.7.0
pmd_releases/7.8.0
pmd_releases/7.9.0