GHSA-8rr6-2qw5-pc7r
Suggest an improvement- Source
- https://github.com/advisories/GHSA-8rr6-2qw5-pc7r
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-8rr6-2qw5-pc7r/GHSA-8rr6-2qw5-pc7r.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-8rr6-2qw5-pc7r
- Aliases
- Published
- 2026-02-28T02:49:29Z
- Modified
- 2026-02-28T06:43:32.470831Z
- Severity
-
- 6.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N CVSS Calculator
- Summary
- PMD Designer has Stored XSS in VBHTMLRenderer and YAHTMLRenderer via unescaped violation messages
- Details
-
Summary
PMD's
vbhtmlandyahtmlreport formats insert rule violation messages into HTML output without escaping. When PMD analyzes untrusted source code containing crafted string literals, the generated HTML report contains executable JavaScript that runs when opened in a browser.While the default
htmlformat is not affected via rule violation messages (it correctly usesStringEscapeUtils.escapeHtml4()), it has a similar problem when rendering suppressed violations. The user supplied message (the reason for the suppression) was not escaped.Details
VBHTMLRenderer.javaline 71 appendsrv.getDescription()directly into HTML:sb.append("<td><font class=body>").append(rv.getDescription()).append("</font></td>");YAHTMLRenderer.javalines 196–203 does the same viarenderViolationRow():private String renderViolationRow(String name, String value) { return "<tr><td><b>" + name + "</b></td>" + "<td>" + value + "</td></tr>"; }Called at line 172:
out.print(renderViolationRow("Description:", violation.getDescription()));The violation message originates from
AvoidDuplicateLiteralsRule.javaline 91, which embeds raw string literal values viafirst.toPrintableString(). This callsStringUtil.escapeJava()(line 476–480), which is a Java source escaper — it passes<,>, and&through unchanged because they are printable ASCII (0x20–0x7e).By contrast,
HTMLRenderer.javaline 143 properly escapes:String d = StringEscapeUtils.escapeHtml4(rv.getDescription());PoC
Create a Java file with 4+ duplicate string literals containing an HTML payload:
public class Exploit { String a = "<img src=x onerror=alert(document.domain)>"; String b = "<img src=x onerror=alert(document.domain)>"; String c = "<img src=x onerror=alert(document.domain)>"; String d = "<img src=x onerror=alert(document.domain)>"; }Run PMD with the
vbhtmlformat:pmd check -R category/java/errorprone.xml -f vbhtml -d Exploit.java -r report.htmlOpen
report.htmlin a browser. A JavaScript alert executes showingdocument.domain.
The generated HTML contains the unescaped tag:
<td><font class=body>The String literal "<img src=x onerror=alert(document.domain)>" appears 4 times in this file</font></td>Tested and confirmed on PMD 7.22.0-SNAPSHOT (commit bcc646c53d).
Impact
Stored cross-site scripting (XSS). Affects CI/CD pipelines that run PMD with
--format vbhtmlor--format yahtmlon untrusted source code (e.g., pull requests from external contributors) and expose the HTML report as a build artifact. JavaScript executes in the browser context of anyone who opens the report.Practical impact is limited because
vbhtmlandyahtmlare legacy formats rarely used in practice. The defaulthtmlformat has a similar issue with user messages from suppressed violations.Fixes
- See #6475: [core] Fix stored XSS in VBHTMLRenderer and YAHTMLRenderer
- Database specific
{ "nvd_published_at": "2026-02-27T21:16:19Z", "github_reviewed_at": "2026-02-28T02:49:29Z", "github_reviewed": true, "cwe_ids": [ "CWE-79" ], "severity": "MODERATE" }- References
Affected packages
Maven / net.sourceforge.pmd:pmd-core
Package
- Name
- net.sourceforge.pmd:pmd-core
- View open source insights on deps.dev
- Purl
- pkg:maven/net.sourceforge.pmd/pmd-core
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed7.22.0