ByteOS Network

NVD Vulnerability Details :

CVE-2026-28338

Received

Source-security-advisories@github.com

Published At-27 Feb, 2026 | 21:16

Updated At-27 Feb, 2026 | 21:16

PMD is an extensible multilanguage static code analyzer. Prior to version 7.22.0, PMD's `vbhtml` and `yahtml` report formats insert rule violation messages into HTML output without escaping. When PMD analyzes untrusted source code containing crafted string literals, the generated HTML report contains executable JavaScript that runs when opened in a browser. Practical impact is limited because `vbhtml` and `yahtml` are legacy formats rarely used in practice. The default `html` format is properly escaped and not affected. Version 7.22.0 contains a fix for the issue.

Date Added	Due Date	Vulnerability Name	Required Action
	N/A

Metrics

Type	Version	Base score	Base severity	Vector
Secondary	3.1	6.8	MEDIUM	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N

Type: Secondary

Version: 3.1

Base score: 6.8

Base severity: MEDIUM

Vector:

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N

Weaknesses

CWE ID	Type	Source
CWE-79	Primary	security-advisories@github.com

CWE ID: CWE-79

Type: Primary

Source: security-advisories@github.com

References

Hyperlink	Source	Resource
https://github.com/pmd/pmd/commit/c140c0e1de5853a08efb84c9f91dfeb015882442	security-advisories@github.com	N/A
https://github.com/pmd/pmd/pull/6475	security-advisories@github.com	N/A
https://github.com/pmd/pmd/security/advisories/GHSA-8rr6-2qw5-pc7r	security-advisories@github.com	N/A