CVE-2026-28338

low-risk

Published 2026-02-27

PMD is an extensible multilanguage static code analyzer. Prior to version 7.22.0, PMD's `vbhtml` and `yahtml` report formats insert rule violation messages into HTML output without escaping. When PMD analyzes untrusted source code containing crafted string literals, the generated HTML report contains executable JavaScript that runs when opened in a browser. Practical impact is limited because `vbhtml` and `yahtml` are legacy formats rarely used in practice. The default `html` format is properly escaped and not affected. Version 7.22.0 contains a fix for the issue.

Do I need to act?

0.02% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 6.8/10 Medium

NETWORK / HIGH complexity

Affected Products (1)

Pmd

Affected Vendors

Pmd Project

References (3)

Patch https://github.com/pmd/pmd/commit/c140c0e1de5853a08efb84c9f91dfeb015882442

Issue Tracking https://github.com/pmd/pmd/pull/6475

Exploit https://github.com/pmd/pmd/security/advisories/GHSA-8rr6-2qw5-pc7r

/ 100

low-risk

Severity 21/34 · High

Exploitability 0/34 · Minimal

Exposure 5/34 · Minimal