Search for packages
| purl | pkg:maven/net.sourceforge.pmd/pmd-core@5.2.1 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-5qps-qejj-pybk
Aliases: CVE-2026-28338 GHSA-8rr6-2qw5-pc7r |
PMD Designer has Stored XSS in VBHTMLRenderer and YAHTMLRenderer via unescaped violation messages PMD's `vbhtml` and `yahtml` report formats insert rule violation messages into HTML output without escaping. When PMD analyzes untrusted source code containing crafted string literals, the generated HTML report contains executable JavaScript that runs when opened in a browser. While the default `html` format is not affected via rule violation messages (it correctly uses `StringEscapeUtils.escapeHtml4()`), it has a similar problem when rendering suppressed violations. The user supplied message (the reason for the suppression) was not escaped. |
Affected by 0 other vulnerabilities. |
|
VCID-frtg-nj69-aych
Aliases: CVE-2019-7722 GHSA-57qj-79gh-69w8 |
Improper Restriction of XML External Entity Reference PMD processes XML external entities in ruleset files it parses as part of the analysis process, allowing attackers tampering it (either by direct modification or MITM attacks when using remote rulesets) to perform information disclosure, denial of service, or request forgery attacks. |
Affected by 1 other vulnerability. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-06-06T07:06:52.857221+00:00 | GitLab Importer | Affected by | VCID-5qps-qejj-pybk | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/net.sourceforge.pmd/pmd-core/CVE-2026-28338.yml | 38.6.0 |
| 2026-06-06T02:01:45.422910+00:00 | GitLab Importer | Affected by | VCID-frtg-nj69-aych | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/net.sourceforge.pmd/pmd-core/CVE-2019-7722.yml | 38.6.0 |