{"url":"http://public2.vulnerablecode.io/api/packages/973508?format=json","purl":"pkg:maven/net.sourceforge.pmd/pmd-core@6.19.0","type":"maven","namespace":"net.sourceforge.pmd","name":"pmd-core","version":"6.19.0","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"7.22.0","latest_non_vulnerable_version":"7.22.0","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/50457?format=json","vulnerability_id":"VCID-5qps-qejj-pybk","summary":"PMD Designer has Stored XSS in VBHTMLRenderer and YAHTMLRenderer via unescaped violation messages\nPMD's `vbhtml` and `yahtml` report formats insert rule violation messages into HTML output without escaping. When PMD analyzes untrusted source code containing crafted string literals, the generated HTML report contains executable JavaScript that runs when opened in a browser.\n\nWhile the default `html` format is not affected via rule violation messages (it correctly uses `StringEscapeUtils.escapeHtml4()`), it has a similar problem when rendering suppressed violations. The user supplied message (the reason for the suppression) was not escaped.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-28338","reference_id":"","reference_type":"","scores":[{"value":"0.00022","scoring_system":"epss","scoring_elements":"0.06484","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00022","scoring_system":"epss","scoring_elements":"0.06436","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00022","scoring_system":"epss","scoring_elements":"0.06428","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00022","scoring_system":"epss","scoring_elements":"0.06474","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00022","scoring_system":"epss","scoring_elements":"0.0649","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-28338"},{"reference_url":"https://github.com/pmd/pmd","reference_id":"","reference_type":"","scores":[{"value":"6.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pmd/pmd"},{"reference_url":"https://github.com/pmd/pmd/commit/c140c0e1de5853a08efb84c9f91dfeb015882442","reference_id":"","reference_type":"","scores":[{"value":"6.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-03T20:25:54Z/"}],"url":"https://github.com/pmd/pmd/commit/c140c0e1de5853a08efb84c9f91dfeb015882442"},{"reference_url":"https://github.com/pmd/pmd/pull/6475","reference_id":"","reference_type":"","scores":[{"value":"6.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-03T20:25:54Z/"}],"url":"https://github.com/pmd/pmd/pull/6475"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28338","reference_id":"CVE-2026-28338","reference_type":"","scores":[{"value":"6.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-28338"},{"reference_url":"https://github.com/advisories/GHSA-8rr6-2qw5-pc7r","reference_id":"GHSA-8rr6-2qw5-pc7r","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-8rr6-2qw5-pc7r"},{"reference_url":"https://github.com/pmd/pmd/security/advisories/GHSA-8rr6-2qw5-pc7r","reference_id":"GHSA-8rr6-2qw5-pc7r","reference_type":"","scores":[{"value":"6.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-03T20:25:54Z/"}],"url":"https://github.com/pmd/pmd/security/advisories/GHSA-8rr6-2qw5-pc7r"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/74364?format=json","purl":"pkg:maven/net.sourceforge.pmd/pmd-core@7.22.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/net.sourceforge.pmd/pmd-core@7.22.0"}],"aliases":["CVE-2026-28338","GHSA-8rr6-2qw5-pc7r"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-5qps-qejj-pybk"}],"fixing_vulnerabilities":[],"risk_score":"3.1","resource_url":"http://public2.vulnerablecode.io/packages/pkg:maven/net.sourceforge.pmd/pmd-core@6.19.0"}