Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-5qps-qejj-pybk
Vulnerability ID VCID-5qps-qejj-pybk
Aliases CVE-2026-28338
GHSA-8rr6-2qw5-pc7r
Summary PMD Designer has Stored XSS in VBHTMLRenderer and YAHTMLRenderer via unescaped violation messages PMD's `vbhtml` and `yahtml` report formats insert rule violation messages into HTML output without escaping. When PMD analyzes untrusted source code containing crafted string literals, the generated HTML report contains executable JavaScript that runs when opened in a browser. While the default `html` format is not affected via rule violation messages (it correctly uses `StringEscapeUtils.escapeHtml4()`), it has a similar problem when rendering suppressed violations. The user supplied message (the reason for the suppression) was not escaped.
Status Published
Exploitability None
Weighted Severity None
Risk None
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
epss 0.00022 https://api.first.org/data/v1/epss?cve=CVE-2026-28338
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-8rr6-2qw5-pc7r
cvssv3.1 6.8 https://github.com/pmd/pmd
generic_textual MODERATE https://github.com/pmd/pmd
cvssv3.1 6.8 https://github.com/pmd/pmd/commit/c140c0e1de5853a08efb84c9f91dfeb015882442
generic_textual MODERATE https://github.com/pmd/pmd/commit/c140c0e1de5853a08efb84c9f91dfeb015882442
ssvc Track https://github.com/pmd/pmd/commit/c140c0e1de5853a08efb84c9f91dfeb015882442
cvssv3.1 6.8 https://github.com/pmd/pmd/pull/6475
generic_textual MODERATE https://github.com/pmd/pmd/pull/6475
ssvc Track https://github.com/pmd/pmd/pull/6475
cvssv3.1 6.8 https://github.com/pmd/pmd/security/advisories/GHSA-8rr6-2qw5-pc7r
cvssv3.1_qr MODERATE https://github.com/pmd/pmd/security/advisories/GHSA-8rr6-2qw5-pc7r
generic_textual MODERATE https://github.com/pmd/pmd/security/advisories/GHSA-8rr6-2qw5-pc7r
ssvc Track https://github.com/pmd/pmd/security/advisories/GHSA-8rr6-2qw5-pc7r
cvssv3.1 6.8 https://nvd.nist.gov/vuln/detail/CVE-2026-28338
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2026-28338
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2026-28338
https://github.com/pmd/pmd
https://github.com/pmd/pmd/commit/c140c0e1de5853a08efb84c9f91dfeb015882442
https://github.com/pmd/pmd/pull/6475
CVE-2026-28338 https://nvd.nist.gov/vuln/detail/CVE-2026-28338
GHSA-8rr6-2qw5-pc7r https://github.com/advisories/GHSA-8rr6-2qw5-pc7r
GHSA-8rr6-2qw5-pc7r https://github.com/pmd/pmd/security/advisories/GHSA-8rr6-2qw5-pc7r
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N Found at https://github.com/pmd/pmd
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N Found at https://github.com/pmd/pmd/commit/c140c0e1de5853a08efb84c9f91dfeb015882442
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-03T20:25:54Z/ Found at https://github.com/pmd/pmd/commit/c140c0e1de5853a08efb84c9f91dfeb015882442
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N Found at https://github.com/pmd/pmd/pull/6475
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-03T20:25:54Z/ Found at https://github.com/pmd/pmd/pull/6475
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N Found at https://github.com/pmd/pmd/security/advisories/GHSA-8rr6-2qw5-pc7r
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-03T20:25:54Z/ Found at https://github.com/pmd/pmd/security/advisories/GHSA-8rr6-2qw5-pc7r
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2026-28338
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.0649
EPSS Score 0.00022
Published At June 5, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-02T04:51:00.409051+00:00 GitLab Importer Import https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/net.sourceforge.pmd/pmd-core/CVE-2026-28338.yml 38.6.0