PMD is an extensible multilanguage static code analyzer. Prior to version 7.22.0, PMD's `vbhtml` and `yahtml` report formats insert rule violation messages into HTML output without escaping. When PMD analyzes untrusted source code containing crafted string literals, the generated HTML report contains executable JavaScript that runs when opened in a browser. Practical impact is limited because `vbhtml` and `yahtml` are legacy formats rarely used in practice. The default `html` format is properly escaped and not affected. Version 7.22.0 contains a fix for the issue.
PUBLISHED5.2CWE-79
PMD Designer has Stored XSS in VBHTMLRenderer and YAHTMLRenderer via unescaped violation messages
Problem type
Affected products
pmd
pmd
< 7.22.0 - AFFECTED
References
https://github.com/pmd/pmd/security/advisories/GHSA-8rr6-2qw5-pc7r
https://github.com/pmd/pmd/security/advisories/GHSA-8rr6-2qw5-pc7r
https://github.com/pmd/pmd/pull/6475
https://github.com/pmd/pmd/pull/6475
https://github.com/pmd/pmd/commit/c140c0e1de5853a08efb84c9f91dfeb015882442
https://github.com/pmd/pmd/commit/c140c0e1de5853a08efb84c9f91dfeb015882442
GitHub Security Advisories
GHSA-8rr6-2qw5-pc7r
PMD Designer has Stored XSS in VBHTMLRenderer and YAHTMLRenderer via unescaped violation messages
https://github.com/advisories/GHSA-8rr6-2qw5-pc7rSummary
PMD's vbhtml and yahtml report formats insert rule violation messages into HTML output without escaping. When PMD analyzes untrusted source code containing crafted string literals, the generated HTML report contains executable JavaScript that runs when opened in a browser.
While the default html format is not affected via rule violation messages (it correctly uses StringEscapeUtils.escapeHtml4()), it has a similar problem when rendering suppressed violations. The user supplied message (the reason for the suppression) was not escaped.
Details
VBHTMLRenderer.java line 71 appends rv.getDescription() directly into HTML:
sb.append("<td><font class=body>").append(rv.getDescription()).append("</font></td>");
YAHTMLRenderer.java lines 196–203 does the same via renderViolationRow():
private String renderViolationRow(String name, String value) {
return "<tr><td><b>" + name + "</b></td>" + "<td>" + value + "</td></tr>";
}
Called at line 172:
out.print(renderViolationRow("Description:", violation.getDescription()));
The violation message originates from AvoidDuplicateLiteralsRule.java line 91, which embeds raw string literal values via first.toPrintableString(). This calls StringUtil.escapeJava() (line 476–480), which is a Java source escaper — it passes <, >, and & through unchanged because they are printable ASCII (0x20–0x7e).
By contrast, HTMLRenderer.java line 143 properly escapes:
String d = StringEscapeUtils.escapeHtml4(rv.getDescription());
PoC
- Create a Java file with 4+ duplicate string literals containing an HTML payload:
public class Exploit {
String a = "<img src=x onerror=alert(document.domain)>";
String b = "<img src=x onerror=alert(document.domain)>";
String c = "<img src=x onerror=alert(document.domain)>";
String d = "<img src=x onerror=alert(document.domain)>";
}
- Run PMD with the
vbhtmlformat:
pmd check -R category/java/errorprone.xml -f vbhtml -d Exploit.java -r report.html
- Open
report.htmlin a browser. A JavaScript alert executes showingdocument.domain.
The generated HTML contains the unescaped tag:
<td><font class=body>The String literal "<img src=x onerror=alert(document.domain)>" appears 4 times in this file</font></td>
Tested and confirmed on PMD 7.22.0-SNAPSHOT (commit bcc646c53d).
Impact
Stored cross-site scripting (XSS). Affects CI/CD pipelines that run PMD with --format vbhtml or --format yahtml on untrusted source code (e.g., pull requests from external contributors) and expose the HTML report as a build artifact. JavaScript executes in the browser context of anyone who opens the report.
Practical impact is limited because vbhtml and yahtml are legacy formats rarely used in practice. The default html format has a similar issue with user messages from suppressed violations.
Fixes
- See #6475: [core] Fix stored XSS in VBHTMLRenderer and YAHTMLRenderer
github.com
https://github.com/pmd/pmd/security/advisories/GHSA-8rr6-2qw5-pc7r
nvd.nist.gov
https://nvd.nist.gov/vuln/detail/CVE-2026-28338
github.com
https://github.com/pmd/pmd/pull/6475
github.com
https://github.com/pmd/pmd/commit/c140c0e1de5853a08efb84c9f91dfeb015882442
github.com
https://github.com/advisories/GHSA-8rr6-2qw5-pc7r
JSON source
https://cveawg.mitre.org/api/cve/CVE-2026-28338Click to expand
{
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"cveMetadata": {
"cveId": "CVE-2026-28338",
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"dateUpdated": "2026-02-27T20:28:05.739Z",
"dateReserved": "2026-02-26T18:38:13.889Z",
"datePublished": "2026-02-27T20:28:05.739Z",
"state": "PUBLISHED"
},
"containers": {
"cna": {
"providerMetadata": {
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M",
"dateUpdated": "2026-02-27T20:28:05.739Z"
},
"title": "PMD Designer has Stored XSS in VBHTMLRenderer and YAHTMLRenderer via unescaped violation messages",
"descriptions": [
{
"lang": "en",
"value": "PMD is an extensible multilanguage static code analyzer. Prior to version 7.22.0, PMD's `vbhtml` and `yahtml` report formats insert rule violation messages into HTML output without escaping. When PMD analyzes untrusted source code containing crafted string literals, the generated HTML report contains executable JavaScript that runs when opened in a browser. Practical impact is limited because `vbhtml` and `yahtml` are legacy formats rarely used in practice. The default `html` format is properly escaped and not affected. Version 7.22.0 contains a fix for the issue."
}
],
"affected": [
{
"vendor": "pmd",
"product": "pmd",
"versions": [
{
"version": "< 7.22.0",
"status": "affected"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"lang": "en",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
"cweId": "CWE-79",
"type": "CWE"
}
]
}
],
"references": [
{
"url": "https://github.com/pmd/pmd/security/advisories/GHSA-8rr6-2qw5-pc7r",
"name": "https://github.com/pmd/pmd/security/advisories/GHSA-8rr6-2qw5-pc7r",
"tags": [
"x_refsource_CONFIRM"
]
},
{
"url": "https://github.com/pmd/pmd/pull/6475",
"name": "https://github.com/pmd/pmd/pull/6475",
"tags": [
"x_refsource_MISC"
]
},
{
"url": "https://github.com/pmd/pmd/commit/c140c0e1de5853a08efb84c9f91dfeb015882442",
"name": "https://github.com/pmd/pmd/commit/c140c0e1de5853a08efb84c9f91dfeb015882442",
"tags": [
"x_refsource_MISC"
]
}
],
"metrics": [
{
"cvssV3_1": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N",
"attackVector": "NETWORK",
"attackComplexity": "HIGH",
"privilegesRequired": "NONE",
"userInteraction": "REQUIRED",
"scope": "UNCHANGED",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM"
}
}
]
}
}
}