CVE-2026-28338
MEDIUM 6.8
Description
PMD is an extensible multilanguage static code analyzer. Prior to version 7.22.0, PMD's `vbhtml` and `yahtml` report formats insert rule violation messages into HTML output without escaping. When PMD analyzes untrusted source code containing crafted string literals, the generated HTML report contains executable JavaScript that runs when opened in a browser. Practical impact is limited because `vbhtml` and `yahtml` are legacy formats rarely used in practice. The default `html` format is properly escaped and not affected. Version 7.22.0 contains a fix for the issue.
CVE details
CVSS v3.1 score: 6.8
Severity: MEDIUM
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
Attack vector: NETWORK
Attack complexity: HIGH
Privileges required: NONE
User interaction: REQUIRED
Published: 2/27/2026
Last modified: 3/3/2026
Source: nvd
Honeypot sightings: 0
Affected products
pmd_project:pmd
Weaknesses (CWE)
CWE-79
References
https://github.com/pmd/pmd/commit/c140c0e1de5853a08efb84c9f91dfeb015882442 (security-advisories@github.com)
https://github.com/pmd/pmd/pull/6475 (security-advisories@github.com)
https://github.com/pmd/pmd/security/advisories/GHSA-8rr6-2qw5-pc7r (security-advisories@github.com)
IOC correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.