6.8
CVE-2026-28338
- EPSS 0.3%
- Veröffentlicht 27.02.2026 20:28:05
- Zuletzt bearbeitet 03.03.2026 18:43:33
- Quelle security-advisories@github.com
- CVE-Watchlists
- Unerledigt
LoginPMD Designer has Stored XSS in VBHTMLRenderer and YAHTMLRenderer via unescaped violation messages
PMD is an extensible multilanguage static code analyzer. Prior to version 7.22.0, PMD's `vbhtml` and `yahtml` report formats insert rule violation messages into HTML output without escaping. When PMD analyzes untrusted source code containing crafted string literals, the generated HTML report contains executable JavaScript that runs when opened in a browser. Practical impact is limited because `vbhtml` and `yahtml` are legacy formats rarely used in practice. The default `html` format is properly escaped and not affected. Version 7.22.0 contains a fix for the issue.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Pmd Project ≫ Pmd Version < 7.22.0
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.3% | 0.211 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 6.1 | 2.8 | 2.7 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
| security-advisories@github.com | 6.8 | 1.6 | 5.2 |
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
|
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
https://github.com/pmd/pmd/security/advisories/GHSA-8rr6-2qw5-pc7r
https://github.com/pmd/pmd/pull/6475
https://github.com/pmd/pmd/commit/c140c0e1de5853a08efb84c9f91dfeb015882442