CVE-2026-28338: PMD Designer has Stored XSS in VBHTMLRenderer and YAHTMLRenderer via unescaped violation messages

February 28, 2026

PMD’s vbhtml and yahtml report formats insert rule violation messages into HTML output without escaping. When PMD analyzes untrusted source code containing crafted string literals, the generated HTML report contains executable JavaScript that runs when opened in a browser.

While the default html format is not affected via rule violation messages (it correctly uses StringEscapeUtils.escapeHtml4()), it has a similar problem when rendering suppressed violations. The user supplied message (the reason for the suppression) was not escaped.

References

github.com/advisories/GHSA-8rr6-2qw5-pc7r
github.com/pmd/pmd
github.com/pmd/pmd/commit/c140c0e1de5853a08efb84c9f91dfeb015882442
github.com/pmd/pmd/pull/6475
github.com/pmd/pmd/security/advisories/GHSA-8rr6-2qw5-pc7r
nvd.nist.gov/vuln/detail/CVE-2026-28338

Code Behaviors & Features

Detect and mitigate CVE-2026-28338 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →