Executive Summary

CVE-2026-28338 is a stored cross-site scripting (XSS) vulnerability in PMD, a static code analyzer, specifically affecting its legacy HTML report formats called vbhtml and yahtml.

These formats insert rule violation messages into HTML reports without properly escaping special characters, allowing malicious JavaScript code embedded in untrusted source code to execute when the report is viewed in a browser.

The vulnerability arises because the violation messages are embedded directly into the HTML output without escaping HTML special characters like <, >, and &.

This issue is fixed in PMD version 7.22.0 by properly escaping all dynamic content in the affected renderers.

The default html report format is not affected by this vulnerability.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows attackers to inject and execute arbitrary JavaScript code in the browser context of anyone viewing the generated HTML report.

If you use PMD with the vbhtml or yahtml report formats on untrusted source code, such as in CI/CD pipelines analyzing external contributions, malicious scripts can be stored in violation messages and executed when the report is opened.

This can lead to security risks such as theft of sensitive information, session hijacking, or other malicious actions performed by the injected script.

However, the practical impact is limited because these legacy formats are rarely used in practice.

Upgrading to PMD version 7.22.0 or later mitigates this risk by properly escaping all user-controllable content in the reports.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by checking if your PMD installation is generating reports using the legacy vbhtml or yahtml formats, which are vulnerable if the version is 7.21.0 or earlier.'}, {'type': 'paragraph', 'content': 'You can detect vulnerable reports by searching for HTML report files generated by PMD with these formats and inspecting them for unescaped JavaScript code in violation messages.'}, {'type': 'paragraph', 'content': 'A practical approach is to identify PMD runs with the following command to check the version and report format usage:'}, {'type': 'list_item', 'content': 'Check PMD version: `pmd --version`'}, {'type': 'list_item', 'content': "Search for vbhtml or yahtml report files in your build artifacts or report directories, e.g., `find . -name '*.vbhtml'` or `find . -name '*.yahtml'`"}, {'type': 'list_item', 'content': 'Manually inspect these files for suspicious unescaped HTML or JavaScript code in violation messages, for example by opening them in a text editor or using `grep` to search for script tags or event handlers like `onerror`.'}, {'type': 'paragraph', 'content': 'If you want to automate detection, you could run a command like:'}, {'type': 'list_item', 'content': "grep -E '<script|onerror|onload|javascript:' *.vbhtml *.yahtml"}, {'type': 'paragraph', 'content': 'Note that the vulnerability requires user interaction to trigger the JavaScript, so detection focuses on identifying vulnerable report files and PMD versions.'}] [1, 3]

Useful 0 Not Useful 0

Mitigation Strategies

The immediate and recommended mitigation is to upgrade PMD to version 7.22.0 or later, where the vulnerability has been fixed by properly escaping all violation messages in the vbhtml and yahtml report formats.

If upgrading immediately is not possible, avoid generating reports using the legacy vbhtml or yahtml formats, and instead use the default html format which is not affected by this vulnerability.

Additionally, restrict access to any existing vbhtml or yahtml report files generated from untrusted source code to prevent users from opening potentially malicious reports.

Review your CI/CD pipeline configurations to ensure that untrusted source code is not analyzed with vulnerable report formats or that generated reports are not publicly exposed.

Useful 0 Not Useful 0