PT-2026-22398 · Pmd · Pmd

Smaranchand · Published 2026-02-27 · Updated 2026-02-28 · CVE-2026-28338

CVSS v3.1: 6.8 (Medium)
Vector: AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: PMD versions prior to 7.22.0

Description: PMD, a static code analyzer, contains a flaw where its vbhtml and yahtml report formats do not properly escape characters when inserting rule violation messages into HTML output. Analyzing untrusted source code containing crafted string literals can therefore produce an HTML report that carries executable JavaScript, which runs when the report is opened in a web browser. The default html format is not affected. The practical impact is limited, as vbhtml and yahtml are legacy formats that are rarely used.

Recommendations: Update to PMD version 7.22.0 or later.

Exploit · Fix · XSS


Weakness Enumeration

Related Identifiers

CVE-2026-28338
GHSA-8RR6-2QW5-PC7R

Affected Products

Pmd