GHSA-8RR6-2QW5-PC7R

Vulnerability from github – Published: 2026-02-28 02:49 – Updated: 2026-02-28 02:49
VLAI?
Summary
PMD Designer has Stored XSS in VBHTMLRenderer and YAHTMLRenderer via unescaped violation messages
Details

Summary

PMD's vbhtml and yahtml report formats insert rule violation messages into HTML output without escaping. When PMD analyzes untrusted source code containing crafted string literals, the generated HTML report contains executable JavaScript that runs when opened in a browser.

While the default html format is not affected via rule violation messages (it correctly uses StringEscapeUtils.escapeHtml4()), it has a similar problem when rendering suppressed violations. The user supplied message (the reason for the suppression) was not escaped.

Details

VBHTMLRenderer.java line 71 appends rv.getDescription() directly into HTML:

sb.append("<td><font class=body>").append(rv.getDescription()).append("</font></td>");

YAHTMLRenderer.java lines 196–203 does the same via renderViolationRow():

private String renderViolationRow(String name, String value) {
    return "<tr><td><b>" + name + "</b></td>" + "<td>" + value + "</td></tr>";
}

Called at line 172:

out.print(renderViolationRow("Description:", violation.getDescription()));

The violation message originates from AvoidDuplicateLiteralsRule.java line 91, which embeds raw string literal values via first.toPrintableString(). This calls StringUtil.escapeJava() (line 476–480), which is a Java source escaper — it passes <, >, and & through unchanged because they are printable ASCII (0x20–0x7e).

By contrast, HTMLRenderer.java line 143 properly escapes:

String d = StringEscapeUtils.escapeHtml4(rv.getDescription());

PoC

  1. Create a Java file with 4+ duplicate string literals containing an HTML payload:
public class Exploit {
    String a = "<img src=x onerror=alert(document.domain)>";
    String b = "<img src=x onerror=alert(document.domain)>";
    String c = "<img src=x onerror=alert(document.domain)>";
    String d = "<img src=x onerror=alert(document.domain)>";
}
  1. Run PMD with the vbhtml format:
pmd check -R category/java/errorprone.xml -f vbhtml -d Exploit.java -r report.html
  1. Open report.html in a browser. A JavaScript alert executes showing document.domain.

The generated HTML contains the unescaped tag:

<td><font class=body>The String literal "<img src=x onerror=alert(document.domain)>" appears 4 times in this file</font></td>

Tested and confirmed on PMD 7.22.0-SNAPSHOT (commit bcc646c53d).

Impact

Stored cross-site scripting (XSS). Affects CI/CD pipelines that run PMD with --format vbhtml or --format yahtml on untrusted source code (e.g., pull requests from external contributors) and expose the HTML report as a build artifact. JavaScript executes in the browser context of anyone who opens the report.

Practical impact is limited because vbhtml and yahtml are legacy formats rarely used in practice. The default html format has a similar issue with user messages from suppressed violations.

Fixes

  • See #6475: [core] Fix stored XSS in VBHTMLRenderer and YAHTMLRenderer
Severity ?
6.8 (Medium)
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 7.21.0"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "net.sourceforge.pmd:pmd-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "7.22.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-28338"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-28T02:49:29Z",
    "nvd_published_at": "2026-02-27T21:16:19Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nPMD\u0027s `vbhtml` and `yahtml` report formats insert rule violation messages into HTML output without escaping. When PMD analyzes untrusted source code containing crafted string literals, the generated HTML report contains executable JavaScript that runs when opened in a browser.\n\nWhile the default `html` format is not affected via rule violation messages (it correctly uses `StringEscapeUtils.escapeHtml4()`), it has a similar problem when rendering suppressed violations. The user supplied message (the reason for the suppression) was not escaped.\n\n### Details\n`VBHTMLRenderer.java` line 71 appends `rv.getDescription()` directly into HTML:\n\n```java\nsb.append(\"\u003ctd\u003e\u003cfont class=body\u003e\").append(rv.getDescription()).append(\"\u003c/font\u003e\u003c/td\u003e\");\n```\n\n`YAHTMLRenderer.java` lines 196\u2013203 does the same via `renderViolationRow()`:\n\n```java\nprivate String renderViolationRow(String name, String value) {\n    return \"\u003ctr\u003e\u003ctd\u003e\u003cb\u003e\" + name + \"\u003c/b\u003e\u003c/td\u003e\" + \"\u003ctd\u003e\" + value + \"\u003c/td\u003e\u003c/tr\u003e\";\n}\n```\n\nCalled at line 172:\n\n```java\nout.print(renderViolationRow(\"Description:\", violation.getDescription()));\n```\n\nThe violation message originates from `AvoidDuplicateLiteralsRule.java` line 91, which embeds raw string literal values via `first.toPrintableString()`. This calls `StringUtil.escapeJava()` (line 476\u2013480), which is a Java source escaper \u2014 it passes `\u003c`, `\u003e`, and `\u0026` through unchanged because they are printable ASCII (0x20\u20130x7e).\n\nBy contrast, `HTMLRenderer.java` line 143 properly escapes:\n\n```java\nString d = StringEscapeUtils.escapeHtml4(rv.getDescription());\n```\n### PoC\n\n1. Create a Java file with 4+ duplicate string literals containing an HTML payload:\n\n```java\npublic class Exploit {\n    String a = \"\u003cimg src=x onerror=alert(document.domain)\u003e\";\n    String b = \"\u003cimg src=x onerror=alert(document.domain)\u003e\";\n    String c = \"\u003cimg src=x onerror=alert(document.domain)\u003e\";\n    String d = \"\u003cimg src=x onerror=alert(document.domain)\u003e\";\n}\n```\n\n2. Run PMD with the `vbhtml` format:\n\n```bash\npmd check -R category/java/errorprone.xml -f vbhtml -d Exploit.java -r report.html\n```\n\n3. Open `report.html` in a browser. A JavaScript alert executes showing `document.domain`.\n\nThe generated HTML contains the unescaped tag:\n\n```html\n\u003ctd\u003e\u003cfont class=body\u003eThe String literal \"\u003cimg src=x onerror=alert(document.domain)\u003e\" appears 4 times in this file\u003c/font\u003e\u003c/td\u003e\n```\n\nTested and confirmed on PMD 7.22.0-SNAPSHOT (commit bcc646c53d).\n\n### Impact\nStored cross-site scripting (XSS). Affects CI/CD pipelines that run PMD with `--format vbhtml` or `--format yahtml` on untrusted source code (e.g., pull requests from external contributors) and expose the HTML report as a build artifact. JavaScript executes in the browser context of anyone who opens the report.\n\nPractical impact is limited because `vbhtml` and `yahtml` are legacy formats rarely used in practice. The default `html` format has a similar issue with user messages from suppressed violations.\n\n### Fixes\n* See [#6475](https://github.com/pmd/pmd/issues/6475): \\[core] Fix stored XSS in VBHTMLRenderer and YAHTMLRenderer",
  "id": "GHSA-8rr6-2qw5-pc7r",
  "modified": "2026-02-28T02:49:29Z",
  "published": "2026-02-28T02:49:29Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/pmd/pmd/security/advisories/GHSA-8rr6-2qw5-pc7r"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28338"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pmd/pmd/pull/6475"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pmd/pmd/commit/c140c0e1de5853a08efb84c9f91dfeb015882442"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/pmd/pmd"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "PMD Designer has Stored XSS in VBHTMLRenderer and YAHTMLRenderer via unescaped violation messages"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.