CVE-2026-28338

Summary

PMD Designer has Stored XSS in VBHTMLRenderer and YAHTMLRenderer via unescaped violation messages

Severity

medium

EPSS

0.3% (p21)

Also known as

GHSA-8rr6-2qw5-pc7r

Published

2026-02-28

References

• https://github.com/pmd/pmd/security/advisories/GHSA-8rr6-2qw5-pc7r
• https://nvd.nist.gov/vuln/detail/CVE-2026-28338
• https://github.com/pmd/pmd/pull/6475

Related advisories

• CVE-2025-23215 — critical · Maven/net.sourceforge.pmd:pmd-core

Is your project exposed to this? Stateward checks every dependency on every pull request and flags it only if your code actually reaches it.

Summarize with AI

ChatGPTClaudePerplexity