Impact
PMD is a static code analysis tool that can output rule violations in several formats. In releases before version 7.22.0 the vbhtml and yahtml reporters inserted violation messages directly into the generated HTML without escaping them. If the analysed source code causes a violation message to contain crafted markup, the generated report embeds that markup verbatim, and any script in it executes when a user opens the report in a browser. The primary impact is that an attacker who supplies crafted source code and is able to deliver the resulting report to a browser session can run arbitrary code with the privileges of the browser user. Affected systems are installations of PMD before 7.22.0 that use the legacy vbhtml or yahtml report formats. The default html format is not affected, and the legacy formats are rarely used in current environments. The vulnerability is identified as CWE-79 (Cross-Site Scripting).
Affected Systems
PMD is a static code analysis tool maintained by the PMD project. The vulnerability affects versions of PMD prior to 7.22.0 that generate code-analysis reports using the legacy vbhtml or yahtml formats. The root of the issue is the unescaped inclusion of rule violation messages in the generated HTML; any PMD installation that uses these formats to process untrusted source code is at risk. The default html format escapes its output and is safe, so systems that use only the standard html report format are not impacted.
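The defect described in the Impact and Affected Systems sections is the classic unescaped-interpolation bug: a string that an untrusted input can influence is written into an HTML document as markup rather than as text. The following Java program is an added illustration, not PMD's own reporter code, and the `Violation` type, the report layout and the sample message are constructed for the example. It renders the same list of violations twice, once the way a legacy reporter did it and once with every untrusted field passed through a small `escapeHtml` routine, so the two outputs can be compared side by side.

```java
import java.util.List;

/**
 * Constructed example (not PMD's code): a minimal HTML report writer shown in
 * its unescaped (vulnerable) and escaped (hardened) forms.
 */
public class ReportEscapingExample {

    /** Constructed stand-in for a rule violation: file, line and message text. */
    record Violation(String file, int line, String message) {}

    /** Vulnerable variant: the message is interpolated into the HTML verbatim. */
    static String renderUnescaped(List<Violation> violations) {
        StringBuilder sb = new StringBuilder("<html><body><table>\n");
        for (Violation v : violations) {
            sb.append("<tr><td>").append(v.file())
              .append("</td><td>").append(v.line())
              .append("</td><td>").append(v.message())   // no escaping: markup becomes live
              .append("</td></tr>\n");
        }
        return sb.append("</table></body></html>\n").toString();
    }

    /** Escapes the characters that can break out of an HTML text node or attribute. */
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&'  -> out.append("&amp;");
                case '<'  -> out.append("&lt;");
                case '>'  -> out.append("&gt;");
                case '"'  -> out.append("&quot;");
                case '\'' -> out.append("&#39;");
                default   -> out.append(c);
            }
        }
        return out.toString();
    }

    /** Hardened variant: every field that untrusted input can reach is escaped. */
    static String renderEscaped(List<Violation> violations) {
        StringBuilder sb = new StringBuilder("<html><body><table>\n");
        for (Violation v : violations) {
            sb.append("<tr><td>").append(escapeHtml(v.file()))
              .append("</td><td>").append(v.line())                  // int: cannot carry markup
              .append("</td><td>").append(escapeHtml(v.message()))   // message rendered as text
              .append("</td></tr>\n");
        }
        return sb.append("</table></body></html>\n").toString();
    }

    public static void main(String[] args) {
        // Constructed violation whose message carries markup, as untrusted input could.
        List<Violation> vs = List.of(
            new Violation("Foo.java", 12, "Unused variable <script>alert('xss')</script>"));

        String unsafe = renderUnescaped(vs);
        String safe = renderEscaped(vs);

        // The vulnerable report contains a real script element; the hardened one does not.
        System.out.println("unescaped report contains <script>: " + unsafe.contains("<script>")); // true
        System.out.println("escaped report contains <script>:   " + safe.contains("<script>"));   // false
        System.out.println(safe);
    }
}
```

A useful check when auditing any report generator is the one `main` performs: feed a message containing `<`, `>`, `&`, `"` and `'` through the writer and confirm none of them survive as raw characters in the output. The line number is appended unescaped deliberately because an `int` cannot carry markup; every `String` that untrusted input can influence goes through `escapeHtml`, which is the property the fixed reporters in 7.22.0 need to hold.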
Risk and Exploitability
Exploitability is limited to a scenario where an attacker supplies malicious source code to PMD, so that the generated report contains executable JavaScript that runs when opened in a browser. The CVSS score of 6.8 indicates moderate severity, but the EPSS score below 1% and absence from the CISA KEV catalog suggest a low likelihood of widespread exploitation. The legacy vbhtml and yahtml reports are rarely used in contemporary environments, further constraining the attack surface. The impact remains significant for systems that still generate or distribute these outdated reports from untrusted code sources.
OpenCVE Enrichment (source: GitHub GHSA)