📄 Description (English)
PMD is an extensible multilanguage static code analyzer. Prior to version 7.22.0, PMD's `vbhtml` and `yahtml` report formats insert rule violation messages into HTML output without escaping. When PMD analyzes untrusted source code containing crafted string literals, the generated HTML report contains executable JavaScript that runs when opened in a browser. Practical impact is limited because `vbhtml` and `yahtml` are legacy formats rarely used in practice. The default `html` format is properly escaped and not affected. Version 7.22.0 contains a fix for the issue.
🤖 AI Executive Summary
PMD versions prior to 7.22.0 contain a stored XSS vulnerability in legacy `vbhtml` and `yahtml` report formats that fail to escape rule violation messages. When analyzing untrusted code, crafted string literals can inject executable JavaScript into HTML reports. While practical impact is limited due to legacy format usage, organizations using these formats face potential code execution risks when reports are shared or opened in browsers.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: May 10, 2026 14:36
🇸🇦 Saudi Arabia Impact Assessment
Saudi organizations using PMD for code analysis—particularly in government IT departments, financial services, and telecommunications sectors—face XSS risks if they utilize legacy `vbhtml` or `yahtml` report formats. Impact is most significant for organizations analyzing third-party or untrusted source code (outsourced development, open-source dependencies). Banking sector (SAMA-regulated) and government agencies (NCA oversight) using these formats could face compliance violations if malicious code execution occurs during security assessments. Telecom operators (STC, Mobily) and energy sector developers may be affected if PMD is part of their DevSecOps pipelines.
🏢 Affected Saudi Sectors
Government (NCA-regulated agencies)
Banking & Financial Services (SAMA-regulated)
Telecommunications (STC, Mobily, Zain)
Energy & Utilities (ARAMCO, SEC)
Healthcare (MOH-regulated)
Software Development & IT Services
🎯 MITRE ATT&CK Techniques
⚖️ Saudi Risk Score (AI)
5.2
/ 10.0
🔧 Remediation Steps (English)
Immediate Actions:
1. Identify all PMD installations across your organization using `find / -name 'pmd*' -type d` or check build pipelines
2. Audit which report formats are configured—search build scripts and CI/CD configurations for `vbhtml` or `yahtml` parameters
3. If legacy formats are in use, immediately switch to the default `html` format (properly escaped) or `json`/`xml` formats
4. Review all existing HTML reports generated with legacy formats; do not open in browsers if analyzing untrusted code
Patching Guidance:
1. Upgrade PMD to version 7.22.0 or later immediately
2. Update build tool integrations (Maven, Gradle, SonarQube plugins) to use patched PMD version
3. Verify patch installation: `pmd --version` should show 7.22.0+
Compensating Controls (if upgrade delayed):
1. Disable `vbhtml` and `yahtml` report generation in all build configurations
2. Restrict HTML report access to trusted internal networks only
3. Implement Content Security Policy (CSP) headers if reports served via web interface
4. Use sandboxed environments for opening PMD reports from untrusted code analysis
Detection Rules:
1. Monitor for PMD invocations with `-f vbhtml` or `-f yahtml` parameters in logs
2. Alert on HTML report generation from analysis of external/third-party code
3. Search existing reports for `<script>` tags or JavaScript event handlers in violation messages
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. حدد جميع تثبيتات PMD عبر مؤسستك باستخدام `find / -name 'pmd*' -type d` أو تحقق من خطوط الأنابيب
2. تدقيق صيغ التقارير المكونة—ابحث في سكريبتات البناء وتكوينات CI/CD عن معاملات `vbhtml` أو `yahtml`
3. إذا كانت الصيغ القديمة قيد الاستخدام، قم بالتبديل فوراً إلى صيغة `html` الافتراضية (مهروبة بشكل صحيح) أو صيغ `json`/`xml`
4. راجع جميع تقارير HTML الموجودة المُنشأة بصيغ قديمة؛ لا تفتحها في المتصفحات عند تحليل أكواد غير موثوقة
إرشادات التصحيح:
1. قم بترقية PMD إلى الإصدار 7.22.0 أو أحدث فوراً
2. حدّث تكاملات أدوات البناء (Maven و Gradle وملحقات SonarQube) لاستخدام إصدار PMD المصحح
3. تحقق من تثبيت التصحيح: `pmd --version` يجب أن يعرض 7.22.0+
الضوابط البديلة (إذا تأخر الترقية):
1. عطّل إنشاء تقارير `vbhtml` و`yahtml` في جميع تكوينات البناء
2. قيّد الوصول إلى تقارير HTML للشبكات الداخلية الموثوقة فقط
3. طبّق رؤوس سياسة أمان المحتوى (CSP) إذا تم تقديم التقارير عبر واجهة ويب
4. استخدم بيئات معزولة لفتح تقارير PMD من تحليل الأكواس الخارجية
قواعد الكشف:
1. راقب استدعاءات PMD بمعاملات `-f vbhtml` أو `-f yahtml` في السجلات
2. تنبيهات عند إنشاء تقارير HTML من تحليل الأكواد الخارجية/الطرف الثالث
3. ابحث في التقارير الموجودة عن علامات `<script>` أو معالجات أحداث JavaScript في رسائل الانتهاكات
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 A.14.2.1 - Secure development policy (code analysis security)
ECC 2024 A.14.2.5 - Access control for development tools
ECC 2024 A.12.6.1 - Management of technical vulnerabilities
🔵 SAMA CSF
SAMA CSF ID.BE-3.2 - Organizational resilience (secure development practices)
SAMA CSF PR.DS-6 - Data is protected from unauthorized access (code analysis outputs)
SAMA CSF DE.CM-1 - Detection processes and tools (vulnerability scanning)
🟡 ISO 27001:2022
ISO 27001:2022 A.8.2.3 - Segregation of development, test and production environments
ISO 27001:2022 A.14.2.1 - Information security requirements analysis and specification
ISO 27001:2022 A.14.2.5 - Secure development environment
🟣 PCI DSS v4.0.1
PCI DSS 6.3.2 - Review of custom code prior to release (secure code analysis)
PCI DSS 6.5.1 - Injection flaws prevention (XSS in development tools)
🔗 References & Sources 3
🔗
https://github.com/pmd/pmd/commit/c140c0e1de5853a08efb84c9f91dfeb015882442
security-advisories@github.com
Patch
🔗
https://github.com/pmd/pmd/pull/6475
security-advisories@github.com
Issue Tracking
Patch
🔗
https://github.com/pmd/pmd/security/advisories/GHSA-8rr6-2qw5-pc7r
security-advisories@github.com
Exploit
Patch
Vendor Advisory
📦 Affected Products / CPE 1 entries
pmd_project:pmd