Maven package
net.sourceforge.pmd/pmd-core
pkg:maven/net.sourceforge.pmd/pmd-core
Vulnerabilities (3)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-28338 | — | < 7.22.0 | 7.22.0 | Feb 27, 2026 | PMD is an extensible multilanguage static code analyzer. Prior to version 7.22.0, PMD's `vbhtml` and `yahtml` report formats insert rule violation messages into HTML output without escaping. When PMD analyzes untrusted source code containing crafted string literals, the generated | ||
| CVE-2025-23215 | Cri | — | >= 6.21.0, < 7.10.0 | 7.10.0 | Jan 31, 2025 | PMD is an extensible multilanguage static code analyzer. The passphrase for the PMD and PMD Designer release signing keys are included in jar published to Maven Central. The private key itself is not known to have been compromised itself, but given its passphrase is, it must also | |
| CVE-2019-7722 | — | < 6.0.0 | 6.0.0 | Feb 11, 2019 | PMD 5.8.1 and earlier processes XML external entities in ruleset files it parses as part of the analysis process, allowing attackers tampering it (either by direct modification or MITM attacks when using remote rulesets) to perform information disclosure, denial of service, or re |
- CVE-2026-28338Feb 27, 2026affected < 7.22.0fixed 7.22.0
PMD is an extensible multilanguage static code analyzer. Prior to version 7.22.0, PMD's `vbhtml` and `yahtml` report formats insert rule violation messages into HTML output without escaping. When PMD analyzes untrusted source code containing crafted string literals, the generated
- affected >= 6.21.0, < 7.10.0fixed 7.10.0
PMD is an extensible multilanguage static code analyzer. The passphrase for the PMD and PMD Designer release signing keys are included in jar published to Maven Central. The private key itself is not known to have been compromised itself, but given its passphrase is, it must also
- CVE-2019-7722Feb 11, 2019affected < 6.0.0fixed 6.0.0
PMD 5.8.1 and earlier processes XML external entities in ruleset files it parses as part of the analysis process, allowing attackers tampering it (either by direct modification or MITM attacks when using remote rulesets) to perform information disclosure, denial of service, or re