Nixpkgs security tracker

Login with GitHub
⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Suggestions search

Untriaged
Filter by:
With package: python314Packages.pmdsky-debug-py

Found 1 matching suggestions

View:
Compact
Detailed
Permalink CVE-2026-28338
6.8 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV): NETWORK
  • Attack complexity (AC): HIGH
  • Privileges required (PR): NONE
  • User interaction (UI): REQUIRED
  • Scope (S): UNCHANGED
  • Confidentiality impact (C): HIGH
  • Integrity impact (I): HIGH
  • Availability impact (A): NONE
created 1 month, 4 weeks ago Activity log
  • Created suggestion 1 month, 4 weeks ago
PMD Designer has Stored XSS in VBHTMLRenderer and YAHTMLRenderer via unescaped violation messages

PMD is an extensible multilanguage static code analyzer. Prior to version 7.22.0, PMD's `vbhtml` and `yahtml` report formats insert rule violation messages into HTML output without escaping. When PMD analyzes untrusted source code containing crafted string literals, the generated HTML report contains executable JavaScript that runs when opened in a browser. Practical impact is limited because `vbhtml` and `yahtml` are legacy formats rarely used in practice. The default `html` format is properly escaped and not affected. Version 7.22.0 contains a fix for the issue.

Affected products

pmd
  • ==< 7.22.0

Matching in nixpkgs

pkgs.pmd

Extensible cross-language static code analyzer

pkgs.python312Packages.pmdarima

Statistical library designed to fill the void in Python's time series analysis capabilities, including the equivalent of R's auto.arima function

pkgs.python313Packages.pmdarima

Statistical library designed to fill the void in Python's time series analysis capabilities, including the equivalent of R's auto.arima function

pkgs.python314Packages.pmdarima

Statistical library designed to fill the void in Python's time series analysis capabilities, including the equivalent of R's auto.arima function

Package maintainers