Cross-site scripting (XSS) in jsondiffpatch library versions before 0.7.6 allows remote attackers to inject malicious HTML/JavaScript through crafted JSON property names or values when the annotated formatter output is rendered in a browser. The vulnerability enables attackers to execute arbitrary client-side code in victim browsers when applications compare untrusted JSON data and display formatted diffs to users. Publicly available exploit code exists (EPSS not provided in data, no CISA KEV listing), with fix version 0.7.6 confirmed via vendor advisory and GitHub commit 232338b34.
XSS
Jsondiffpatch
NVD
GitHub
VulDB
CVSS 4.0
2.0
EPSS
0.0%