Skip to main content

jsondiffpatch CVE-2026-8656

| EUVDEUVD-2026-30671 LOW
Cross-site Scripting (XSS) (CWE-79)
2026-05-16 snyk GHSA-2f3m-j83v-344c
2.0
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.0 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

5
Severity Changed
May 16, 2026 - 06:22 NVD
MEDIUM LOW
CVSS changed
May 16, 2026 - 06:22 NVD
6.1 (MEDIUM) 2.0 (LOW)
Patch available
May 16, 2026 - 06:01 EUVD
Source Code Evidence Fetched
May 16, 2026 - 05:42 vuln.today
Analysis Generated
May 16, 2026 - 05:42 vuln.today

DescriptionCVE.org

Versions of the package jsondiffpatch before 0.7.6 are vulnerable to Cross-site Scripting (XSS) via the annotated formatter due to improper sanitization of JSON values and property names. If an application compares untrusted JSON/object data and renders annotated formatter output in the DOM, attacker-controlled HTML can be interpreted by the browser, resulting in XSS.

AnalysisAI

Cross-site scripting (XSS) in jsondiffpatch library versions before 0.7.6 allows remote attackers to inject malicious HTML/JavaScript through crafted JSON property names or values when the annotated formatter output is rendered in a browser. The vulnerability enables attackers to execute arbitrary client-side code in victim browsers when applications compare untrusted JSON data and display formatted diffs to users. Publicly available exploit code exists (EPSS not provided in data, no CISA KEV listing), with fix version 0.7.6 confirmed via vendor advisory and GitHub commit 232338b34.

Technical ContextAI

jsondiffpatch is a JavaScript library (NPM package) for computing differences between JSON objects and rendering those diffs in various formats. The annotated formatter generates HTML output for browser display. Prior to version 0.7.6, this formatter concatenated JSON values and property names directly into HTML strings without sanitization, creating CWE-79 (Improper Neutralization of Input During Web Page Generation) vulnerabilities. The fix introduces an htmlEscape() function that encodes HTML metacharacters (&, <, >, ', ") before embedding user-controlled data into HTML context. The vulnerable code paths include text diff spans, object property names, and stringified delta values - all of which could contain attacker-controlled content from compared JSON objects. Applications using this library to compare untrusted external data (user uploads, API responses, database records) and render the annotated HTML output are affected.

RemediationAI

Upgrade jsondiffpatch to version 0.7.6 or later, which introduces HTML entity encoding via the htmlEscape() function applied to all user-controlled data before HTML rendering (vendor-released patch confirmed via GitHub commit 232338b34c4653148ca2f44e897a765b72c8c98f and Snyk advisory SNYK-JS-JSONDIFFPATCH-16635946). For Node.js projects, run 'npm update jsondiffpatch' or 'yarn upgrade jsondiffpatch' and verify package.json reflects >=0.7.6. If immediate upgrade is not feasible, implement server-side output sanitization using a proven HTML sanitizer library (DOMPurify, js-xss) on annotated formatter output before serving to browsers, though this adds latency and complexity. Alternatively, switch to non-HTML formatters (console, json) if visual diff rendering is not required, though this sacrifices user experience. Content Security Policy (CSP) with 'unsafe-inline' restrictions can limit but not eliminate XSS impact, as attackers may inject data exfiltration or UI redress attacks not requiring script execution. Review application code to identify all locations invoking annotatedFormatter.format() on untrusted data and prioritize patching those code paths first.

Share

CVE-2026-8656 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy