Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
5DescriptionCVE.org
Versions of the package jsondiffpatch before 0.7.6 are vulnerable to Cross-site Scripting (XSS) via the annotated formatter due to improper sanitization of JSON values and property names. If an application compares untrusted JSON/object data and renders annotated formatter output in the DOM, attacker-controlled HTML can be interpreted by the browser, resulting in XSS.
AnalysisAI
Cross-site scripting (XSS) in jsondiffpatch library versions before 0.7.6 allows remote attackers to inject malicious HTML/JavaScript through crafted JSON property names or values when the annotated formatter output is rendered in a browser. The vulnerability enables attackers to execute arbitrary client-side code in victim browsers when applications compare untrusted JSON data and display formatted diffs to users. Publicly available exploit code exists (EPSS not provided in data, no CISA KEV listing), with fix version 0.7.6 confirmed via vendor advisory and GitHub commit 232338b34.
Technical ContextAI
jsondiffpatch is a JavaScript library (NPM package) for computing differences between JSON objects and rendering those diffs in various formats. The annotated formatter generates HTML output for browser display. Prior to version 0.7.6, this formatter concatenated JSON values and property names directly into HTML strings without sanitization, creating CWE-79 (Improper Neutralization of Input During Web Page Generation) vulnerabilities. The fix introduces an htmlEscape() function that encodes HTML metacharacters (&, <, >, ', ") before embedding user-controlled data into HTML context. The vulnerable code paths include text diff spans, object property names, and stringified delta values - all of which could contain attacker-controlled content from compared JSON objects. Applications using this library to compare untrusted external data (user uploads, API responses, database records) and render the annotated HTML output are affected.
RemediationAI
Upgrade jsondiffpatch to version 0.7.6 or later, which introduces HTML entity encoding via the htmlEscape() function applied to all user-controlled data before HTML rendering (vendor-released patch confirmed via GitHub commit 232338b34c4653148ca2f44e897a765b72c8c98f and Snyk advisory SNYK-JS-JSONDIFFPATCH-16635946). For Node.js projects, run 'npm update jsondiffpatch' or 'yarn upgrade jsondiffpatch' and verify package.json reflects >=0.7.6. If immediate upgrade is not feasible, implement server-side output sanitization using a proven HTML sanitizer library (DOMPurify, js-xss) on annotated formatter output before serving to browsers, though this adds latency and complexity. Alternatively, switch to non-HTML formatters (console, json) if visual diff rendering is not required, though this sacrifices user experience. Content Security Policy (CSP) with 'unsafe-inline' restrictions can limit but not eliminate XSS impact, as attackers may inject data exfiltration or UI redress attacks not requiring script execution. Review application code to identify all locations invoking annotatedFormatter.format() on untrusted data and prioritize patching those code paths first.
More in Jsondiffpatch
View allSame weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30671
GHSA-2f3m-j83v-344c