CVE-2026-8656

Published: May 16, 2026

Modified: May 18, 2026

PUBLISHED

CVSS v3.1

6.1

MEDIUM

Description

Versions of the package jsondiffpatch before 0.7.6 are vulnerable to Cross-site Scripting (XSS) via the annotated formatter due to improper sanitization of JSON values and property names. If an application compares untrusted JSON/object data and renders annotated formatter output in the DOM, attacker-controlled HTML can be interpreted by the browser, resulting in XSS.

Vendor	Product	Versions
n/a	jsondiffpatch	affected `0 - < 0.7.6`

Weaknesses (CWE)

CWE-79

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N/E:P

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

References

https://security.snyk.io/vuln/SNYK-JS-JSONDIFFPATCH-16635946

https://gist.github.com/yuki-matsuhashi/72ed072d919f3c52adba298faa6a7da5

https://github.com/benjamine/jsondiffpatch/commit/232338b34c4653148ca2f44e897a765b72c8c98f

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2026-8656

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References