CVE-2026-8656: Cross-site Scripting (XSS) in jsondiffpatch
jsondiffpatch versions before 0. 7. 6 contain a Cross-site Scripting (XSS) vulnerability in the annotated formatter due to improper sanitization of JSON values and property names. This flaw allows attacker-controlled HTML to be executed in the browser if untrusted JSON data is compared and the annotated formatter output is rendered in the DOM. The vulnerability has a medium severity with a CVSS score of 5. 1. No official patch or remediation level has been confirmed yet. There are no known exploits in the wild at this time.
AI Analysis
Technical Summary
CVE-2026-8656 is a Cross-site Scripting vulnerability affecting jsondiffpatch versions prior to 0.7.6. The issue arises from improper sanitization of JSON values and property names in the annotated formatter feature. When applications use this formatter to display differences between JSON objects that include untrusted data, malicious HTML can be injected and executed in the browser context. This vulnerability has a CVSS 4.0 base score of 5.1, indicating medium severity. No official patch or vendor advisory detailing remediation is currently available, and the package is not a cloud service.
Potential Impact
Successful exploitation could allow an attacker to execute arbitrary HTML or script code in the context of the victim's browser when viewing annotated formatter output generated from untrusted JSON data. This can lead to typical XSS impacts such as session hijacking or content manipulation. However, exploitation requires that the vulnerable feature be used to render attacker-controlled JSON data in the DOM. There are no known active exploits reported.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, avoid rendering annotated formatter output in the DOM with untrusted JSON data or implement manual sanitization of JSON values and property names before rendering. Monitor vendor channels for updates regarding patches or official mitigations.
CVE-2026-8656: Cross-site Scripting (XSS) in jsondiffpatch
Description
jsondiffpatch versions before 0. 7. 6 contain a Cross-site Scripting (XSS) vulnerability in the annotated formatter due to improper sanitization of JSON values and property names. This flaw allows attacker-controlled HTML to be executed in the browser if untrusted JSON data is compared and the annotated formatter output is rendered in the DOM. The vulnerability has a medium severity with a CVSS score of 5. 1. No official patch or remediation level has been confirmed yet. There are no known exploits in the wild at this time.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-8656 is a Cross-site Scripting vulnerability affecting jsondiffpatch versions prior to 0.7.6. The issue arises from improper sanitization of JSON values and property names in the annotated formatter feature. When applications use this formatter to display differences between JSON objects that include untrusted data, malicious HTML can be injected and executed in the browser context. This vulnerability has a CVSS 4.0 base score of 5.1, indicating medium severity. No official patch or vendor advisory detailing remediation is currently available, and the package is not a cloud service.
Potential Impact
Successful exploitation could allow an attacker to execute arbitrary HTML or script code in the context of the victim's browser when viewing annotated formatter output generated from untrusted JSON data. This can lead to typical XSS impacts such as session hijacking or content manipulation. However, exploitation requires that the vulnerable feature be used to render attacker-controlled JSON data in the DOM. There are no known active exploits reported.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, avoid rendering annotated formatter output in the DOM with untrusted JSON data or implement manual sanitization of JSON values and property names before rendering. Monitor vendor channels for updates regarding patches or official mitigations.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- snyk
- Date Reserved
- 2026-05-15T06:27:53.788Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a07ff1cec166c07b05e5fd2
Added to database: 5/16/2026, 5:22:36 AM
Last enriched: 5/16/2026, 5:36:44 AM
Last updated: 5/16/2026, 8:08:44 AM
Views: 6
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.