GHSA-2f3m-j83v-344c.json
{
  "schema_version": "1.4.0",
  "id": "GHSA-2f3m-j83v-344c",
  "modified": "2026-05-16T06:30:40Z",
  "published": "2026-05-16T06:30:29Z",
  "aliases": [
    "CVE-2026-8656"
  ],
  "summary": "Cross-site Scripting (XSS) in jsondiffpatch Annotated Formatter",
  "details": "### Summary\nVersions of the package `jsondiffpatch` before 0.7.6 are vulnerable to Cross-site Scripting (XSS) when using the annotated formatter. The vulnerability occurs because the annotated formatter component does not properly escape or sanitize JSON property names and property values before interpolating them into HTML strings intended for DOM insertion.\n\n### Impact\nIf an application accepts untrusted, user-controlled JSON or object data, compares it using `jsondiffpatch`, and renders the resulting diff using the annotated formatter in a browser context, an attacker can execute arbitrary JavaScript. By crafting a JSON payload containing malicious HTML tags or attributes (e.g., `<script>` elements or `onload`/`onerror` handlers) in either the keys or the values, the payload will be interpreted and executed by the browser.\n\n### Remediation\nUpgrade the `jsondiffpatch` package to version **0.7.6** or later, which introduces proper escaping for HTML characters during rendering.",
  "severity": [
    {
      "type": "CVSS_V3",
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
    }
  ],
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "jsondiffpatch"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.7.6"
            }
          ]
        }
      ],
      "database_specific": {
        "last_known_affected_version_range": "< 0.7.6"
      }
    }
  ],
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-8656"
    },
    {
      "type": "WEB",
      "url": "https://github.com/benjamine/jsondiffpatch/commit/232338b97d264f331f4fcbc622ee13c19b0ce2fc"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/yuki-matsuhashi/72ed072d919f3c52adba298faa6a7da5"
    },
    {
      "type": "WEB",
      "url": "https://security.snyk.io/vuln/SNYK-JS-JSONDIFFPATCH-16635946"
    }
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "severity": "MODERATE",
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-16T06:16:18Z"
  }
}
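The advisory's "details" field describes the defect as unescaped interpolation of property names and values into HTML. The following is an added example, written for this page and not code from the jsondiffpatch project or its formatters: a minimal annotated-style renderer for a delta in the shape jsondiffpatch documents (added `[new]`, modified `[old, new]`, deleted `[old, 0, 0]`; that shape is assumed here), rendered once without escaping to mimic the pre-0.7.6 behaviour and once with an HTML escaper to mimic the fix. The delta, the `escapeHtml` helper and the `containsLiveMarkup` check are all constructed for this illustration.

```javascript
// Added example (not jsondiffpatch's own code): a toy annotated-style HTML
// renderer for a jsondiffpatch-shaped delta, in an unescaped form that mirrors
// the CWE-79 defect described in GHSA-2f3m-j83v-344c and a hardened form that
// escapes keys and values before interpolation.
//
// Assumed delta shape (jsondiffpatch's documented format):
//   added    -> [newValue]
//   modified -> [oldValue, newValue]
//   deleted  -> [oldValue, 0, 0]

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that can change meaning in HTML text or
// attribute content. This is the kind of escaping the 0.7.6 fix introduces.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Work out which operation one delta entry encodes; nested object deltas are
// out of scope for this illustration and are skipped.
function classify(entry) {
  if (!Array.isArray(entry)) return null;
  if (entry.length === 1) return { op: 'added', value: entry[0] };
  if (entry.length === 2) return { op: 'modified', value: entry[1], old: entry[0] };
  if (entry.length === 3 && entry[1] === 0 && entry[2] === 0) return { op: 'deleted', old: entry[0] };
  return null;
}

// Render an annotated-style list. With escape=false both the key and the
// value land in the markup verbatim (the vulnerable pattern); with escape=true
// they are passed through escapeHtml first (the hardened pattern).
function renderAnnotated(delta, escape) {
  const esc = escape ? escapeHtml : (s) => String(s);
  const rows = [];
  for (const key of Object.keys(delta)) {
    const change = classify(delta[key]);
    if (!change) continue;
    const val = change.op === 'deleted' ? change.old : change.value;
    rows.push(
      `<li class="jsondiffpatch-${change.op}">` +
      `<span class="key">${esc(key)}</span>` +
      `<span class="value">${esc(JSON.stringify(val))}</span></li>`
    );
  }
  return `<ul>${rows.join('')}</ul>`;
}

// Constructed attacker input: one payload in a property name (an element with
// an onerror handler) and one in a property value (a script element).
const ATTACKER_DELTA = {
  '<img src=x onerror=alert(1)>': ['injected'],
  note: ['hello', '"><script>alert(document.cookie)</script>'],
};

// True when the output contains a raw <img> or <script> start tag, i.e. markup
// that came from the delta rather than from the renderer's own template.
function containsLiveMarkup(html) {
  return /<(img|script)\b/.test(html);
}

// Render the constructed delta both ways and report which one is exploitable.
function demo() {
  const vulnerable = renderAnnotated(ATTACKER_DELTA, false);
  const hardened = renderAnnotated(ATTACKER_DELTA, true);
  return {
    vulnerable,
    hardened,
    vulnerableIsExploitable: containsLiveMarkup(vulnerable),
    hardenedIsExploitable: containsLiveMarkup(hardened),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  const result = demo();
  console.log('unescaped output:', result.vulnerable);
  console.log('escaped output:  ', result.hardened);
  console.log('exploitable? unescaped =', result.vulnerableIsExploitable,
              ', escaped =', result.hardenedIsExploitable);
}
```

The check in `containsLiveMarkup` is deliberately narrow: after escaping, the text `onerror=` still appears in the output, but inside a text node it is inert, so the only thing that matters is whether an input-supplied `<` survives as a tag delimiter. When auditing an application that renders diffs of untrusted data, the same question applies to every interpolation site, not only the one the advisory names.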