Cross-site Scripting Vulnerability in jsondiffpatch Affects Various Applications
CVE-2026-8656

5.1MEDIUM

Key Information:

Vendor: benjamine
Status: Jsondiffpatch
Vendor: CVE Published:; 16 May 2026

What is CVE-2026-8656?

Versions of jsondiffpatch prior to 0.7.6 exhibit a Cross-site Scripting (XSS) vulnerability due to inadequate sanitization of JSON values and property names within the annotated formatter. When applications process untrusted JSON or object data and display the formatted output in the DOM, there is a risk that attacker-controlled HTML may be executed by the browser, which could lead to significant security breaches.

Affected Version(s)

jsondiffpatch 0 < 0.7.6

References

https://security.snyk.io/vuln/SNYK-JS-JSONDIFFPATCH-16635946

https://gist.github.com/yuki-matsuhashi/72ed072d919f3c52a...

https://github.com/benjamine/jsondiffpatch/commit/232338b...

CVSS V4

Score:

5.1

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 16, 2026
Vulnerability Reserved
May 15, 2026

Credit

Yuki Matsuhashi

CVE-2026-8656 Data

JSON