Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools

jsondiffpatch

Source -

CNA

CNA CVEs -

3

ADP CVEs -

0

CISA CVEs -

0

NVD CVEs -

0
Related CVEsRelated VendorsRelated AssignersReports
3Vulnerabilities found
CVE-2026-8657
Assigner-Snyk
ShareView Details
Assigner-Snyk
CVSS Score-8.8||HIGH
EPSS-0.37% / 28.69%
||
7 Day CHG~0.00%
Published-16 May, 2026 | 05:00
Updated-19 May, 2026 | 15:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Versions of the package jsondiffpatch before 0.7.6 are vulnerable to Prototype Pollution via the jsondiffpatch.patch() and jsondiffpatch/formatters/jsonpatch.patch() APIs. An attacker can perform prototype pollution by supplying crafted delta or JSON Patch documents, as attacker-controlled property names and path segments are used to traverse and modify objects without restricting access to special properties like __proto__ or constructor.prototype, allowing modification of Object.prototype.

Action-Not Available
Vendor-n/a
Product-jsondiffpatch
CWE ID-CWE-1321
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CVE-2026-8656
Assigner-Snyk
ShareView Details
Assigner-Snyk
CVSS Score-5.1||MEDIUM
EPSS-0.19% / 8.89%
||
7 Day CHG~0.00%
Published-16 May, 2026 | 05:00
Updated-19 May, 2026 | 15:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Versions of the package jsondiffpatch before 0.7.6 are vulnerable to Cross-site Scripting (XSS) via the annotated formatter due to improper sanitization of JSON values and property names. If an application compares untrusted JSON/object data and renders annotated formatter output in the DOM, attacker-controlled HTML can be interpreted by the browser, resulting in XSS.

Action-Not Available
Vendor-n/a
Product-jsondiffpatch
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-9910
Assigner-Snyk
ShareView Details
Assigner-Snyk
CVSS Score-2.3||LOW
EPSS-0.28% / 19.56%
||
7 Day CHG~0.00%
Published-11 Sep, 2025 | 05:00
Updated-11 Sep, 2025 | 17:14
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Versions of the package jsondiffpatch before 0.7.2 are vulnerable to Cross-site Scripting (XSS) via HtmlFormatter::nodeBegin. An attacker can inject malicious scripts into HTML payloads that may lead to code execution if untrusted payloads were used as source for the diff, and the result renderer using the built-in html formatter on a private website.

Action-Not Available
Vendor-n/a
Product-org.webjars.bower:jsondiffpatchjsondiffpatchorg.webjars.npm:jsondiffpatch
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')