CVE-2026-8656 Overview
CVE-2026-8656 is a Cross-site Scripting (XSS) vulnerability affecting the jsondiffpatch JavaScript package in versions before 0.7.6. The flaw resides in the annotated formatter, which fails to properly sanitize JSON values and property names before rendering them in the Document Object Model (DOM). Applications that compare untrusted JSON or object data and render the annotated formatter output expose users to attacker-controlled HTML execution. The weakness is classified under CWE-79.
Critical Impact
Attacker-controlled HTML embedded in JSON keys or values is interpreted by the browser, enabling script execution in the context of the hosting application.
Affected Products
- jsondiffpatch npm package versions prior to 0.7.6
- Web applications that render annotated formatter output from untrusted JSON inputs
- Downstream libraries and tooling that embed the jsondiffpatch annotated formatter
Discovery Timeline
- 2026-05-16 - CVE-2026-8656 published to the National Vulnerability Database (NVD)
- 2026-05-19 - Last updated in NVD database
Technical Details for CVE-2026-8656
Vulnerability Analysis
The jsondiffpatch library provides utilities for computing and visualizing differences between JSON documents. The annotated formatter generates an HTML representation of a diff so developers can inspect changes in the browser. The vulnerability stems from the formatter concatenating JSON property names and values directly into HTML output without escaping HTML metacharacters.
When an application feeds untrusted input through the formatter and inserts the result into the DOM, the browser parses any embedded <script>, <img>, or event-handler markup as HTML rather than text. The result is a stored or reflected XSS condition, depending on how the host application transports the JSON. Exploitation requires user interaction, since the malicious markup only executes once the rendered diff is displayed.
According to the Snyk advisory and the upstream fix in commit 232338b34c4653148ca2f44e897a765b72c8c98f, the maintainer addressed the issue in version 0.7.6 by escaping output rendered by the annotated formatter. The EPSS probability for in-the-wild exploitation is 0.029%.
Root Cause
The annotated formatter performs string interpolation of JSON keys and values into HTML fragments without HTML entity encoding. Special characters such as <, >, ", and ' retain their syntactic meaning when inserted into the DOM, allowing attacker-supplied markup to break out of the intended text context.
Attack Vector
An attacker submits crafted JSON containing HTML or JavaScript payloads in object keys or string values. When the receiving application invokes the annotated formatter and inserts the resulting HTML into the page, the browser executes the injected payload. Typical scenarios include diff viewers for user-submitted documents, configuration auditing tools, and collaborative editors. Reference proof-of-concept payloads are documented in the GitHub Gist PoC.
Detection Methods for CVE-2026-8656
Indicators of Compromise
- Unexpected <script> tags, onerror attributes, or javascript: URIs appearing in stored JSON documents that flow through diff views.
- Browser console errors or Content Security Policy (CSP) violations originating from pages rendering diff output.
- Outbound network requests from user browsers to attacker-controlled hosts immediately after viewing diff pages.
Detection Strategies
- Inventory dependencies with npm ls jsondiffpatch or equivalent Software Composition Analysis (SCA) tooling to identify versions earlier than 0.7.6.
- Review application code for calls to the annotated formatter (format from jsondiffpatch/formatters/annotated) handling untrusted input.
- Inspect web server and Web Application Firewall (WAF) logs for JSON request bodies containing HTML tags or event handler attributes.
Monitoring Recommendations
- Enable and monitor CSP violation reports to catch inline script execution attempts in diff-rendering pages.
- Alert on anomalous DOM mutations or script injections via Real User Monitoring (RUM) or browser telemetry.
- Track outbound requests from authenticated user sessions to unrecognized domains following diff-page activity.
How to Mitigate CVE-2026-8656
Immediate Actions Required
- Upgrade jsondiffpatch to version 0.7.6 or later across all applications and build pipelines.
- Audit web views that render diff output and confirm they consume the patched library.
- Apply or tighten Content Security Policy headers to block inline script execution as a defense-in-depth control.
Patch Information
The fix is committed upstream at GitHub Commit 232338b and released in jsondiffpatch@0.7.6. Additional remediation guidance is available in the Snyk Vulnerability Report.
Workarounds
- Avoid passing untrusted JSON directly to the annotated formatter, or sanitize keys and values with an HTML-escaping function before rendering.
- Render diff output inside a sandboxed iframe with a strict CSP that disallows inline scripts and external resources.
- Replace the annotated formatter with a text-only or JSON-tree formatter that does not emit raw HTML for untrusted comparisons.
# Configuration example
npm install jsondiffpatch@^0.7.6
npm audit --production
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
