PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-8656 Gist CVE debrief

CVE-2026-8656 describes a cross-site scripting issue in jsondiffpatch versions before 0.7.6. When an application compares untrusted JSON or object data and renders the annotated formatter output into the DOM, improperly sanitized JSON values or property names can be interpreted as HTML by the browser. The result is a client-side XSS risk in any workflow that displays diff output to users.

Vendor: Gist
Product: Unknown
CVSS: LOW (2)
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-16
Original CVE updated: 2026-05-16
Advisory published: 2026-05-16
Advisory updated: 2026-05-16

Who should care

Teams using jsondiffpatch in browser-facing applications, especially in code paths that render annotated formatter output from untrusted or user-controlled data. Front-end developers, security engineers, and maintainers of review or diff visualization tools should pay attention.

Technical summary

The vulnerability is tied to the annotated formatter. According to the supplied description, jsondiffpatch before 0.7.6 does not properly sanitize JSON values and property names before formatting them for display. If that formatted output is inserted into the DOM, attacker-controlled HTML can be parsed by the browser and executed as script in the page context. The supplied source corpus maps this to CWE-79 (cross-site scripting).

Defensive priority

Low to moderate. The supplied CVSS severity is LOW, but the issue still matters wherever untrusted data is rendered in a browser. Priority should increase if the affected formatter is used in public-facing or multi-user diff views.

Recommended defensive actions

  • Upgrade jsondiffpatch to 0.7.6 or later.
  • Audit any use of the annotated formatter for insertion into the DOM.
  • Avoid rendering diff output from untrusted JSON/object data without escaping or sanitization.
  • Review front-end code for direct HTML insertion paths such as innerHTML or equivalent patterns.
  • Add tests that ensure diff output is treated as text or safely escaped before display.
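The last three actions in one piece: an added example (not jsondiffpatch's own code) of a small renderer that walks a jsondiffpatch-style delta, escapes every property name and value before building markup, and a check a unit test can use to prove no untrusted tag survived. The delta shape follows jsondiffpatch's documented format; the function names and the sample delta are constructed for this example.

```javascript
// Delta shape (jsondiffpatch format):
//   { key: [newValue] }            property added
//   { key: [oldValue, newValue] }  property modified
//   { key: [oldValue, 0, 0] }      property deleted
//   { key: { ...nested delta } }   nested object changed
// Array deltas (`_t: "a"`) are not handled here.

function escapeHtml(value) {
  // Stringify non-strings so objects and numbers are displayed, never interpreted.
  const text = typeof value === "string" ? value : JSON.stringify(value);
  return text
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Annotated-style rows: both the property path and the values pass through
// escapeHtml before being concatenated into markup.
function renderDeltaSafe(delta, path = []) {
  let html = "";
  for (const key of Object.keys(delta)) {
    const change = delta[key];
    const fullPath = escapeHtml([...path, key].join("."));
    if (Array.isArray(change)) {
      if (change.length === 1) {
        html += `<tr><td>${fullPath}</td><td>added</td><td>${escapeHtml(change[0])}</td></tr>`;
      } else if (change.length === 2) {
        html += `<tr><td>${fullPath}</td><td>modified</td><td>${escapeHtml(change[0])} &rarr; ${escapeHtml(change[1])}</td></tr>`;
      } else if (change.length === 3 && change[1] === 0 && change[2] === 0) {
        html += `<tr><td>${fullPath}</td><td>deleted</td><td>${escapeHtml(change[0])}</td></tr>`;
      }
    } else if (change && typeof change === "object") {
      html += renderDeltaSafe(change, [...path, key]);
    }
  }
  return html;
}

// Test helper: the only tags allowed in the output are the ones the renderer
// itself emits; any other tag means untrusted input leaked through as HTML.
function hasUnexpectedTags(html) {
  const allowed = new Set(["tr", "td", "/tr", "/td"]);
  const tags = html.match(/<\/?[a-zA-Z][^\s>]*/g) || [];
  return tags.some((t) => !allowed.has(t.slice(1)));
}

// Constructed sample delta with hostile property names and values.
const hostileDelta = {
  "<img src=x onerror=alert(1)>": ["new"],
  title: ["old", "<script>alert(1)</script>"],
  nested: { removed: ["<b>gone</b>", 0, 0] },
};
```

Wire `hasUnexpectedTags(renderDeltaSafe(delta))` into the test suite with deltas built from hostile keys and values, and treat any `true` as a regression.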

Evidence notes

The description and version threshold come from the supplied CVE record: jsondiffpatch versions before 0.7.6 are vulnerable. The NVD metadata lists the weakness as CWE-79 and includes references to a Snyk report, a Git commit, and a Snyk advisory. The provided vendor metadata is low-confidence and marked needsReview, while the vulnerability text clearly points to the jsondiffpatch package.

Official resources

The CVE was published and last modified on 2026-05-16 06:16:18.347Z in the supplied data. No KEV entry is present in the supplied corpus.