Benjamín Eidelman

3 exploits Active since Sep 2025
CVE-2026-8656 WRITEUP MEDIUM WRITEUP
Jsondiffpatch < 0.7.6 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Versions of the package jsondiffpatch before 0.7.6 are vulnerable to Cross-site Scripting (XSS) via the annotated formatter due to improper sanitization of JSON values and property names. If an application compares untrusted JSON/object data and renders annotated formatter output in the DOM, attacker-controlled HTML can be interpreted by the browser, resulting in XSS.
CVSS 6.1
CVE-2026-8657 WRITEUP HIGH WRITEUP
Jsondiffpatch < 0.7.6 - Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Versions of the package jsondiffpatch before 0.7.6 are vulnerable to Prototype Pollution via the jsondiffpatch.patch() and jsondiffpatch/formatters/jsonpatch.patch() APIs. An attacker can perform prototype pollution by supplying crafted delta or JSON Patch documents, as attacker-controlled property names and path segments are used to traverse and modify objects without restricting access to special properties like __proto__ or constructor.prototype, allowing modification of Object.prototype.
CVSS 8.2
CVE-2025-9910 WRITEUP MEDIUM WRITEUP
jsondiffpatch < 0.7.2 - Cross-Site Scripting via HtmlFormatter::nodeBegin
Versions of the package jsondiffpatch before 0.7.2 are vulnerable to Cross-site Scripting (XSS) via HtmlFormatter::nodeBegin. An attacker can inject malicious scripts into HTML payloads that may lead to code execution if untrusted payloads were used as source for the diff, and the result renderer using the built-in html formatter on a private website.
CVSS 4.7