From aacedba87b4e4cf642e833d83ef97bdba7198968 Mon Sep 17 00:00:00 2001
From: Vendeta
Date: Sat, 16 May 2026 15:35:05 +0300
Subject: [PATCH] Improve GHSA-2f3m-j83v-344c
---
 .../GHSA-2f3m-j83v-344c.json | 36 ++++++++++++++-----
 1 file changed, 28 insertions(+), 8 deletions(-)
diff --git a/advisories/unreviewed/2026/05/GHSA-2f3m-j83v-344c/GHSA-2f3m-j83v-344c.json b/advisories/unreviewed/2026/05/GHSA-2f3m-j83v-344c/GHSA-2f3m-j83v-344c.json
index d1b763726dece..b5d18defa0c2b 100644
--- a/advisories/unreviewed/2026/05/GHSA-2f3m-j83v-344c/GHSA-2f3m-j83v-344c.json
+++ b/advisories/unreviewed/2026/05/GHSA-2f3m-j83v-344c/GHSA-2f3m-j83v-344c.json
@@ -1,23 +1,43 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-2f3m-j83v-344c",
- "modified": "2026-05-16T06:30:29Z",
+ "modified": "2026-05-16T06:30:40Z",
 "published": "2026-05-16T06:30:29Z",
 "aliases": [
 "CVE-2026-8656"
 ],
- "details": "Versions of the package jsondiffpatch before 0.7.6 are vulnerable to Cross-site Scripting (XSS) via the annotated formatter due to improper sanitization of JSON values and property names. If an application compares untrusted JSON/object data and renders annotated formatter output in the DOM, attacker-controlled HTML can be interpreted by the browser, resulting in XSS.",
+ "summary": "Cross-site Scripting (XSS) in jsondiffpatch Annotated Formatter",
+ "details": "### Summary\nVersions of the package `jsondiffpatch` before 0.7.6 are vulnerable to Cross-site Scripting (XSS) when using the annotated formatter. The vulnerability occurs because the annotated formatter component does not properly escape or sanitize JSON property names and property values before interpolating them into HTML strings intended for DOM insertion.\n\n### Impact\nIf an application accepts untrusted, user-controlled JSON or object data, compares it using `jsondiffpatch`, and renders the resulting diff using the annotated formatter in a browser context, an attacker can execute arbitrary JavaScript. By crafting a JSON payload containing malicious HTML tags or attributes (e.g., `