CVE-2025-9910 MEDIUM

Vendor N/A
Product jsondiffpatch
Weakness CWE-79 · XSS
Published September 11, 2025
Last update September 11, 2025

CVSS base score

4.7/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction Required
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N/E:P

What the vulnerability does

01 Description

Versions of the package jsondiffpatch before 0.7.2 are vulnerable to Cross-site Scripting (XSS) via HtmlFormatter::nodeBegin. An attacker can inject malicious scripts into HTML payloads, which may lead to code execution if untrusted payloads are used as the source for the diff and the result is rendered using the built-in HTML formatter on a private website.

Key dates

02 Disclosure timeline

September 11, 2025 CVE published
September 11, 2025 Record updated