Home > Vulnerability Database > CVE-2025-9910

Mend.io Vulnerability Database

CVE-2025-9910

Good to know:

Date: September 11, 2025

Versions of the package jsondiffpatch before 0.7.2 are vulnerable to Cross-site Scripting (XSS) via HtmlFormatter::nodeBegin. An attacker can inject malicious scripts into HTML payloads that may lead to code execution if untrusted payloads were used as source for the diff, and the result renderer using the built-in html formatter on a private website.

Severity Score

4.7

Related Resources (6)

Url: https://github.com/benjamine/jsondiffpatch/commit/0e374b5dd8d7879b329a9fc18affbd46ad50dd14

Url: https://benjamine.github.io/jsondiffpatch/index.html

Url: https://github.com/benjamine/jsondiffpatch

Url: https://github.com/benjamine/jsondiffpatch/issues/383

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-9910

Url: https://www.mend.io/vulnerability-database/CVE-2025-9910

Severity Score

4.7

Weakness Type (CWE)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-79

Top Fix

Upgrade Version

Upgrade to version jsondiffpatch - 0.7.2;jsondiffpatch - 0.7.2;jsondiffpatch - 0.7.2;jsondiffpatch - 0.7.2

Learn More

CVSS v3.1

Base Score:	4.7
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	HIGH
Privileges Required (PR):	NONE
User Interaction (UI):	REQUIRED
Scope (S):	CHANGED
Confidentiality (C):	LOW
Integrity (I):	LOW
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2025-9910

Good to know:

Date: September 11, 2025

Severity Score

Related Resources (6)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?