Impact
This vulnerability exists in versions of the jsondiffpatch JavaScript library older than 0.7.6. The annotated formatter component fails to sanitize JSON values and property names before rendering them into the browser DOM. An attacker can supply malicious JSON that contains embedded HTML or JavaScript, causing the formatter output to be processed as real markup and executing the injected code in the context of any user viewing the page. The weakness aligns with CWE‑79, which denotes Cross‑Site Scripting flaws.
Affected Systems
Any web application or front‑end project that uses the jsondiffpatch library and renders the annotated formatter output in a browser is susceptible. Versions of the library released prior to 0.7.6 are affected; releases 0.7.6 and later are not. The vendor is the open‑source jsondiffpatch project. No list of specific distributors or products is available, but the default library name should suffice to identify affected installations.
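One way to check a project against the version boundary above is to scan its parsed package-lock.json for jsondiffpatch entries older than 0.7.6. This is an added example, not code from the advisory or the jsondiffpatch project; the function names, the sample lockfile and the `diff-viewer` package in it are constructed for illustration.

```javascript
// Added example: flag jsondiffpatch installs older than the fixed release 0.7.6.
const FIXED = [0, 7, 6];

// Parse "x.y.z[-prerelease]" into { nums, pre }; null if the string is not a plain version.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+.*)?$/.exec(String(v).trim());
  return m ? { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: Boolean(m[4]) } : null;
}

// true when the version sorts before 0.7.6 (a prerelease of 0.7.6 counts as older),
// false when it is 0.7.6 or later, null when it cannot be parsed (review by hand).
function isAffected(version) {
  const p = parseVersion(version);
  if (!p) return null;
  for (let i = 0; i < 3; i++) {
    if (p.nums[i] !== FIXED[i]) return p.nums[i] < FIXED[i];
  }
  return p.pre;
}

// Walk a parsed lockfile: the v2/v3 "packages" map, or the v1 nested "dependencies" tree.
function findJsondiffpatch(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    // Matches top-level and nested copies, but not scoped look-alikes (@scope/jsondiffpatch).
    if (path === "node_modules/jsondiffpatch" || path.endsWith("/node_modules/jsondiffpatch")) {
      hits.push({ path, version: meta.version, affected: isAffected(meta.version) });
    }
  }
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${trail}${name}`;
      if (name === "jsondiffpatch") {
        hits.push({ path, version: meta.version, affected: isAffected(meta.version) });
      }
      walk(meta.dependencies, `${path} > `);
    }
  };
  if (!lock.packages) walk(lock.dependencies, ""); // avoid double-counting v2 lockfiles
  return hits;
}

// Constructed sample lockfile (not from a real project).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/jsondiffpatch": { version: "0.7.6" },
    "node_modules/diff-viewer/node_modules/jsondiffpatch": { version: "0.6.0" },
  },
};
console.log(findJsondiffpatch(sampleLock));
```

Nested copies pulled in by other dependencies are reported separately, since a patched top-level install does not replace them.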
Risk and Exploitability
The CVSS score of 5.1 indicates a medium‑severity vulnerability. No EPSS score is available, suggesting that the exploitation probability may not yet be well known, and the vulnerability is not currently listed in the CISA KEV catalog. This is a typical cross‑site scripting scenario that could be leveraged if an attacker can insert malicious JSON into a page that renders the annotated formatter output. The attack could arise from user‑controlled input that is diffed and displayed, or from a compromised script that generates JSON for the formatter. The impact is limited to the browser context and depends on whether the page allows privileged actions or could be tricked into revealing sensitive data. The overall risk is moderate, but mitigations should be applied promptly due to the ubiquity of JSON diffing in web applications.