CVE-2026-8657: jsondiffpatch Prototype Pollution Poses High Risk
The National Vulnerability Database has published details on CVE-2026-8657, a high-severity Prototype Pollution vulnerability affecting versions of the jsondiffpatch package prior to 0.7.6. This flaw, rated with a CVSS score of 8.2, stems from the jsondiffpatch.patch() and jsondiffpatch/formatters/jsonpatch.patch() APIs.
Attackers can exploit this by injecting crafted delta or JSON Patch documents. The vulnerability arises because attacker-controlled property names and path segments are used to traverse and modify objects without restricting access to special properties like __proto__ or constructor.prototype. This allows for direct modification of Object.prototype, a critical vector for arbitrary code execution or denial-of-service in JavaScript applications.
For defenders, this is a clear-cut library update. Any application using jsondiffpatch is a potential target. The attacker’s calculus here is simple: find an exposed endpoint that processes jsondiffpatch data, then inject malicious __proto__ modifications to gain control. This isn’t theoretical; Prototype Pollution vulnerabilities consistently lead to serious compromises in real-world scenarios.
What This Means For You
- If your application stack includes the `jsondiffpatch` package, you are directly exposed to CVE-2026-8657. Immediately audit your dependencies and upgrade `jsondiffpatch` to version 0.7.6 or later. This isn't a vulnerability to defer – Prototype Pollution can lead to full system compromise.
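As an added example (not code from the advisory or from the jsondiffpatch project), the application-level control that complements the upgrade: reject delta and JSON Patch documents whose keys or pointer segments name `__proto__`, `constructor` or `prototype` before they reach the patch API, and confirm afterwards that `Object.prototype` gained no properties. The `safePatch` wrapper, its `applyFn`/`kind` parameters and the sample documents are assumptions constructed for this illustration.

```javascript
// Added example (not the advisory's or jsondiffpatch's code): defence in depth for
// untrusted patch input. Reject documents naming prototype-related keys, apply the
// patch via the caller-supplied function, then confirm Object.prototype is unchanged.
const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);

// Split an RFC 6902 JSON pointer into unescaped segments ('~1' -> '/', '~0' -> '~').
function pointerSegments(path) {
  if (typeof path !== 'string' || path === '') return [];
  if (path[0] !== '/') throw new Error('invalid JSON pointer: ' + path);
  return path.slice(1).split('/').map(s => s.replace(/~1/g, '/').replace(/~0/g, '~'));
}

// jsondiffpatch deltas are nested objects keyed by property name; array leaves hold
// values that are assigned, not traversed, so only object keys are checked.
function forbiddenKeysInDelta(delta, found = [], trail = '') {
  if (delta === null || typeof delta !== 'object' || Array.isArray(delta)) return found;
  for (const key of Object.keys(delta)) { // JSON.parse makes "__proto__" an own key
    const here = trail + '/' + key;
    if (FORBIDDEN.has(key)) found.push(here);
    forbiddenKeysInDelta(delta[key], found, here);
  }
  return found;
}

// JSON Patch operations traverse the target via 'path' (and 'from' for move/copy).
function forbiddenInJsonPatch(ops) {
  const found = [];
  ops.forEach((op, i) => {
    for (const field of ['path', 'from']) {
      if (pointerSegments(op[field]).some(seg => FORBIDDEN.has(seg))) {
        found.push(`op[${i}].${field}=${op[field]}`);
      }
    }
  });
  return found;
}

// Hypothetical wrapper: kind is 'delta' or 'jsonpatch'; applyFn is the real patch
// function (jsondiffpatch.patch or formatters/jsonpatch.patch), never run on tainted input.
function safePatch(target, doc, applyFn, kind) {
  const bad = kind === 'jsonpatch' ? forbiddenInJsonPatch(doc) : forbiddenKeysInDelta(doc);
  if (bad.length) throw new Error('rejected patch naming prototype keys: ' + bad.join(', '));
  const before = Object.getOwnPropertyNames(Object.prototype).join(',');
  const result = applyFn(target, doc);
  if (Object.getOwnPropertyNames(Object.prototype).join(',') !== before) {
    throw new Error('Object.prototype changed during patch');
  }
  return result;
}
```

The post-patch check is a tripwire, not a substitute for the pre-check: by the time it fires the global prototype has already been altered, so treat it as an incident signal and fail the request.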
🛡️ Detection Rules
```yaml
title: 'CVE-2026-8657: jsondiffpatch Prototype Pollution via crafted delta'
id: scw-2026-05-16-ai-1
status: experimental
level: high
description: |
  Detects attempts to exploit CVE-2026-8657 by sending requests containing '__proto__' within the URI query parameters, indicative of a prototype pollution attempt targeting the jsondiffpatch library. This rule specifically looks for the presence of '/jsondiffpatch' in the URI and '__proto__' in the query string, which are key indicators of this vulnerability exploitation.
author: SCW Feed Engine (AI-generated)
date: 2026-05-16
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-8657/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    cs-uri|contains:
      - '/jsondiffpatch'
    cs-uri-query|contains:
      - '__proto__'
  condition: selection
falsepositives:
  - Legitimate administrative activity
```
Indicators of Compromise
| CVE | Weakness | Affected component |
|---|---|---|
| CVE-2026-8657 | Prototype Pollution | jsondiffpatch package versions before 0.7.6 |
| CVE-2026-8657 | Prototype Pollution | jsondiffpatch.patch() API |
| CVE-2026-8657 | Prototype Pollution | jsondiffpatch/formatters/jsonpatch.patch() API |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 16, 2026 at 09:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.