PT-2026-2136 · Preact+1

Xvezda · Published 2026-01-07 · Updated 2026-01-08

CVE-2026-22028

CVSS v4.0: 7.2 High
Vector: AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U
Name of the Vulnerable Software and Affected Versions

Preact versions 10.26.5 through 10.26.9
Preact versions 10.27.0 through 10.27.2
Preact versions 10.28.0 through 10.28.1
Description

Preact, a lightweight web development framework, has an issue with its JSON serialization protection. A regression introduced in version 10.26.5 softened this protection, potentially allowing Virtual DOM elements to be constructed from arbitrary JSON. If an application passes unmodified, unsanitized values from a user-modifiable data source (such as an API, a database, or local storage) directly into the render tree, and those values are assumed to be strings but are actually JavaScript objects, a specially crafted JSON payload can be treated as a valid VNode. This can lead to HTML injection and, if not mitigated by a Content Security Policy (CSP) or other measures, to arbitrary script execution. The issue arises when the data source fails to perform type sanitization or is itself compromised.
Recommendations

Preact versions 10.26.5 through 10.26.9 should be upgraded to version 10.26.10.
Preact versions 10.27.0 through 10.27.2 should be upgraded to version 10.27.3.
Preact versions 10.28.0 through 10.28.1 should be upgraded to version 10.28.2.

Validate input types to ensure data conforms to the expected format.
Cast or validate network data before using it in the render tree.
Sanitize external data to remove potentially harmful characters or code.
Implement a Content Security Policy (CSP) to mitigate the risk of script execution.
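As an added illustration of the "validate input types" and "cast or validate network data" recommendations (example code written for this page, not part of the advisory and not Preact's own code), the following JavaScript models the type gate an application should place between an untrusted JSON source and the render tree. The helper names, the field schema and the sample records are constructed for illustration; the actual Preact h()/render() call is not modelled, only the check that decides which values are allowed to reach it.

```javascript
// Added example (not Preact's code): enforce "this value is a string"
// before external data reaches the render tree.
// Assumptions: helper names, the field schema and the sample API records
// below are constructed for this illustration; JSON.parse stands in for
// the fetch().json() call an application would make.

// Return the value only if it is a primitive that is safe to render as text.
// Anything else (objects, arrays, functions) is rejected rather than being
// handed to h()/render(), so a crafted object can never be mistaken for a VNode.
function asRenderableText(value, field) {
  if (typeof value === "string") return value;
  if (typeof value === "number" && Number.isFinite(value)) return String(value);
  if (value === null || value === undefined) return "";
  throw new TypeError(`field "${field}" must be a string, got ${typeof value}`);
}

// Validate every expected field of an untrusted record against a schema of
// string-typed fields. Unknown fields are dropped; a wrong-typed field causes
// the whole record to be rejected.
function validateRecord(raw, stringFields) {
  if (raw === null || typeof raw !== "object" || Array.isArray(raw)) {
    throw new TypeError("record must be a JSON object");
  }
  const clean = {};
  for (const field of stringFields) {
    clean[field] = asRenderableText(raw[field], field);
  }
  return clean;
}

// The gate in front of the render call: parse, validate, and return the
// list of children (all strings) that would be passed on to the view.
function safeChildren(rawJson, stringFields) {
  const record = validateRecord(JSON.parse(rawJson), stringFields);
  return stringFields.map((f) => record[f]);
}

// Constructed sample input: a benign API record, and one where a field the
// UI assumes is a string is actually an object.
const BENIGN = JSON.stringify({ title: "Hello", author: "alice" });
const MISTYPED = JSON.stringify({ title: { unexpected: true }, author: "alice" });

// Exercise both paths; returns what the view would receive and whether the
// mistyped record was rejected before rendering.
function demo() {
  const ok = safeChildren(BENIGN, ["title", "author"]);
  let rejected = false;
  try {
    safeChildren(MISTYPED, ["title", "author"]);
  } catch (e) {
    rejected = e instanceof TypeError;
  }
  return { ok, rejected };
}

console.log(demo());
```

The check is deliberately an allow-list on type: a field is either a string (or a finite number coerced to one) or the record is rejected, so an upgrade of Preact and this gate together cover both the regression and the underlying assumption that API data is always text.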

Weakness Enumeration

Type Confusion

Related Identifiers

CVE-2026-22028
GHSA-36HM-QXXP-PG3M

Affected Products

Debian
Preact