CVE-2026-22028
HTML Injection via JSON Deserialization Flaw in Preact VNode Rendering

Publication date: 2026-01-08

Last updated on: 2026-01-08

Assigner: GitHub, Inc.

Description
Preact, a lightweight web development framework, includes a JSON serialization protection that prevents Virtual DOM elements (VNodes) from being constructed from arbitrary JSON. A regression introduced in Preact 10.26.5 softened this protection. In applications where values from JSON payloads are assumed to be strings and are passed unmodified to Preact as children, a specially crafted JSON payload could be constructed that is incorrectly treated as a valid VNode. When this chain of failures occurs it can result in HTML injection, which can allow arbitrary script execution if not mitigated by CSP or other means.

Applications using affected Preact versions are vulnerable only if they meet all of the following conditions:

1. They pass unmodified, unsanitized values from user-modifiable data sources (APIs, databases, local storage, etc.) directly into the render tree.
2. They assume these values are strings, but the data source could return actual JavaScript objects instead of JSON strings.
3. The data source either fails to perform type sanitization and blindly stores and returns raw objects interchangeably with strings, or is compromised (e.g., poisoned local storage, filesystem, or database).

Versions 10.26.10, 10.27.3, and 10.28.2 patch the issue by restoring the previous strict equality checks that prevent JSON-parsed objects from being treated as valid VNodes. For those who cannot upgrade immediately, other mitigations are available: validate input types, cast or validate network data before it is rendered, sanitize external data, and use a Content Security Policy (CSP).
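The boundary check the description recommends, as an added example that is not code from Preact or from this advisory: every JSON-sourced value that a component will render as text is validated as a string before it reaches the render tree, so an object arriving where a string was promised is rejected rather than handed to Preact as a child. The response payloads, the profile schema and the helper names (`asText`, `parseProfile`, `validateResponse`) are constructed for illustration. The `isJsonObject` helper relies on a fact about Preact that the advisory does not spell out: VNodes built by `createElement` carry an own `constructor: undefined` property, whereas every object produced by `JSON.parse` has `constructor === Object`, and the renderer uses that difference to refuse JSON-shaped objects.

```javascript
// Added example; not Preact's code and not code from the advisory.
// Goal: make it impossible for a JSON-sourced object to be passed to the
// render tree where the component expects a string.

// Background fact about Preact (not taken from the advisory): VNodes built by
// createElement carry an own property `constructor: undefined`, while every
// object produced by JSON.parse has `constructor === Object`. This helper
// identifies the JSON side of that distinction.
function isJsonObject(value) {
  return typeof value === 'object' && value !== null && value.constructor === Object;
}

// Coerce a value that a component will render as text into a string, or
// reject it. Primitives are stringified; null/undefined become the empty
// string; arrays and objects are refused instead of being passed through.
function asText(value, field) {
  switch (typeof value) {
    case 'string':
      return value;
    case 'number':
    case 'boolean':
    case 'bigint':
      return String(value);
    case 'undefined':
      return '';
    case 'object':
      if (value === null) return '';
      throw new TypeError(
        `${field}: expected a string, got ${Array.isArray(value) ? 'an array' : 'an object'}`
      );
    default:
      throw new TypeError(`${field}: unsupported value of type ${typeof value}`);
  }
}

// Hypothetical contract for a user-profile endpoint: which fields are
// rendered as text and which are numeric.
const PROFILE_SCHEMA = { displayName: 'text', bio: 'text', karma: 'number' };

// Parse and validate a response body. Every 'text' field in the returned
// object is guaranteed to be a string, so passing it as a child is safe
// regardless of what the data source actually stored.
function parseProfile(jsonText) {
  const raw = JSON.parse(jsonText);
  if (!isJsonObject(raw)) throw new TypeError('profile: expected a JSON object');
  const profile = {};
  for (const [field, kind] of Object.entries(PROFILE_SCHEMA)) {
    const v = raw[field];
    if (kind === 'text') {
      profile[field] = asText(v, field);
    } else if (typeof v === 'number' && Number.isFinite(v)) {
      profile[field] = v;
    } else {
      throw new TypeError(`${field}: expected a finite number`);
    }
  }
  return profile;
}

// Constructed inputs: a well-formed response, and one from a poisoned data
// source that returns an object where the contract promised a string.
const GOOD_RESPONSE = JSON.stringify({ displayName: 'alice', bio: 'hi', karma: 7 });
const POISONED_RESPONSE = JSON.stringify({
  displayName: { nested: 'object where a string was expected' },
  bio: 'hi',
  karma: 7,
});

// Returns 'ok' when the payload passes validation and 'rejected' when a
// field has the wrong type, so the outcome can be checked without rendering.
function validateResponse(jsonText) {
  try {
    parseProfile(jsonText);
    return 'ok';
  } catch (err) {
    if (err instanceof TypeError) return 'rejected';
    throw err; // malformed JSON (SyntaxError) is a different failure
  }
}
```

The validator sits at the data boundary, not inside components: once `parseProfile` has returned, the rest of the application can pass `profile.displayName` as a child without caring whether the underlying store was poisoned, and the same check protects code paths that an upgrade of Preact alone would not (for example data that is later interpolated into markup by other means).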
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-01-08
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (4 associated CPEs)
Vendor   Product   Version / Range
preact   preact    10.26.5 (inclusive) to 10.28.1 (inclusive)
preact   preact    10.26.10
preact   preact    10.27.3
preact   preact    10.28.2
Note: the three single-version entries are the patched releases named in the description, not additional affected versions. Two of them, 10.26.10 and 10.27.3, fall numerically inside the 10.26.5 to 10.28.1 range, so a plain range comparison against that range would misreport them as affected; check per minor line (10.26.x fixed at 10.26.10, 10.27.x at 10.27.3, 10.28.x at 10.28.2).
CWE
CWE-843 (Access of Resource Using Incompatible Type, 'Type Confusion'): The product allocates or initializes a resource such as a pointer, object, or variable using one type, but it later accesses that resource using a type that is incompatible with the original type. Here the incompatible type is a plain object parsed from JSON that the renderer treats as a VNode.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability in Preact versions 10.26.5 through 10.28.1 is caused by a regression that weakened JSON serialization protections. It allows specially crafted JSON payloads containing JavaScript objects, instead of expected strings, to be incorrectly interpreted as valid Virtual DOM nodes (VNodes). This happens when applications pass unmodified, unsanitized user-controllable data directly into the render tree, assuming the data are strings. The result can be HTML injection, potentially leading to arbitrary script execution if not mitigated by Content Security Policy (CSP) or other defenses. [1]


How can this vulnerability impact me?

If exploited, this vulnerability can lead to HTML injection and arbitrary script execution within affected applications. This can compromise the security of the application and its users by allowing attackers to run malicious scripts, potentially leading to data theft, session hijacking, or other malicious activities. The vulnerability requires insecure API design or compromised data sources to be exploitable. [1]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection involves identifying if your application uses affected Preact versions (10.26.5 through 10.28.1) and whether it passes unmodified, unsanitized user-controllable data assumed to be strings directly into the render tree. You can check your installed Preact version using npm commands such as 'npm list preact' or 'npm ls preact'. Additionally, audit your application code for places where JSON payloads are parsed and passed to Preact without type validation or sanitization. There are no specific network commands provided for detection, but reviewing logs or monitoring for unusual HTML injection or script execution behavior may help identify exploitation attempts. [1]


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include upgrading Preact to patched versions 10.26.10, 10.27.3, or 10.28.2 which restore strict equality checks preventing JSON-parsed objects from being treated as valid VNodes. If upgrading is not immediately possible, implement strict input validation to reject arbitrary objects, enforce strict type contracts at API boundaries, cast or validate network data before rendering, sanitize all external data sources, and apply a strict Content Security Policy (CSP) to prevent inline script execution. [1]

