Description
Preact, a lightweight web development framework, JSON serialization protection to prevent Virtual DOM elements from being constructed from arbitrary JSON. A regression introduced in Preact 10.26.5 caused this protection to be softened. In applications where values from JSON payloads are assumed to be strings and passed unmodified to Preact as children, a specially-crafted JSON payload could be constructed that would be incorrectly treated as a valid VNode. When this chain of failures occurs it can result in HTML injection, which can allow arbitrary script execution if not mitigated by CSP or other means. Applications using affected Preact versions are vulnerable if they meet all of the following conditions: first, pass unmodified, unsanitized values from user-modifiable data sources (APIs, databases, local storage, etc.) directly into the render tree; second assume these values are strings but the data source could return actual JavaScript objects instead of JSON strings; and third, the data source either fails to perform type sanitization AND blindly stores/returns raw objects interchangeably with strings, OR is compromised (e.g., poisoned local storage, filesystem, or database). Versions 10.26.10, 10.27.3, and 10.28.2 patch the issue. The patch versions restore the previous strict equality checks that prevent JSON-parsed objects from being treated as valid VNodes. Other mitigations are available for those who cannot immediately upgrade. Validate input types, cast or validate network data, sanitize external data, and use Content Security Policy (CSP).
Published: 2026-01-08
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting via JSON VNode injection leading to arbitrary script execution
Action: Immediate Patch
AI Analysis

Impact

Preact implements JSON serialization protection to guard against virtual‑dom elements constructed from arbitrary JSON. A regression introduced in version 10.26.5 relaxed that protection, allowing a specially crafted JSON payload to be interpreted as a valid VNode. If an application renders unsanitized values from user‑modifiable sources directly as children, the flaw can inject HTML that is then interpreted by the browser, enabling arbitrary script execution. The vulnerability is a type‑confusion flaw (CWE‑843) and results in a classic XSS vector.

Affected Systems

The Preact library, developed by preactjs, is affected. Versions beginning with 10.26.5 up to but not including 10.28.2 are vulnerable. The fix is applied in 10.26.10, 10.27.3, and 10.28.2. Any application using Preact within that range and feeding unvalidated JSON payloads into the render tree is at risk.

Risk and Exploitability

The CVSS score of 7.2 indicates high severity. The EPSS score is below 1 %, implying a low current exploitation probability. The vulnerability is not listed in CISA's KEV catalogue. Exploitation requires an attacker to supply or influence user‑modifiable data (e.g., via APIs, databases, or local storage) that contains objects instead of plain strings and is directly rendered by Preact. If all conditions are met, an attacker can inject arbitrary HTML and scripts, compromising confidentiality, integrity, and availability of the affected application.

Generated by OpenCVE AI on April 18, 2026 at 07:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Preact to version 10.26.10, 10.27.3, or 10.28.2 or newer.
  • Enable a strong Content‑Security‑Policy that blocks inline scripts and restricts script sources.
  • Validate and sanitize all external input before passing it to Preact: ensure values are strings, and reject or convert object payloads.

Generated by OpenCVE AI on April 18, 2026 at 07:41 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-36hm-qxxp-pg3m Preact has JSON VNode Injection issue
History

Mon, 12 Jan 2026 19:00:00 +0000

Type Values Removed Values Added
First Time appeared Preactjs
Preactjs preact
CPEs cpe:2.3:a:preactjs:preact:*:*:*:*:*:node.js:*:*
Vendors & Products Preactjs
Preactjs preact
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L'}

 cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Fri, 09 Jan 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L'}

threat_severity

Important

Thu, 08 Jan 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 08 Jan 2026 14:30:00 +0000

Type Values Removed Values Added
Description Preact, a lightweight web development framework, JSON serialization protection to prevent Virtual DOM elements from being constructed from arbitrary JSON. A regression introduced in Preact 10.26.5 caused this protection to be softened. In applications where values from JSON payloads are assumed to be strings and passed unmodified to Preact as children, a specially-crafted JSON payload could be constructed that would be incorrectly treated as a valid VNode. When this chain of failures occurs it can result in HTML injection, which can allow arbitrary script execution if not mitigated by CSP or other means. Applications using affected Preact versions are vulnerable if they meet all of the following conditions: first, pass unmodified, unsanitized values from user-modifiable data sources (APIs, databases, local storage, etc.) directly into the render tree; second assume these values are strings but the data source could return actual JavaScript objects instead of JSON strings; and third, the data source either fails to perform type sanitization AND blindly stores/returns raw objects interchangeably with strings, OR is compromised (e.g., poisoned local storage, filesystem, or database). Versions 10.26.10, 10.27.3, and 10.28.2 patch the issue. The patch versions restore the previous strict equality checks that prevent JSON-parsed objects from being treated as valid VNodes. Other mitigations are available for those who cannot immediately upgrade. Validate input types, cast or validate network data, sanitize external data, and use Content Security Policy (CSP).
Title Preact has JSON VNode Injection issue
Weaknesses CWE-843
References
Metrics cvssV4_0

{'score': 7.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U'}

Subscriptions

Preactjs Preact
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-08T15:55:06.321Z

Reserved: 2026-01-05T22:30:38.718Z

Link: CVE-2026-22028

cve-icon Vulnrichment

Updated: 2026-01-08T14:52:03.379Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-08T15:15:44.853

Modified: 2026-01-12T18:58:38.207

Link: CVE-2026-22028

cve-icon Redhat

Severity : Important

Publid Date: 2026-01-08T14:16:22Z

Links: CVE-2026-22028 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T07:45:24Z

Weaknesses