preactjs preact up to 10.26.9/10.27.2/10.28.1 JSON type confusion
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 6.0 | $0-$5k | 0.00 |
Summary
A vulnerability, rated critical by VulDB, was found in preactjs preact up to 10.26.9, 10.27.2 and 10.28.1. It affects the handling of JSON-derived values passed as children into the render tree (VulDB lists the component as JSON Handler) and results in type confusion. It is tracked as CVE-2026-22028. The attack can be executed remotely. No exploit is publicly available. Upgrading the affected component is advised.
Details
A vulnerability was found in preactjs preact up to 10.26.9, 10.27.2 and 10.28.1; VulDB classifies it as critical. The affected code is the check that decides whether a child handed to the renderer is a genuine VNode (VulDB lists the component as JSON Handler). A JSON value that the application assumes to be a string, but which actually parses to an object, can be accepted as a VNode. This is a type confusion, classified as CWE-843: the product allocates or initializes a resource such as a pointer, object, or variable using one type, but later accesses that resource using a type that is incompatible with the original type. The practical consequence is HTML injection into the rendered page, which can escalate to script execution unless a Content Security Policy or similar control blocks it, so confidentiality, integrity and availability are all affected. CVE summarizes:
Preact, a lightweight web development framework, has JSON serialization protection to prevent Virtual DOM elements from being constructed from arbitrary JSON. A regression introduced in Preact 10.26.5 caused this protection to be softened. In applications where values from JSON payloads are assumed to be strings and passed unmodified to Preact as children, a specially-crafted JSON payload could be constructed that would be incorrectly treated as a valid VNode. When this chain of failures occurs it can result in HTML injection, which can allow arbitrary script execution if not mitigated by CSP or other means. Applications using affected Preact versions are vulnerable if they meet all of the following conditions: first, pass unmodified, unsanitized values from user-modifiable data sources (APIs, databases, local storage, etc.) directly into the render tree; second, assume these values are strings but the data source could return actual JavaScript objects instead of JSON strings; and third, the data source either fails to perform type sanitization AND blindly stores/returns raw objects interchangeably with strings, OR is compromised (e.g., poisoned local storage, filesystem, or database). Versions 10.26.10, 10.27.3, and 10.28.2 patch the issue. The patch versions restore the previous strict equality checks that prevent JSON-parsed objects from being treated as valid VNodes. Other mitigations are available for those who cannot immediately upgrade. Validate input types, cast or validate network data, sanitize external data, and use Content Security Policy (CSP).
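The application-side mitigation the advisory lists (validate input types, cast or validate network data) as an added example in plain JavaScript. This is not Preact's code and not part of the advisory; the sample payload, the field names and the helper names (isTextLike, asText, validateRecord) are assumptions made for illustration. The vulnerable pattern is simply passing a JSON field straight into the tree, for example h("p", null, profile.bio); the helpers below guarantee that what reaches such a call is text, and they run without Preact installed.

```javascript
// Added example, not Preact's own code: validate values taken from a JSON
// payload before they are passed as children into the render tree. The
// render call itself (e.g. h("p", null, asText(profile.bio))) is omitted so
// this runs without Preact installed.

// Constructed sample payload standing in for an API, database or
// localStorage response. The application assumes "bio" is a string, but the
// data source has returned an object in its place.
const SAMPLE_PAYLOAD = JSON.stringify({
  name: "alice",
  age: 30,
  bio: { type: "img", props: { src: "x", onerror: "alert(1)" } },
});

// True for values that can only ever render as text (or as nothing):
// strings, finite numbers, booleans, null and undefined. Objects and arrays
// are excluded because JSON.parse can yield an object shaped like a VNode.
function isTextLike(value) {
  if (value === null || value === undefined) return true;
  const t = typeof value;
  return (
    t === "string" ||
    t === "boolean" ||
    (t === "number" && Number.isFinite(value))
  );
}

// Coerce a field that must be text. Anything that is not text-like is
// replaced by the fallback rather than passed through, so a crafted object
// never reaches the renderer as a child.
function asText(value, fallback = "") {
  if (value === null || value === undefined || !isTextLike(value)) {
    return fallback;
  }
  return String(value);
}

// Validate a record against the list of fields the application expects to
// be text. Returns the cleaned record plus the names of fields whose type
// violated that assumption, so callers can log or reject the payload.
function validateRecord(record, textFields) {
  const src =
    record && typeof record === "object" && !Array.isArray(record) ? record : {};
  const clean = {};
  const violations = [];
  for (const field of textFields) {
    const raw = src[field];
    if (!isTextLike(raw)) violations.push(field);
    clean[field] = asText(raw);
  }
  return { clean, violations };
}

// Parse the constructed payload and run the check: "bio" is reported as a
// violation and replaced by an empty string; "age" is coerced to "30".
function demo() {
  const record = JSON.parse(SAMPLE_PAYLOAD);
  return validateRecord(record, ["name", "age", "bio"]);
}

console.log(JSON.stringify(demo()));
```

Rejecting rather than stringifying the object is deliberate: JSON.stringify would render the attacker's structure as harmless text, but it also hides the fact that the data source is returning the wrong type, which is the condition the advisory says must hold for exploitation. Reporting the violation keeps that signal visible.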
The advisory is available at github.com. The identifier CVE-2026-22028 has been assigned to this issue since 01/05/2026. Exploitability is rated easy, and the attack can be launched remotely. Neither technical details nor a public exploit are available.
The vulnerability scanner Nessus provides a plugin with the ID 282480 (Linux Distros Unpatched Vulnerability : CVE-2026-22028), which helps to determine the existence of the flaw in a target environment.
Upgrading to version 10.26.10, 10.27.3 or 10.28.2 eliminates this vulnerability. Note that the CVE text attributes the regression to 10.26.5, while the version list on this page also covers 10.26.0 through 10.26.4; treat every 10.26.x release before 10.26.10 as needing the update, and confirm the version actually resolved in the application (for example with npm ls preact) rather than relying on the declared range alone.
The vulnerability is also documented in the vulnerability database at Tenable (282480). Once again VulDB remains the best source for vulnerability data.
Product
Vendor: preactjs
Name: preact
Version
- 10.26.0
- 10.26.1
- 10.26.2
- 10.26.3
- 10.26.4
- 10.26.5
- 10.26.6
- 10.26.7
- 10.26.8
- 10.26.9
- 10.27.0
- 10.27.1
- 10.27.2
- 10.28.0
- 10.28.1
Website
- Product: https://github.com/preactjs/preact/
CVSSv3
VulDB Meta Base Score: 6.3
VulDB Meta Temp Score: 6.0
VulDB Base Score: 6.3
VulDB Temp Score: 6.0
Exploiting
Class: Type confusion
CWE: CWE-843
Physical: No
Local: No
Remote: Yes
Status: Not defined
Nessus ID: 282480
Nessus Name: Linux Distros Unpatched Vulnerability : CVE-2026-22028
Countermeasures
Recommended: Upgrade
Upgrade: preact 10.26.10/10.27.3/10.28.2
Timeline
01/05/2026 CVE reserved
01/08/2026 Advisory disclosed
01/08/2026 VulDB entry created
01/09/2026 VulDB entry last update
Sources
Product: github.com
Advisory: github.com
Status: Confirmed
CVE: CVE-2026-22028
GCVE (CVE): GCVE-0-2026-22028
GCVE (VulDB): GCVE-100-340116
Entry
Created: 01/08/2026 16:06
Updated: 01/09/2026 13:09
Changes: 01/08/2026 16:06 (68), 01/09/2026 06:23 (2), 01/09/2026 13:09 (1)