CVE-2026-22028
📋 TL;DR
A regression in Preact versions 10.26.5 through 10.28.1 weakens the JSON serialization protection, allowing specially crafted JSON payloads to be incorrectly treated as Virtual DOM nodes. This can lead to HTML injection and potential arbitrary script execution if an application passes unsanitized user data directly into its render tree. An application is vulnerable only if it meets all of the following conditions: it passes unmodified values from user-modifiable sources, it assumes those values are strings, and its data source returns JavaScript objects instead of JSON strings.
💻 Affected Systems
- Preact
📦 What is this software?
Preact by Preactjs
⚠️ Risk & Real-World Impact
Worst Case
Arbitrary script execution leading to complete compromise of user sessions, data theft, or malware distribution if CSP is not properly configured.
Likely Case
HTML injection leading to defacement, session hijacking, or limited script execution depending on application context and CSP restrictions.
If Mitigated
No impact if proper input validation, type checking, and Content Security Policy are implemented.
🎯 Exploit Status
Exploitation requires specific application patterns and data source manipulation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 10.26.10, 10.27.3, or 10.28.2
Vendor Advisory: https://github.com/preactjs/preact/security/advisories/GHSA-36hm-qxxp-pg3m
Restart Required: Yes
Instructions:
1. Identify the Preact version in package.json.
2. Update to a patched version: npm update preact@10.28.2 or the appropriate version for your release line.
3. Restart the application server.
4. Test application functionality.
🔧 Temporary Workarounds
Input Type Validation
Validate that values passed to Preact render functions are strings, not objects.
JSON String Sanitization
Ensure all JSON payloads are properly stringified before they are passed to Preact.
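The two workarounds above, enforced in one guard layer, as an added example that is not code from the advisory or from the Preact project; the function names (assertRenderableText, sanitizeUserValue, sanitizeRecord) are hypothetical and the sample record is constructed.

```javascript
// Added example, not code from the advisory or from the Preact project.
// It enforces the two workarounds above in one place: user-supplied values
// must reach the render tree as strings, never as parsed JSON objects.
// The function names are hypothetical.

// Strict guard for fields that must be plain text. Returns a string for
// primitives and throws for objects/arrays, which is what a JSON.parse'd
// payload is when the data source returns an object instead of a string.
function assertRenderableText(value, fieldName = "value") {
  if (typeof value === "string") return value;
  if (typeof value === "number" || typeof value === "boolean") return String(value);
  if (value === null || value === undefined) return "";
  const kind = Array.isArray(value) ? "array" : typeof value;
  throw new TypeError(`${fieldName}: expected a string, got ${kind}`);
}

// Lenient guard for display-only fields: instead of failing, an object is
// serialised back to a JSON string, so Preact renders it as text.
function sanitizeUserValue(value, fieldName = "value") {
  try {
    return assertRenderableText(value, fieldName);
  } catch (err) {
    if (!(err instanceof TypeError)) throw err;
    return JSON.stringify(value) ?? "";
  }
}

// Apply the lenient guard to every allowed field of a record that came from
// a user-modifiable source (API response, URL state, localStorage) before the
// record is spread into component props or used as children.
function sanitizeRecord(record, allowedFields) {
  const clean = {};
  for (const field of allowedFields) {
    clean[field] = sanitizeUserValue(record[field], field);
  }
  return clean;
}

// Constructed sample input: "bio" arrived as an already-parsed object rather
// than the string the component assumes.
const sampleRecord = { name: "alice", bio: { nested: "object" }, age: 31 };
const safeProps = sanitizeRecord(sampleRecord, ["name", "bio", "age"]);
// safeProps.bio is now the string '{"nested":"object"}' and can be rendered
// as text, e.g. h("p", null, safeProps.bio), without being mistaken for a VNode.
```

Use assertRenderableText at trust boundaries where a non-string is a bug worth surfacing, and sanitizeRecord where the page must still render.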
🧯 If You Can't Patch
- Implement strict Content Security Policy (CSP) to prevent script execution from injected HTML.
- Add input validation layers to ensure only string types are passed to Preact render functions.
🔍 How to Verify
Check if Vulnerable:
Check package.json for a Preact version between 10.26.5 and 10.28.1 (inclusive), and review the code for patterns that pass unsanitized user data to render functions.
Check Version:
npm list preact
Verify Fix Applied:
Verify Preact version is 10.26.10, 10.27.3, or 10.28.2 in package.json and node_modules.
📡 Detection & Monitoring
Log Indicators:
- Unexpected object types in render function parameters
- JSON parsing errors in user data processing
Network Indicators:
- Unusual JSON payloads containing complex objects instead of strings
SIEM Query:
Search for application errors related to 'VNode' or 'render' with object type mismatches.