Linux Distros Unpatched Vulnerability : CVE-2026-22028

Published: 08 Jan 2026 00:00:00
Reported by: Tenable
Type: nessus
Source: www.tenable.com

Linux hosts with unpatched Preact CVE-2026-22028 risk HTML injection from crafted JSON; patch fixes VNode checks.

Related entries (reporter (family): title, published):

Chainguard (cgr): CVE-2026-22028 vulnerabilities, 9 Jan 2026 07:17
Circl (circl): CVE-2026-22028, 8 Jan 2026 01:59
CNNVD (cnnvd): preact security vulnerability, 8 Jan 2026 00:00
CVE (cve): CVE-2026-22028, 8 Jan 2026 14:16
Cvelist (cvelist): CVE-2026-22028 Preact has JSON VNode Injection issue, 8 Jan 2026 14:16
Debian CVE (debiancve): CVE-2026-22028, 8 Jan 2026 14:16
EUVD (euvd): EUVD-2026-1184, 8 Jan 2026 14:16
Github Security Blog (github): Preact has JSON VNode Injection issue, 7 Jan 2026 19:28
NVD (nvd): CVE-2026-22028, 8 Jan 2026 15:15
OSV (osv): CGA-425F-R8VJ-44JJ, 9 Jan 2026 05:18

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(282480);
  script_version("1.11");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/05/22");

  script_cve_id("CVE-2026-22028");

  script_name(english:"Linux Distros Unpatched Vulnerability : CVE-2026-22028");

  script_set_attribute(attribute:"synopsis", value:
"The Linux/Unix host has one or more packages installed with a vulnerability that the vendor indicates will not be
patched.");
  script_set_attribute(attribute:"description", value:
"The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied
patch available.

  - Preact, a lightweight web development framework, JSON serialization protection to prevent Virtual DOM
    elements from being constructed from arbitrary JSON. A regression introduced in Preact 10.26.5 caused this
    protection to be softened. In applications where values from JSON payloads are assumed to be strings and
    passed unmodified to Preact as children, a specially-crafted JSON payload could be constructed that would
    be incorrectly treated as a valid VNode. When this chain of failures occurs it can result in HTML
    injection, which can allow arbitrary script execution if not mitigated by CSP or other means. Applications
    using affected Preact versions are vulnerable if they meet all of the following conditions: first, pass
    unmodified, unsanitized values from user-modifiable data sources (APIs, databases, local storage, etc.)
    directly into the render tree; second assume these values are strings but the data source could return
    actual JavaScript objects instead of JSON strings; and third, the data source either fails to perform type
    sanitization AND blindly stores/returns raw objects interchangeably with strings, OR is compromised (e.g.,
    poisoned local storage, filesystem, or database). Versions 10.26.10, 10.27.3, and 10.28.2 patch the issue.
    The patch versions restore the previous strict equality checks that prevent JSON-parsed objects from being
    treated as valid VNodes. Other mitigations are available for those who cannot immediately upgrade.
    Validate input types, cast or validate network data, sanitize external data, and use Content Security
    Policy (CSP). (CVE-2026-22028)

Note that Nessus relies on the presence of the package as reported by the vendor.");
  script_set_attribute(attribute:"see_also", value:"https://ubuntu.com/security/CVE-2026-22028");
  script_set_attribute(attribute:"solution", value:
"There is no known solution at this time.");
  script_set_attribute(attribute:"agent", value:"unix");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:U/RC:C");
  script_set_attribute(attribute:"cvss4_vector", value:"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N");
  script_set_attribute(attribute:"cvss4_threat_vector", value:"CVSS:4.0/E:P");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2026-22028");
  script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2026-22028");
  script_set_attribute(attribute:"cvss4_score_source", value:"CVE-2026-22028");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"vendor_unpatched", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2026/01/07");
  script_set_attribute(attribute:"plugin_publication_date", value:"2026/01/08");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:18.04:-:lts");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:20.04:-:lts");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:22.04:-:lts");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:24.04:-:lts");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:25.04");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:25.10");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:node-preact");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info2.nasl", "set_linux_os_id.nasl");
  script_require_keys("Host/cpu", "Host/local_checks_enabled", "global_settings/vendor_unpatched", "Host/OS/identifier");
  script_require_ports("Host/OS/Ubuntu Linux-18.04", "Host/OS/Ubuntu Linux-20.04", "Host/OS/Ubuntu Linux-22.04", "Host/OS/Ubuntu Linux-24.04", "Host/OS/Ubuntu Linux-25.04", "Host/OS/Ubuntu Linux-25.10");

  exit(0);
}

if (!get_kb_item("global_settings/vendor_unpatched")) exit(0, "Unpatched Vulnerabilities Detection not active.");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (empty_or_null(get_one_kb_item("Host/Debian/dpkg-l"))) audit(AUDIT_PACKAGE_LIST_MISSING);

include('linux_unpatched.inc');

var distro_constraints_array = {
  "Ubuntu Linux-18.04": {
    "package_manager": "dpkg-l",
    "constraints": [
      {
        "release": "18.04",
        "pkgs": [
          {"reference": "node-preact"}
        ]
      }
    ]
  },
  "Ubuntu Linux-20.04": {
    "package_manager": "dpkg-l",
    "constraints": [
      {
        "release": "20.04",
        "pkgs": [
          {"reference": "node-preact"}
        ]
      }
    ]
  },
  "Ubuntu Linux-22.04": {
    "package_manager": "dpkg-l",
    "constraints": [
      {
        "release": "22.04",
        "pkgs": [
          {"reference": "node-preact"}
        ]
      }
    ]
  },
  "Ubuntu Linux-24.04": {
    "package_manager": "dpkg-l",
    "constraints": [
      {
        "release": "24.04",
        "pkgs": [
          {"reference": "node-preact"}
        ]
      }
    ]
  },
  "Ubuntu Linux-25.04": {
    "package_manager": "dpkg-l",
    "constraints": [
      {
        "release": "25.04",
        "pkgs": [
          {"reference": "node-preact"}
        ]
      }
    ]
  },
  "Ubuntu Linux-25.10": {
    "package_manager": "dpkg-l",
    "constraints": [
      {
        "release": "25.10",
        "pkgs": [
          {"reference": "node-preact"}
        ]
      }
    ]
  }
};

var distro_constraints_values = linux_unpatched::get_distro_constraints(distro_constraints_arr:distro_constraints_array);
if (empty_or_null(distro_constraints_values)) audit(AUDIT_HOST_NOT, 'affected');
var report = linux_unpatched::check_unpatched_constraints(distro_constraints_values:distro_constraints_values);

if (!empty_or_null(report))
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_WARNING,
      extra      : report
  );
  exit(0);
}
else
{
  audit(AUDIT_HOST_NOT, 'affected');
}
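
The plugin above reports on the presence of node-preact alone, so a finding still has to be triaged against the version range in the description and paired with the "validate input types" mitigation. The following is an added example, not Tenable's or Preact's code; the helper names and the sample record are hypothetical, and it assumes release lines the description does not name are unaffected.

```javascript
// Added example: helper names are hypothetical, not Preact or Nessus APIs.
// Fixed releases named in the description, keyed by release line.
const FIXED_PATCH = { '10.26': 10, '10.27': 3, '10.28': 2 };
const REGRESSION_LINE = '10.26';
const REGRESSION_PATCH = 5; // regression introduced in 10.26.5

// Accepts npm versions ("10.27.1") and dpkg-style ones ("10.26.7+ds-1").
// Returns true/false, or null when the string cannot be parsed.
// Assumption: release lines the description does not name are unaffected
// (older ones predate the regression, newer ones carry the fix).
function isAffectedPreact(version) {
  const m = /^(?:\d+:)?(\d+)\.(\d+)\.(\d+)/.exec(String(version).trim());
  if (!m) return null;
  const line = `${m[1]}.${m[2]}`;
  const patch = Number(m[3]);
  if (!(line in FIXED_PATCH)) return false;
  if (line === REGRESSION_LINE && patch < REGRESSION_PATCH) return false;
  return patch < FIXED_PATCH[line];
}

// Mitigation "validate input types": only primitives that render as text are
// allowed to become children; objects and arrays from a data source are refused.
function asTextChild(value) {
  if (typeof value === 'string') return value;
  if (typeof value === 'number' && Number.isFinite(value)) return String(value);
  if (value == null || typeof value === 'boolean') return '';
  throw new TypeError(`expected text, got ${Array.isArray(value) ? 'array' : typeof value}`);
}

// Parse a JSON record and coerce the fields that will be rendered.
// Fields holding non-text values are dropped and reported for logging.
function sanitizeRecord(json, fields) {
  const record = JSON.parse(json);
  const clean = {};
  const rejected = [];
  for (const f of fields) {
    try {
      clean[f] = asTextChild(record[f]);
    } catch (err) {
      rejected.push(f);
    }
  }
  return { clean, rejected };
}

// Constructed sample: "bio" arrives as an object where a string was expected.
const SAMPLE = '{"name":"alice","age":30,"bio":{"unexpected":"object"}}';
console.log(isAffectedPreact('10.26.7+ds-1'), sanitizeRecord(SAMPLE, ['name', 'age', 'bio']));
```

Pass only the `clean` values into the render tree and log `rejected` field names, since a string field that suddenly holds an object is the condition the description warns about.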

22 May 2026 00:00 (current)
Medium risk: 6
Vulners AI Score: 6
CVSS 3.1: 6.1
CVSS 4: 9.2
EPSS: 0.00081
SSVC
0