CVE-2026-22028

Preact, a lightweight web development framework, JSON serialization protection to prevent Virtual DOM elements from being constructed from arbitrary JSON. A regression introduced in Preact 10.26.5 caused this protection to be softened. In applications where values from JSON payloads are assumed t...

CVE-2026-22028 Preact has JSON VNode Injection issue

Preact, a lightweight web development framework, JSON serialization protection to prevent Virtual DOM elements from being constructed from arbitrary JSON. A regression introduced in Preact 10.26.5 caused this protection to be softened. In applications where values from JSON payloads are assumed t...

CVE-2026-22028

CVE-2026-22028 affects Preact where a regression in 10.26.5 weakened JSON serialization protection, allowing JSON payloads to be mis-parsed as valid VNodes and potentially leading to HTML injection and script execution if CSP or other mitigations are not in place. Affected versions include 10.26....

GHSA-36HM-QXXP-PG3M Preact has JSON VNode Injection issue

Impact Vulnerability Type: HTML Injection via JSON Type Confusion Affected Versions: Preact 10.26.5 through 10.28.1 Severity: Low to Medium see below Who is Impacted? Applications using affected Preact versions are vulnerable if they meet all of the following conditions: 1. Pass unmodified,...