CVE-2026-22028
HTML Injection vulnerability in preact (npm)

Weakness type: HTML Injection. Known public exploits: none.

What is CVE-2026-22028 About?

This HTML Injection vulnerability in Preact can lead to arbitrary script execution when an application passes data from a user-modifiable source straight into the render tree on the assumption that it is a string, while the source actually yields a JavaScript object such as parsed JSON. Exploitation requires an application that performs no type validation on that data and a data source the attacker can influence or compromise, which makes it moderately difficult.

Affected Software

  • preact
    • >=10.26.5, <10.26.10
    • >=10.27.0, <10.27.3
    • >=10.28.0, <10.28.2

Technical Details

Preact versions 10.26.5 through 10.28.1 contain a regression that weakens the protection against JSON injection, the check that keeps plain objects (such as the output of JSON.parse) from being treated as Virtual DOM nodes (VNodes). The weakness matters when an application passes unmodified, unsanitized values from a user-modifiable data source directly into the render tree, assuming they are strings, but the source returns actual JavaScript objects. If that source fails to enforce types or is compromised, a specially crafted JSON payload can be accepted as a valid VNode. This chain of failures yields HTML injection and, unless a Content Security Policy (CSP) blocks it, arbitrary script execution. preact-render-to-string is not affected. The issue is primarily an expanded attack surface: exploitation requires insecure API design or a compromised data source.
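The following is an added example for this advisory, not Preact's own source code. It models the property that lets Preact tell a real VNode from a JSON-shaped impostor, shows what a crafted payload does when that check is not applied, and shows the application-side type check that removes the risk on any version. createElement, looksLikeVNode, renderChild, coerceUntrusted and demo are hypothetical helpers written for this illustration; the payload is constructed.

```javascript
// Added example for this advisory, not Preact's own source code. It models the
// guard that keeps plain objects (such as the output of JSON.parse) out of the
// render tree and the application-side check that removes the risk on any
// version. createElement, looksLikeVNode, renderChild, coerceUntrusted and demo
// are hypothetical helpers written for this illustration.

// Preact's createElement() sets `constructor: undefined` on every VNode; an
// object from JSON.parse() inherits Object as its constructor instead. JSON has
// no way to express `undefined`, so a parsed payload can never pass this test.
function createElement(type, props, ...children) {
  return { type, props: { ...(props || {}), children }, constructor: undefined };
}

function looksLikeVNode(value) {
  return value !== null && typeof value === 'object' && value.constructor === undefined;
}

function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return text.replace(/[&<>"']/g, (c) => map[c]);
}

// Toy string renderer standing in for Preact's diff. `enforceGuard` models the
// difference between the VNode check being applied and being skipped for
// objects that merely look like VNodes.
function renderChild(child, enforceGuard) {
  if (child == null || typeof child === 'boolean') return '';
  if (typeof child === 'string' || typeof child === 'number') {
    return escapeHtml(String(child)); // text children are always escaped
  }
  if (Array.isArray(child)) {
    return child.map((c) => renderChild(c, enforceGuard)).join('');
  }
  if (enforceGuard && !looksLikeVNode(child)) return ''; // drop JSON-shaped impostors
  const { type, props = {} } = child;
  // dangerouslySetInnerHTML is Preact's real prop name; its __html is emitted
  // raw, which is exactly what an injected VNode abuses.
  const inner = props.dangerouslySetInnerHTML
    ? String(props.dangerouslySetInnerHTML.__html)
    : renderChild(props.children, enforceGuard);
  return `<${type}>${inner}</${type}>`;
}

// Application-side fix: never trust the runtime type of a value that came from
// a user-modifiable source. Anything that is not already a string becomes one.
function coerceUntrusted(value) {
  return typeof value === 'string' ? value : JSON.stringify(value);
}

// Constructed attacker payload: what a compromised API response or a tampered
// localStorage entry could hold where the application expected a plain string.
const PAYLOAD_JSON =
  '{"type":"div","props":{"dangerouslySetInnerHTML":{"__html":"<img src=x onerror=alert(1)>"}}}';

// Render the same untrusted value both ways as a child of a <p> element.
function demo(enforceGuard) {
  const untrusted = JSON.parse(PAYLOAD_JSON);
  return {
    raw: renderChild(createElement('p', null, untrusted), enforceGuard),
    coerced: renderChild(createElement('p', null, coerceUntrusted(untrusted)), enforceGuard),
  };
}

console.log('guard skipped :', demo(false).raw);    // injected <img onerror=...> lands in the page
console.log('guard enforced:', demo(true).raw);     // impostor dropped, leaving <p></p>
console.log('string-coerced:', demo(true).coerced); // payload shown as escaped text
```

The `coerceUntrusted` step is the part an application controls: it makes the rendered output independent of whether the library's VNode check is in force, so it is worth adding at every boundary where API responses, query parameters or storage values reach the render tree, in addition to upgrading.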

What is the Impact of CVE-2026-22028?

Successful exploitation lets an attacker inject arbitrary HTML into the rendered page, which amounts to cross-site scripting (XSS): script executes in the context of the victim's browser session and can be used for session hijacking, data theft, defacement, or further client-side attacks. A strict Content Security Policy can block the script execution but not the HTML injection itself.

What is the Exploitability of CVE-2026-22028?

Exploitation is conditional and requires several factors to align: the application must use an affected Preact version, it must pass unmodified and unsanitized user-modifiable data (assumed to be a string) directly to the render tree, and the data source must either lack type enforcement or be compromised. The injected payload itself needs no authentication, but the attacker must be able to influence the data source (for example, through an API it reads from). Privilege requirements therefore depend on that data source. The attack is remote when the data originates from an external API and local when it comes from tampered local storage. Further constraints are the need for a JSON payload with a specific VNode-like structure and the application's reliance on implicit string typing. Risk is higher in applications with lax input validation, insecure API design, or a data source that is easy to compromise.

What are the Known Public Exploits?

No known public exploits or proof-of-concept code.

What are the Available Fixes for CVE-2026-22028?

Available Upgrade Options

  • preact
    • >=10.26.5, <10.26.10 → Upgrade to 10.26.10
    • >=10.27.0, <10.27.3 → Upgrade to 10.27.3
    • >=10.28.0, <10.28.2 → Upgrade to 10.28.2


Additional Resources

What are Similar Vulnerabilities to CVE-2026-22028?

Similar Vulnerabilities: CVE-2023-38501, CVE-2023-3636, CVE-2023-33980, CVE-2023-33979, CVE-2023-28492