FKIE_CVE-2026-22028

Vulnerability from fkie_nvd - Published: 2026-01-08 15:15 - Updated: 2026-01-12 18:58
Summary
Preact, a lightweight web development framework, has a JSON serialization protection that prevents Virtual DOM elements (VNodes) from being constructed from arbitrary JSON. A regression introduced in Preact 10.26.5 softened this protection. In applications where values from JSON payloads are assumed to be strings and are passed unmodified to Preact as children, a specially crafted JSON payload can be constructed that is incorrectly treated as a valid VNode. When this chain of failures occurs it can result in HTML injection, which can allow arbitrary script execution if not mitigated by CSP or other means.

Applications using affected Preact versions are vulnerable only if they meet all of the following conditions:
  • they pass unmodified, unsanitized values from user-modifiable data sources (APIs, databases, local storage, etc.) directly into the render tree;
  • they assume these values are strings, but the data source could return actual JavaScript objects instead of strings; and
  • the data source either fails to perform type sanitization and blindly stores/returns raw objects interchangeably with strings, or is compromised (e.g., poisoned local storage, filesystem, or database).

Versions 10.26.10, 10.27.3, and 10.28.2 patch the issue by restoring the previous strict equality checks that prevent JSON-parsed objects from being treated as valid VNodes. For those who cannot upgrade immediately: validate input types, cast or validate network data, sanitize external data, and deploy a Content Security Policy (CSP). The weakness is classified as CWE-843 (type confusion). Note that the two scores on this page differ: NVD's CVSS v3.1 vector rates the issue 6.1 (Medium, user interaction required), while GitHub's CVSS v4.0 vector rates it 7.2 (High, with an attack precondition, AT:P, that corresponds to the conditions listed above).
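As an added example (not code from the Preact project or from the advisory), the following Node.js snippet shows the two mitigations the summary recommends for applications that cannot upgrade, validating JSON input at the trust boundary and coercing anything that must render as text, together with a dependency check built from the three affected version ranges listed on this page. The sample payloads are constructed; the object shape in poisonedProfile only illustrates "an object where a string was expected" and is not the advisory's proof of concept; asText, validateStringFields and isAffectedPreactVersion are names chosen for this example.

```javascript
// Added example for CVE-2026-22028; not code from the Preact project or the
// advisory. Function names and sample payloads are this example's own.

// Constructed sample data: the same "profile" record as a well-formed payload
// and as one where the data source returned a raw object in a field the
// application expects to be a string. The object shape is illustrative only.
const trustedProfile = JSON.stringify({ displayName: "alice" });
const poisonedProfile = JSON.stringify({
  displayName: { type: "b", props: { children: "not a string" } },
});

// The pattern the advisory warns about (illustrative, not runnable here):
// a JSON field assumed to be a string is handed straight to the renderer as
// a child, so an object-valued field reaches Preact unchecked.
//   const profile = JSON.parse(localStorage.getItem("profile"));
//   render(<span>{profile.displayName}</span>, root);

// Hardening 1: coerce anything that must render as text. Only primitives are
// accepted; objects, arrays, functions and null fall back to a known string,
// so no object can reach the render tree as a child through this path.
function asText(value, fallback = "") {
  if (typeof value === "string") return value;
  if (typeof value === "number" && Number.isFinite(value)) return String(value);
  if (typeof value === "boolean") return String(value);
  return fallback;
}

// Hardening 2: validate the whole record where JSON.parse output enters the
// application. Every field in `expected` must be a string; violations are
// returned so the caller can log and reject the record instead of rendering it.
function describeType(v) {
  if (v === null) return "null";
  if (Array.isArray(v)) return "array";
  return typeof v;
}
function validateStringFields(record, expected) {
  const errors = [];
  for (const field of expected) {
    const actual = describeType(record[field]);
    if (actual !== "string") errors.push(`${field}: expected string, got ${actual}`);
  }
  return errors;
}

// Dependency check built from the affected ranges listed on this page
// (start inclusive, end exclusive). Simplified semver: the numeric core is
// compared field by field, a prerelease sorts below its release, and
// prerelease tags are compared lexically.
const AFFECTED_RANGES = [
  ["10.26.5", "10.26.10"],
  ["10.27.0", "10.27.3"],
  ["10.28.0", "10.28.2"],
];
function parseVersion(v) {
  const dash = v.indexOf("-");
  const core = dash === -1 ? v : v.slice(0, dash);
  const pre = dash === -1 ? null : v.slice(dash + 1);
  return { nums: core.split(".").map(Number), pre };
}
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    const x = a.nums[i] || 0, y = b.nums[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  if (a.pre === b.pre) return 0;
  if (a.pre === null) return 1;
  if (b.pre === null) return -1;
  return a.pre < b.pre ? -1 : 1;
}
function isAffectedPreactVersion(version) {
  const v = parseVersion(version);
  return AFFECTED_RANGES.some(([lo, hi]) =>
    compareVersions(v, parseVersion(lo)) >= 0 && compareVersions(v, parseVersion(hi)) < 0);
}

// Usage: run the validator over both constructed payloads, then check a
// version string such as the one reported by `npm ls preact`.
for (const raw of [trustedProfile, poisonedProfile]) {
  const record = JSON.parse(raw);
  console.log(validateStringFields(record, ["displayName"]),
              JSON.stringify(asText(record.displayName, "<unknown>")));
}
console.log("10.26.9 affected:", isAffectedPreactVersion("10.26.9"));
console.log("10.26.10 affected:", isAffectedPreactVersion("10.26.10"));
```

The order matters: validation has to sit where parsed JSON enters the application, before any field is used as a child, because the regression is in what Preact accepts as a VNode, not in what JSON.parse produces. The version check covers only the three ranges on this page and should be paired with the upgrade itself; CSP remains the backstop that limits script execution if a VNode-shaped object does get rendered.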
Impacted products
Vendor    Product  Affected versions (CPE cpe:2.3:a:preactjs:preact:*:*:*:*:*:node.js:*:*)
preactjs  preact   >= 10.26.5, < 10.26.10 (fixed in 10.26.10)
preactjs  preact   >= 10.27.0, < 10.27.3 (fixed in 10.27.3)
preactjs  preact   >= 10.28.0, < 10.28.2 (fixed in 10.28.2)

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:preactjs:preact:*:*:*:*:*:node.js:*:*",
              "matchCriteriaId": "1DDBA9E9-C9AF-4A0C-A2B7-E2EA43E9DF0E",
              "versionEndExcluding": "10.26.10",
              "versionStartIncluding": "10.26.5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:preactjs:preact:*:*:*:*:*:node.js:*:*",
              "matchCriteriaId": "0E2DB796-AF49-4BCD-9D92-FDF44B81BA49",
              "versionEndExcluding": "10.27.3",
              "versionStartIncluding": "10.27.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:preactjs:preact:*:*:*:*:*:node.js:*:*",
              "matchCriteriaId": "FD739420-5F94-401E-8D6E-048B9EE0AAC4",
              "versionEndExcluding": "10.28.2",
              "versionStartIncluding": "10.28.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Preact, a lightweight web development framework, JSON serialization protection to prevent Virtual DOM elements from being constructed from arbitrary JSON. A regression introduced in Preact 10.26.5 caused this protection to be softened. In applications where values from JSON payloads are assumed to be strings and passed unmodified to Preact as children, a specially-crafted JSON payload could be constructed that would be incorrectly treated as a valid VNode. When this chain of failures occurs it can result in HTML injection, which can allow arbitrary script execution if not mitigated by CSP or other means. Applications using affected Preact versions are vulnerable if they meet all of the following conditions: first, pass unmodified, unsanitized values from user-modifiable data sources (APIs, databases, local storage, etc.) directly into the render tree; second assume these values are strings but the data source could return actual JavaScript objects instead of JSON strings; and third, the data source either fails to perform type sanitization AND blindly stores/returns raw objects interchangeably with strings, OR is compromised (e.g., poisoned local storage, filesystem, or database). Versions 10.26.10, 10.27.3, and 10.28.2 patch the issue. The patch versions restore the previous strict equality checks that prevent JSON-parsed objects from being treated as valid VNodes. Other mitigations are available for those who cannot immediately upgrade. Validate input types, cast or validate network data, sanitize external data, and use Content Security Policy (CSP)."
    }
  ],
  "id": "CVE-2026-22028",
  "lastModified": "2026-01-12T18:58:38.207",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.1,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ],
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "PRESENT",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 7.2,
          "baseSeverity": "HIGH",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "UNREPORTED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "NONE",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "NONE",
          "subIntegrityImpact": "NONE",
          "userInteraction": "NONE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "HIGH",
          "vulnConfidentialityImpact": "HIGH",
          "vulnIntegrityImpact": "HIGH",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-01-08T15:15:44.853",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Vendor Advisory",
        "Mitigation"
      ],
      "url": "https://github.com/preactjs/preact/security/advisories/GHSA-36hm-qxxp-pg3m"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "tags": [
        "Exploit",
        "Vendor Advisory",
        "Mitigation"
      ],
      "url": "https://github.com/preactjs/preact/security/advisories/GHSA-36hm-qxxp-pg3m"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-843"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}