
CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-22028: Preact's Identity Crisis: When JSON Becomes Code

Vulnerability ID: CVE-2026-22028
CVSS Score: 9.2
Published: 2026-01-07

A critical HTML injection vulnerability in Preact allows attackers to bypass Virtual DOM protections by feeding specially crafted JSON objects into the render tree. Because the malicious JSON mimics the internal structure of a Virtual Node (VNode), Preact interprets it as a real DOM element, leading to Cross-Site Scripting (XSS).

TL;DR

Preact versions 10.26.5 through 10.28.1 introduced a regression that weakened the distinction between trusted Virtual DOM nodes and plain JavaScript objects. Attackers can supply a JSON payload that looks like a VNode (e.g., containing type, props, and __v), causing Preact to render it as a real HTML element with arbitrary attributes (like onerror). This turns any unvalidated JSON input passed to a render function into a potential Remote Code Execution vector via XSS.

⚠️ Exploit Status: POC

Technical Details

  • CWE: CWE-79 (XSS) / CWE-843 (Type Confusion)
  • CVSS v4.0: 9.2 (Critical)
  • Attack Vector: Network (JSON Payload)
  • Privileges Required: None
  • User Interaction: None (Passive rendering)
  • Exploit Status: PoC Available

Affected Systems

  • preact >= 10.26.5, < 10.26.10 (fixed in 10.26.10)
  • preact >= 10.27.0, < 10.27.3 (fixed in 10.27.3)
  • preact >= 10.28.0, < 10.28.2 (fixed in 10.28.2)

Mitigation Strategies

  • Update Preact to patched versions immediately.
  • Enforce a strict schema on API responses before rendering (e.g., Zod, Joi), so that object-valued fields can never stand in for text.
  • Explicitly coerce variable children to strings before passing them to render.
  • Deploy Content Security Policy (CSP) to restrict inline script execution.

Remediation Steps

  1. Check current version: npm list preact
  2. Run update: npm update preact
  3. Verify installation of 10.26.10, 10.27.3, or 10.28.2.
  4. Audit codebase for direct rendering of API-derived variables without verification.
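The following is an added example, not code from the advisory or from Preact, showing the two defensive measures above in working form: a coercion helper that only lets primitive values through as text children, and an audit helper that walks a decoded API response and reports any object whose keys (type, props, __v, as named in the TL;DR) make it look like a VNode. The sample response and its field names are constructed for illustration.

```javascript
// Added example: defensive handling of API-derived values before they reach a
// Preact render tree. Not code from the advisory or from Preact itself.

// Keys that, together, make a plain JSON object resemble a Preact VNode
// (the advisory names type, props and __v).
const VNODE_LIKE_KEYS = ["type", "props", "__v"];

// True when an untrusted plain object carries all VNode-shaped keys.
function looksLikeVNode(value) {
  if (value === null || typeof value !== "object" || Array.isArray(value)) return false;
  return VNODE_LIKE_KEYS.every((k) => Object.prototype.hasOwnProperty.call(value, k));
}

// Coerce an untrusted value into a text child: strings, finite numbers and
// booleans become strings, null/undefined become "", and any object or array
// is rejected so a VNode-shaped payload can never be handed to render().
function toTextChild(value) {
  if (typeof value === "string") return value;
  if (typeof value === "number" && Number.isFinite(value)) return String(value);
  if (typeof value === "boolean") return String(value);
  if (value == null) return "";
  const why = looksLikeVNode(value) ? " (VNode-shaped object)" : "";
  throw new TypeError(`refusing to render non-primitive child${why}`);
}

// Audit helper for remediation step 4: walk a decoded JSON payload and return
// the paths of every VNode-shaped object, so reviewers can see which API
// fields must not be rendered without coercion.
function findVNodeShapedValues(payload, path = "$") {
  const hits = [];
  if (looksLikeVNode(payload)) hits.push(path);
  if (payload !== null && typeof payload === "object") {
    for (const [key, child] of Object.entries(payload)) {
      hits.push(...findVNodeShapedValues(child, `${path}.${key}`));
    }
  }
  return hits;
}

// Constructed sample standing in for an API response (not real data).
const SAMPLE_RESPONSE = {
  displayName: "alice",
  bio: { type: "img", props: {}, __v: 1 }, // VNode-shaped object smuggled in JSON
};

// Usage: flag suspicious fields, then render only coerced text.
const suspicious = findVNodeShapedValues(SAMPLE_RESPONSE); // ["$.bio"]
const safeName = toTextChild(SAMPLE_RESPONSE.displayName); // "alice"
```

Running the audit over real responses during the codebase review in step 4 gives a concrete list of fields to wrap in toTextChild or to reject at the schema layer.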

Read the full report for CVE-2026-22028 on our website for more details including interactive diagrams and full exploit analysis.
