7.2

CVSS Score

4.0

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2026-22028

CVE-2026-22028: Preact has JSON VNode Injection issue

Preact, a lightweight web development framework, JSON serialization protection to prevent Virtual DOM elements from being constructed from arbitrary JSON. A regression introduced in Preact 10.26.5 caused this protection to be softened. In applications where values from JSON payloads are assumed to be strings and passed unmodified to Preact as children, a specially-crafted JSON payload could be constructed that would be incorrectly treated as a valid VNode. When this chain of failures occurs it can result in HTML injection, which can allow arbitrary script execution if not mitigated by CSP or other means. Applications using affected Preact versions are vulnerable if they meet all of the following conditions: first, pass unmodified, unsanitized values from user-modifiable data sources (APIs, databases, local storage, etc.) directly into the render tree; second assume these values are strings but the data source could return actual JavaScript objects instead of JSON strings; and third, the data source either fails to perform type sanitization AND blindly stores/returns raw objects interchangeably with strings, OR is compromised (e.g., poisoned local storage, filesystem, or database). Versions 10.26.10, 10.27.3, and 10.28.2 patch the issue. The patch versions restore the previous strict equality checks that prevent JSON-parsed objects from being treated as valid VNodes. Other mitigations are available for those who cannot immediately upgrade. Validate input types, cast or validate network data, sanitize external data, and use Content Security Policy (CSP).

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2026-22028

CVE-2026-22028:

7.2

CVSS Score

4.0

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
preact	npm	>= 10.26.5, < 10.26.10	10.26.10
preact	npm	>= 10.27.0, < 10.27.3	10.27.3
preact	npm	>= 10.28.0, < 10.28.2	10.28.2

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability lies in Preact's handling of VNodes (Virtual DOM elements). The core issue is a type confusion vulnerability caused by the use of loose equality checks (== and !=) instead of strict equality checks (=== and !==) when validating VNodes. The advisory states that a regression softened the protection against constructing VNodes from arbitrary JSON. The patch restores these strict equality checks.

By analyzing the commits that patch the vulnerability, I identified the exact locations where these weak checks were replaced. The patch 37c3e030ab19337f10d32cd49d1c3d14e102d890 modifies three key functions:

isValidElement in src/create-element.js: This function is responsible for checking if an object is a valid Preact element. The change from == to === ensures that only objects with a constructor that is strictly undefined (as set by Preact's createElement function) are considered valid VNodes.
diff in src/diff/index.js: This is a central function in Preact's rendering process. It contained a check newVNode.constructor != UNDEFINED to reject invalid VNodes. Changing this to !== prevents crafted objects from bypassing this guard.
constructNewChildrenArray in src/diff/children.js: This function, used during the diffing of child elements, also contained a loose equality check on the constructor property. The fix to use === prevents an attacker-controlled object from being treated as a cloneable VNode.

An attacker could exploit this by providing a JSON payload with a crafted object where a string was expected. If the application does not sanitize this input, Preact would incorrectly interpret this object as a VNode due to the loose equality checks, leading to potential HTML injection and cross-site scripting (XSS). The identified functions are the exact points in the code where this flawed validation occurred.

Vulnerable functions

isValidElement

src/create-element.js

The `isValidElement` function used a loose equality check (`==`) to validate if a given `vnode` is a valid Preact element. This could be bypassed by a crafted JSON object with a `constructor` property that coerces to `undefined`, leading to a type confusion vulnerability where a plain object is treated as a VNode.

diff

src/diff/index.js

The `diff` function used a loose inequality check (`!=`) to ensure that a `newVNode` is a valid VNode before proceeding with the diffing process. This check was insufficient and could be bypassed by a crafted object, allowing a non-VNode to be processed, leading to potential HTML injection.

constructNewChildrenArray

src/diff/children.js

Within the `constructNewChildrenArray` function, a check to identify and clone an existing VNode used a loose equality check (`==`) on `childVNode.constructor`. This allowed a crafted object to be misidentified as a valid, reusable VNode, contributing to the overall type confusion vulnerability.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

7.2

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2026-22028: Preact has JSON VNode Injection issue

CVE-2026-22028:

7.2

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Basic Information

Basic Information

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

7.2

7.2

CVE-2026-22028: Preact has JSON VNode Injection issue

Technical Details

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI