CVE-2026-22028 (CNNVD-202601-1461)

HIGH
中文标题:
preact 安全漏洞
英文标题:
Preact has JSON VNode Injection issue
CVSS分数: 7.2
发布时间: 2026-01-08 14:16:22
漏洞类型: 其他
状态: PUBLISHED
数据质量分数: 0.40
数据版本: v4
漏洞描述
中文描述:

preact是Preact开源的一个Java库。 preact 10.26.5版本存在安全漏洞,该漏洞源于JSON序列化保护减弱,可能导致HTML注入。

英文描述:

Preact, a lightweight web development framework, JSON serialization protection to prevent Virtual DOM elements from being constructed from arbitrary JSON. A regression introduced in Preact 10.26.5 caused this protection to be softened. In applications where values from JSON payloads are assumed to be strings and passed unmodified to Preact as children, a specially-crafted JSON payload could be constructed that would be incorrectly treated as a valid VNode. When this chain of failures occurs it can result in HTML injection, which can allow arbitrary script execution if not mitigated by CSP or other means. Applications using affected Preact versions are vulnerable if they meet all of the following conditions: first, pass unmodified, unsanitized values from user-modifiable data sources (APIs, databases, local storage, etc.) directly into the render tree; second assume these values are strings but the data source could return actual JavaScript objects instead of JSON strings; and third, the data source either fails to perform type sanitization AND blindly stores/returns raw objects interchangeably with strings, OR is compromised (e.g., poisoned local storage, filesystem, or database). Versions 10.26.10, 10.27.3, and 10.28.2 patch the issue. The patch versions restore the previous strict equality checks that prevent JSON-parsed objects from being treated as valid VNodes. Other mitigations are available for those who cannot immediately upgrade. Validate input types, cast or validate network data, sanitize external data, and use Content Security Policy (CSP).

CWE类型:
CWE-843
标签:
(暂无数据)
受影响产品
厂商 产品 版本 版本范围 平台 CPE
preactjs preact >= 10.26.5, < 10.26.10 - - cpe:2.3:a:preactjs:preact:>=_10.26.5,_<_10.26.10:*:*:*:*:*:*:*
preactjs preact >= 10.27.0, < 10.27.3 - - cpe:2.3:a:preactjs:preact:>=_10.27.0,_<_10.27.3:*:*:*:*:*:*:*
preactjs preact >= 10.28.0, < 10.28.2 - - cpe:2.3:a:preactjs:preact:>=_10.28.0,_<_10.28.2:*:*:*:*:*:*:*
preactjs preact * - - cpe:2.3:a:preactjs:preact:*:*:*:*:*:node.js:*:*
解决方案
中文解决方案:
(暂无数据)
英文解决方案:
(暂无数据)
临时解决方案:
(暂无数据)
参考链接
https://github.com/preactjs/preact/security/advisories/GHSA-36hm-qxxp-pg3m x_refsource_CONFIRM
cve.org
访问
CVSS评分详情
4.0 (cna)
HIGH
7.2
CVSS向量: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U
机密性
HIGH
完整性
HIGH
可用性
HIGH
后续系统影响 (Subsequent):
机密性
NONE
完整性
NONE
可用性
NONE
时间信息
发布时间:
2026-01-08 14:16:22
修改时间:
2026-01-08 15:55:06
创建时间:
2026-01-12 02:12:38
更新时间:
2026-01-16 02:48:21
利用信息
暂无可利用代码信息
数据源详情
数据源 记录ID 版本 提取时间
CVE cve_CVE-2026-22028 2026-01-09 02:02:08 2026-01-12 02:12:38
NVD nvd_CVE-2026-22028 2026-01-09 03:00:10 2026-01-12 02:28:17
CNNVD cnnvd_CNNVD-202601-1461 2026-01-11 06:15:11 2026-01-12 02:38:14
版本与语言
当前版本: v4
主要语言: EN
支持语言:
EN ZH
安全公告
暂无安全公告信息
变更历史
v4 NVD
2026-01-13 06:36:22
affected_products_count: 3 → 4
查看详细变更
  • affected_products_count: 3 -> 4
v3 CNNVD
2026-01-12 02:38:14
vulnerability_type: 未提取 → 其他; cnnvd_id: 未提取 → CNNVD-202601-1461; data_sources: ['cve', 'nvd'] → ['cnnvd', 'cve', 'nvd']
查看详细变更
  • vulnerability_type: 未提取 -> 其他
  • cnnvd_id: 未提取 -> CNNVD-202601-1461
  • data_sources: ['cve', 'nvd'] -> ['cnnvd', 'cve', 'nvd']
v2 NVD
2026-01-12 02:28:17
data_sources: ['cve'] → ['cve', 'nvd']
查看详细变更
  • data_sources: ['cve'] -> ['cve', 'nvd']