Description
Vulnerability Type: HTML Injection via JSON Type Confusion
Affected Versions: Preact 10.26.5 through 10.28.1
Severity: Low to Medium (see below)
Recommendation
Update the preact package to the latest compatible version. Version details follow:
Affected version(s): **>= 10.28.0, < 10.28.2**; **>= 10.27.0, < 10.27.3**; **>= 10.26.5, < 10.26.10**
Patched version(s): **10.28.2**, **10.27.3**, **10.26.10**
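As an added example (not part of the advisory or of Preact's own code), the following Node.js script checks a package-lock.json for installed preact copies, including nested ones, that fall inside the affected ranges above. It assumes the lockfile v2/v3 `packages` layout; the function names and the sample lockfile are constructed for illustration.

```javascript
// Affected ranges from the advisory: [first affected, first patched) per release line.
const AFFECTED_RANGES = [
  { from: "10.26.5", fixed: "10.26.10" },
  { from: "10.27.0", fixed: "10.27.3" },
  { from: "10.28.0", fixed: "10.28.2" },
];

// Parse "major.minor.patch"; pre-release/build suffixes are ignored (assumption).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1).map(Number);
}

// Numeric compare, so 10.26.10 sorts after 10.26.5 (a string compare would not).
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

// Returns the patched version to move to, or null if the version is not affected.
function patchedVersionFor(version) {
  const hit = AFFECTED_RANGES.find(
    (r) => compareVersions(version, r.from) >= 0 && compareVersions(version, r.fixed) < 0
  );
  return hit ? hit.fixed : null;
}

// Check every installed copy of preact, including copies nested under other packages.
function findAffectedPreact(lockfile) {
  const findings = [];
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    if (!/(^|\/)node_modules\/preact$/.test(path)) continue;
    const fixed = patchedVersionFor(entry.version);
    if (fixed) findings.push({ path, version: entry.version, upgradeTo: fixed });
  }
  return findings;
}

// Constructed sample lockfile (not from a real project).
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "node_modules/preact": { version: "10.26.10" },
  "node_modules/widget-lib/node_modules/preact": { version: "10.27.1" },
  "node_modules/legacy-ui/node_modules/preact": { version: "10.26.4" },
  "node_modules/@preact/signals": { version: "2.0.0" },
} };
console.log(findAffectedPreact(SAMPLE_LOCK));
```

To scan a real project, pass the parsed contents of its package-lock.json to `findAffectedPreact` in place of the sample object.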
Related Issues
- @payloadcms/drizzle has SQL Injection in JSON/RichText Queries on PostgreSQL/SQLite Adapters - CVE-2026-25544
- Kysely has a MySQL SQL Injection via Backslash Escape Bypass in non-type-safe usage of JSON path keys. - CVE-2026-33442
- jsPDF has a PDF Object Injection via FreeText color - CVE-2026-31898
- jsPDF has HTML Injection in New Window paths - CVE-2026-31938
Tags: npm, preact
Last updated on January 08, 2026