Description
Vulnerability Type: HTML Injection via JSON Type Confusion
Affected Versions: Preact 10.26.5 through 10.28.1
Severity: Low to Medium (see below)
Recommendation
Update the preact package to the latest compatible version. The version details are as follows:
Affected version(s):
- **>= 10.28.0, < 10.28.2**
- **>= 10.27.0, < 10.27.3**
- **>= 10.26.5, < 10.26.10**

Patched version(s):
- **10.28.2**
- **10.27.3**
- **10.26.10**
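To check a project against the ranges above, the following added example (not part of the advisory or of the Preact project) scans an npm lockfile for every installed copy of preact, including nested ones, and reports the patched version for each affected copy. The function names and the sample lockfile are constructed for illustration, and pre-release suffixes are ignored as a simplifying assumption.

```javascript
// Added example: ranges and patched versions are copied from this advisory; sample data is constructed.
const AFFECTED = [
  { min: "10.26.5", fixed: "10.26.10" },
  { min: "10.27.0", fixed: "10.27.3" },
  { min: "10.28.0", fixed: "10.28.2" },
];

// Parse "major.minor.patch" into numbers; pre-release/build suffixes are ignored (assumption).
function parse(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  return m ? m.slice(1).map(Number) : null;
}

// Numeric compare so that 10.26.10 sorts after 10.26.5 (a string compare gets this wrong).
function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Returns the patched version for an affected release, or null if not affected.
function fixFor(version) {
  const v = parse(version);
  if (!v) return null;
  for (const r of AFFECTED) {
    if (cmp(v, parse(r.min)) >= 0 && cmp(v, parse(r.fixed)) < 0) return r.fixed;
  }
  return null;
}

// Walk an npm lockfile (v2/v3 "packages" map), including nested copies of preact.
function findAffected(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!/(^|\/)node_modules\/preact$/.test(path)) continue;
    const fixed = fixFor(meta.version || "");
    if (fixed) hits.push({ path, version: meta.version, fixed });
  }
  return hits;
}

// Constructed sample lockfile, not taken from a real project.
const sampleLock = { packages: {
  "": { name: "demo-app" },
  "node_modules/preact": { version: "10.28.2" },
  "node_modules/widget/node_modules/preact": { version: "10.26.9" },
  "node_modules/preact-render-to-string": { version: "6.5.0" },
} };

console.log(findAffected(sampleLock));
```

In a real project, pass the parsed contents of `package-lock.json` to `findAffected` in place of `sampleLock`.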
References
Related Issues
- yii2-mcp-server has a Command Injection Issue - CVE-2026-7600
- WebdriverIO BrowserStack Service has a Command Injection issue - CVE-2026-25244
- @payloadcms/drizzle has SQL Injection in JSON/RichText Queries on PostgreSQL/SQLite Adapters - CVE-2026-25544
- Kysely has a MySQL SQL Injection via Backslash Escape Bypass in non-type-safe usage of JSON path keys. - CVE-2026-33442
Tags: npm, preact
Last updated on January 08, 2026


