Description
Vulnerability Type: HTML Injection via JSON Type Confusion
Affected Versions: Preact 10.26.5 through 10.28.1
Severity: Low to Medium (see below)
Recommendation
Update the preact package to the latest compatible version. Version details:
- Affected version(s): **>= 10.28.0, < 10.28.2**; **>= 10.27.0, < 10.27.3**; **>= 10.26.5, < 10.26.10**
- Patched version(s): **10.28.2**, **10.27.3**, **10.26.10**
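To find every installed copy of preact, including ones nested under other dependencies, the following added example (not part of the advisory or of Preact) checks an npm lockfile against the ranges listed above. It assumes the lockfile v2/v3 `packages` layout; the sample lockfile and the `some-widget` package are constructed for illustration.

```javascript
// Affected ranges copied from the advisory: >= min, < fixed.
const AFFECTED = [
  { min: [10, 26, 5], fixed: [10, 26, 10] },
  { min: [10, 27, 0], fixed: [10, 27, 3] },
  { min: [10, 28, 0], fixed: [10, 28, 2] },
];

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]"; returns null if malformed.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/.exec(String(v).trim());
  return m ? { core: [Number(m[1]), Number(m[2]), Number(m[3])], pre: Boolean(m[4]) } : null;
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Returns the patched version to upgrade to, or null if outside every affected range.
function patchedFor(version) {
  const p = parseVersion(version);
  if (!p) throw new Error(`unparseable version: ${version}`);
  for (const r of AFFECTED) {
    // In semver ordering a prerelease sorts before its release, so a prerelease
    // of `min` is below the range and a prerelease of `fixed` is still inside it.
    const aboveMin = cmp(p.core, r.min) > 0 || (cmp(p.core, r.min) === 0 && !p.pre);
    const belowFix = cmp(p.core, r.fixed) < 0 || (cmp(p.core, r.fixed) === 0 && p.pre);
    if (aboveMin && belowFix) return r.fixed.join(".");
  }
  return null;
}

// Report every preact entry in the lockfile that falls in an affected range.
function findAffectedPreact(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    // Match ".../node_modules/preact" only, not preact-* or @scope/preact.
    if (!/(^|\/)node_modules\/preact$/.test(path) || !entry.version) continue;
    const fix = patchedFor(entry.version);
    if (fix) findings.push({ path, installed: entry.version, upgradeTo: fix });
  }
  return findings;
}

// Constructed sample lockfile fragment (hypothetical packages and versions).
const sampleLock = { lockfileVersion: 3, packages: {
  "": { name: "demo-app" },
  "node_modules/preact": { version: "10.28.2" },
  "node_modules/some-widget/node_modules/preact": { version: "10.27.1" },
  "node_modules/preact-render-to-string": { version: "6.5.0" },
}};
console.log(findAffectedPreact(sampleLock));
```

A nested copy pinned by another dependency is reported with its lockfile path, which shows which parent package has to be updated or overridden.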
References
Tags: npm, preact
Last updated on January 08, 2026