SCA: security update for preact (GHSA-36hm-qxxp-pg3m)

critical Tenable Cloud Security Plugin ID 436603

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Preact, a lightweight web development framework, includes JSON serialization protection to prevent Virtual
DOM elements from being constructed from arbitrary JSON. A regression introduced in Preact 10.26.5 softened
this protection. In applications where values from JSON payloads are assumed to be strings and are passed
unmodified to Preact as children, a specially crafted JSON payload could be incorrectly treated as a valid
VNode. When this chain of failures occurs it can result in HTML injection, which can allow arbitrary script
execution if not mitigated by CSP or other means. Applications using affected Preact versions are vulnerable
only if they meet all of the following conditions: first, they pass unmodified, unsanitized values from
user-modifiable data sources (APIs, databases, local storage, etc.) directly into the render tree; second,
they assume these values are strings while the data source could return actual JavaScript objects instead
of JSON strings; and third, the data source either fails to perform type sanitization AND blindly
stores/returns raw objects interchangeably with strings, OR is compromised (e.g., poisoned local storage,
filesystem, or database). Versions 10.26.10, 10.27.3, and 10.28.2 patch the issue by restoring the previous
strict equality checks that prevent JSON-parsed objects from being treated as valid VNodes. Other
mitigations are available for those who cannot immediately upgrade: validate input types, cast or validate
network data, sanitize external data, and use Content Security Policy (CSP). (CVE-2026-22028)
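The "validate input types" mitigation above, as an added example that is not Tenable's or Preact's own code. It assumes a hypothetical application that reads a JSON payload and expects certain fields to be strings before handing them to the render tree; fields that arrive as objects are rejected rather than passed through, so a non-string value can never reach Preact as a child. The schema helper `validateFields` and the sample payload are constructed for illustration.

```javascript
// Constructed sample payload: "title" is the string the app expects, but
// "comment" arrives as an object (the failure mode described in the advisory).
const SAMPLE_PAYLOAD = JSON.stringify({
  title: "Release notes",
  comment: { text: "not a string" }, // object where a string was assumed
  count: 3,
});

// Coerce a value into something safe to render as a text child.
// Only primitives are accepted; objects, arrays, functions, null and undefined
// are replaced with the fallback instead of being forwarded to the renderer.
function asText(value, fallback = "") {
  if (typeof value === "string") return value;
  if (typeof value === "number" || typeof value === "boolean") return String(value);
  return fallback;
}

// Check a parsed JSON object against an expected schema of
// field name -> typeof result ("string" | "number" | "boolean").
// Returns the fields that matched and a list of type errors for the rest;
// mismatched fields are dropped, never silently passed along.
function validateFields(obj, schema) {
  const out = {};
  const errors = [];
  for (const [key, expected] of Object.entries(schema)) {
    const v = obj == null ? undefined : obj[key];
    const actual = v === null ? "null" : Array.isArray(v) ? "array" : typeof v;
    if (actual === expected) out[key] = v;
    else errors.push(`${key}: expected ${expected}, got ${actual}`);
  }
  return { out, errors };
}

// Parse a payload and validate it before any of it reaches the render tree.
// The caller would render `out.title` and `out.comment` (when present) as
// children; anything that failed validation is reported via `errors`.
function loadPayload(json) {
  let parsed;
  try {
    parsed = JSON.parse(json);
  } catch (e) {
    return { out: {}, errors: [`invalid JSON: ${e.message}`] };
  }
  return validateFields(parsed, { title: "string", comment: "string", count: "number" });
}
```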

See Also

https://github.com/advisories/GHSA-36hm-qxxp-pg3m

Plugin Details

Severity: Critical

ID: 436603

Version: Revision 1.120

Type: Local

Family: SCA Checks

Published: 1/7/2026

Updated: 6/30/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 2.3

Percentile: 9.42

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: Medium

Base Score: 6.4

Temporal Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N

CVSS Score Source: CVE-2026-22028

CVSS v3

Risk Factor: Medium

Base Score: 6.1

Temporal Score: 5.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS v4

Risk Factor: Critical

Base Score: 9.2

Threat Score: 8.2

Threat Vector: CVSS:4.0/E:P

Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 1/7/2026

Vulnerability Publication Date: 1/7/2026

Reference Information

CVE: CVE-2026-22028

CWE: CWE-843