Detections
Analytics
Linux Distros Unpatched Vulnerability : CVE-2026-22028
critical Nessus Plugin ID 282480
Language:
Synopsis
The Linux/Unix host has one or more packages installed with a vulnerability that the vendor indicates will not be patched.Description
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.- Preact, a lightweight web development framework, JSON serialization protection to prevent Virtual DOM elements from being constructed from arbitrary JSON. A regression introduced in Preact 10.26.5 caused this protection to be softened. In applications where values from JSON payloads are assumed to be strings and passed unmodified to Preact as children, a specially-crafted JSON payload could be constructed that would be incorrectly treated as a valid VNode. When this chain of failures occurs it can result in HTML injection, which can allow arbitrary script execution if not mitigated by CSP or other means. Applications using affected Preact versions are vulnerable if they meet all of the following conditions: first, pass unmodified, unsanitized values from user-modifiable data sources (APIs, databases, local storage, etc.) directly into the render tree; second assume these values are strings but the data source could return actual JavaScript objects instead of JSON strings; and third, the data source either fails to perform type sanitization AND blindly stores/returns raw objects interchangeably with strings, OR is compromised (e.g., poisoned local storage, filesystem, or database). Versions 10.26.10, 10.27.3, and 10.28.2 patch the issue.
The patch versions restore the previous strict equality checks that prevent JSON-parsed objects from being treated as valid VNodes. Other mitigations are available for those who cannot immediately upgrade.
Validate input types, cast or validate network data, sanitize external data, and use Content Security Policy (CSP). (CVE-2026-22028)
Note that Nessus relies on the presence of the package as reported by the vendor.
Solution
There is no known solution at this time.See Also
https://access.redhat.com/security/cve/cve-2026-22028
Plugin Details
Severity: Critical
ID: 282480
File Name: unpatched_CVE_2026_22028.nasl
Version: 1.4
Type: local
Agent: unix
Family: Misc.
Published: 1/8/2026
Updated: 1/10/2026
Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus
Risk Information
VPR
Risk Factor: Medium
Score: 6.7
CVSS v2
Risk Factor: Medium
Base Score: 6.8
Temporal Score: 5.8
Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSS Score Source: CVE-2026-22028
CVSS v3
Risk Factor: High
Base Score: 8.7
Temporal Score: 8
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:H
Temporal Vector: CVSS:3.0/E:U/RL:U/RC:C
CVSS v4
Risk Factor: Critical
Base Score: 9.2
Threat Score: 7.2
Threat Vector: CVSS:4.0/E:U
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Vulnerability Information
CPE: cpe:/o:debian:debian_linux:11.0, cpe:/o:canonical:ubuntu_linux:18.04:-:lts, cpe:/o:canonical:ubuntu_linux:20.04:-:lts, p-cpe:/a:redhat:enterprise_linux:polkit, p-cpe:/a:redhat:enterprise_linux:polkit-devel, p-cpe:/a:redhat:enterprise_linux:polkit-docs, p-cpe:/a:redhat:enterprise_linux:polkit-libs, cpe:/o:canonical:ubuntu_linux:22.04:-:lts, cpe:/o:redhat:enterprise_linux:9, cpe:/o:debian:debian_linux:12.0, cpe:/o:canonical:ubuntu_linux:24.04:-:lts, cpe:/o:debian:debian_linux:13.0, cpe:/o:canonical:ubuntu_linux:25.04, cpe:/o:debian:debian_linux:14.0, cpe:/o:canonical:ubuntu_linux:25.10, p-cpe:/a:debian:debian_linux:node-preact, p-cpe:/a:canonical:ubuntu_linux:node-preact
Required KB Items: Host/local_checks_enabled, Host/cpu, global_settings/vendor_unpatched, Host/OS/identifier
Exploit Ease: No known exploits are available
Vulnerability Publication Date: 1/7/2026
Reference Information
CVE: CVE-2026-22028