CVE-2026-22028: CWE-843: Access of Resource Using Incompatible Type ('Type Confusion') in preactjs preact
Preact, a lightweight web development framework, has JSON serialization protection to prevent Virtual DOM elements from being constructed from arbitrary JSON. A regression introduced in Preact 10.26.5 caused this protection to be softened. In applications where values from JSON payloads are assumed to be strings and passed unmodified to Preact as children, a specially crafted JSON payload could be constructed that would be incorrectly treated as a valid VNode. When this chain of failures occurs it can result in HTML injection, which can allow arbitrary script execution if not mitigated by CSP or other means. Applications using affected Preact versions are vulnerable if they meet all of the following conditions: first, they pass unmodified, unsanitized values from user-modifiable data sources (APIs, databases, local storage, etc.) directly into the render tree; second, they assume these values are strings but the data source could return actual JavaScript objects instead of JSON strings; and third, the data source either fails to perform type sanitization AND blindly stores/returns raw objects interchangeably with strings, OR is compromised (e.g., poisoned local storage, filesystem, or database). Versions 10.26.10, 10.27.3, and 10.28.2 patch the issue. The patch versions restore the previous strict equality checks that prevent JSON-parsed objects from being treated as valid VNodes. Other mitigations are available for those who cannot immediately upgrade: validate input types, cast or validate network data, sanitize external data, and use Content Security Policy (CSP).
AI Analysis
Technical Summary
CVE-2026-22028 is a type confusion vulnerability classified under CWE-843 affecting the Preact JavaScript framework, a lightweight alternative to React used for building web interfaces. The vulnerability stems from a regression introduced in Preact version 10.26.5 that softened the JSON serialization protections designed to prevent Virtual DOM elements (VNodes) from being constructed from arbitrary JSON data. Normally, Preact expects children passed to its render tree to be strings or valid VNodes, but due to this regression, specially crafted JSON payloads can be interpreted incorrectly as valid VNodes. This occurs when applications take JSON payloads from user-controllable sources (APIs, databases, local storage) and pass them unmodified into the render tree, assuming these values are strings. If the data source returns actual JavaScript objects instead of strings and fails to sanitize or validate these types, or if the data source is compromised (e.g., poisoned local storage or database), the crafted payload can lead to HTML injection. This injection can escalate to arbitrary script execution if the application does not have effective Content Security Policy (CSP) or other script execution mitigations. The vulnerability affects Preact versions >=10.26.5 and <10.26.10, >=10.27.0 and <10.27.3, and >=10.28.0 and <10.28.2. The patched versions restore strict equality checks that prevent JSON-parsed objects from being treated as VNodes. While no known exploits are reported in the wild, the vulnerability poses a significant risk to web applications relying on vulnerable Preact versions and unsafe data handling practices.
Potential Impact
For European organizations, this vulnerability can lead to client-side code injection attacks, compromising the confidentiality and integrity of user data and potentially enabling cross-site scripting (XSS) attacks. This can result in session hijacking, credential theft, or distribution of malware via compromised web applications. Organizations in sectors with high web application usage—such as e-commerce, finance, healthcare, and government—are particularly at risk. The impact is heightened in environments where user data sources are not strictly sanitized or where legacy systems store mixed-type data. Additionally, the exploitation does not require user interaction or authentication, increasing the attack surface. The vulnerability could undermine trust in affected services and lead to regulatory penalties under GDPR if personal data is compromised. The lack of known exploits in the wild suggests limited immediate risk, but the ease of exploitation and high severity score indicate a strong need for prompt remediation.
Mitigation Recommendations
European organizations should prioritize upgrading Preact to versions 10.26.10, 10.27.3, or 10.28.2 to apply the official patches that restore strict type checking. For environments where immediate upgrade is not feasible, implement strict input validation and type checking on all data entering the render tree, ensuring that only strings or properly sanitized VNodes are passed. Sanitize and validate all user-controllable data sources, including APIs, databases, and local storage, to prevent injection of malicious objects. Employ Content Security Policy (CSP) headers with strict script-src directives to mitigate the impact of any injected scripts. Conduct thorough code reviews and audits to identify unsafe data handling patterns. Implement runtime monitoring for anomalous DOM manipulations or script injections. Educate development teams on secure coding practices related to client-side rendering frameworks. Finally, maintain an inventory of applications using Preact and verify their versions and data handling methods to assess exposure.
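The two mitigations above, checking installed versions against the affected ranges and gating the types of values before they become Preact children, as an added JavaScript example. This is not code from the advisory or from the Preact project; all function names are hypothetical, the version ranges are the ones the advisory lists, and the sample API response is constructed.

```javascript
// Added example, not part of the advisory or of the Preact project: two
// defensive checks corresponding to the advisory's mitigations. All function
// names here are hypothetical.

// --- 1. Exposure check: is an installed Preact version in an affected range? ---

// Parse "MAJOR.MINOR.PATCH" (an optional leading "v" and any pre-release
// suffix are ignored) into an array of three numbers.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unrecognised version string: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Returns -1, 0 or 1 like a comparator.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Ranges are [lower inclusive, upper exclusive), as stated in the advisory:
// >=10.26.5 <10.26.10, >=10.27.0 <10.27.3, >=10.28.0 <10.28.2.
const AFFECTED_RANGES = [
  ['10.26.5', '10.26.10'],
  ['10.27.0', '10.27.3'],
  ['10.28.0', '10.28.2'],
];

function isAffectedPreactVersion(version) {
  return AFFECTED_RANGES.some(
    ([lo, hi]) => compareVersions(version, lo) >= 0 && compareVersions(version, hi) < 0
  );
}

// --- 2. Type gate: only text-like primitives may become Preact children ---

// Returns a string for values Preact renders as text. Anything else, which
// includes every object JSON.parse can produce, is reported via onReject and
// replaced by the empty string so it never reaches the render tree.
function asTextChild(value, onReject) {
  if (value === null || value === undefined) return '';
  const t = typeof value;
  if (t === 'string') return value;
  if (t === 'number' || t === 'boolean' || t === 'bigint') return String(value);
  if (onReject) onReject(value);
  return '';
}

// Apply the gate to every field of a decoded JSON record that the UI treats
// as a string. Returns the cleaned record and a list of rejected fields,
// which is the signal a defender would want to log and alert on.
function sanitizeRecord(record, expectedStringKeys) {
  const rejected = [];
  const clean = {};
  for (const key of expectedStringKeys) {
    clean[key] = asTextChild(record[key], (v) =>
      rejected.push({ key, type: Array.isArray(v) ? 'array' : typeof v })
    );
  }
  return { clean, rejected };
}

// Constructed sample input: an API response in which `title` arrived as an
// object where the UI expected a string. (Sample data, not from the advisory.)
const SAMPLE_RESPONSE = JSON.parse(
  '{"title":{"unexpected":"object"},"author":"alice","views":42}'
);

function checkSample() {
  return sanitizeRecord(SAMPLE_RESPONSE, ['title', 'author', 'views']);
}

// In a component the cleaned values are then passed as children, e.g.
//   h('h1', null, checkSample().clean.title)
```

The `rejected` list is the detection hook: a string-typed field arriving as an object from an API, database or local storage is exactly the precondition the advisory describes, so it is worth logging even on patched versions. The gate is defence in depth; the patched Preact releases restore the strict equality checks on their side, but an application that coerces or rejects non-string children at the boundary does not depend on the framework for that guarantee.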
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain, Poland, Belgium, Finland
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-01-05T22:30:38.718Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 695fc0a3c901b06321f657fe
Added to database: 1/8/2026, 2:35:15 PM
Last enriched: 1/8/2026, 2:49:33 PM
Last updated: 1/9/2026, 11:04:39 AM