VDB
CVE-2026-22028
CVE-2026-22028
PUBLISHED
CVSS 7.199999809265137 HIGH
Preact has JSON VNode Injection issue
EPSS 0.06% · 18.9th percentile
Risk Scores
CVSS 4.0
7.199999809265137
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U
EPSS Score
0.06%
18.9th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| npm | preact | 10.27.0, 10.28.0, 10.26.5 |
| preactjs | preact | 10.26.5, >= 10.26.5, < 10.26.10, 10.28.0 |
Exploit Intelligence
- CIRCL seen: CVE-2026-22028 (circl-sighting)
- CIRCL seen: CVE-2026-22028 (circl-sighting)
- CIRCL seen: CVE-2026-22028 (circl-sighting)
- https://github.com/preactjs/preact/security/advisories/GHSA-36hm-qxxp-pg3m (cve.org)
Timeline
- Jan 7, 2026 CVE Published
- Jan 8, 2026 CVE Updated
- Jan 8, 2026 PoC Published
- Jan 9, 2026 EPSS Score
- Jan 12, 2026 EPSS Score
- Jan 15, 2026 EPSS Score
- Jan 15, 2026 PoC Published
- Jan 18, 2026 EPSS Score
- Jan 22, 2026 EPSS Score
- Jan 24, 2026 PoC Published
- Jan 25, 2026 EPSS Score
- Jan 28, 2026 EPSS Score