Preact
HTML injection in Preact and React through unsafe JSON deserialization allows remote attackers to inject arbitrary scripts when applications pass unsanitized user-controlled data as component children, with public exploit code already available. The vulnerability stems from a regression in Preact 10.26.5 that weakened protections against constructing Virtual DOM elements from malicious JSON payloads. Affected applications are vulnerable if they consume unvalidated external data without sanitization and lack additional mitigations like Content Security Policy.
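The mitigation the advisory points at is to never hand deserialized external data to a renderer as children without checking its shape. The following is an added example, not code from the advisory or from the Preact project: a fail-closed validator that accepts only primitives and arrays of primitives from untrusted JSON, so a plain object that happens to look like an element descriptor is rejected before it reaches React or Preact. `MAX_DEPTH` and the sample payloads are constructed for illustration.

```javascript
// Assumption: a defensive bound on nesting of children arrays.
const MAX_DEPTH = 8;

// True only for values the renderer can treat as text: null/undefined,
// strings, numbers, booleans, and arrays of those. Any plain object is
// rejected, because a deserialized object shaped like a virtual DOM node
// is exactly the vector the advisory describes.
function isSafeChild(value, depth = 0) {
  if (depth > MAX_DEPTH) return false;
  if (value === null || value === undefined) return true;
  const t = typeof value;
  if (t === 'string' || t === 'number' || t === 'boolean') return true;
  if (Array.isArray(value)) {
    return value.every((v) => isSafeChild(v, depth + 1));
  }
  return false;
}

// Parse JSON from an untrusted source and return children that can only be
// rendered as text. Throws instead of returning anything suspicious, so the
// caller fails closed rather than silently rendering an injected node.
function parseUntrustedChildren(json) {
  const data = JSON.parse(json);
  if (!isSafeChild(data)) {
    throw new TypeError('untrusted JSON contains non-primitive children');
  }
  return data;
}

// Constructed sample inputs (not real payloads).
const benignJson = JSON.stringify(['Hello, ', 'world', 42]);
const objectJson = JSON.stringify({ type: 'div', props: { children: 'x' } });

// Usage: components render parseUntrustedChildren(body) instead of the raw
// JSON.parse(body) result, e.g. <p>{parseUntrustedChildren(body)}</p>.
```

Pair this with a Content Security Policy; the validator removes the injection path the advisory describes, while CSP limits what an injected script could do if another path exists.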