Preact has JSON VNode Injection issue
Vulnerability Type: HTML Injection via JSON Type Confusion
Affected Versions: Preact 10.26.5 through 10.28.1
Severity: Low to Medium (see below)
Versions of preact on prerelease tags alpha and beta are vulnerable to HTML injection. Due to insufficient input validation, the package allows attackers to inject JavaScript objects as virtual DOM nodes, which may lead to cross-site scripting (XSS). This requires user input parsed with JSON.parse() to be passed directly into JSX without sanitization. Upgrade to .
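The precondition above (a JSON.parse() result reaching JSX unchecked) can be closed at the application boundary regardless of library version. The following is an added example, not code from the advisory or from the Preact project; the names asText, parseProfile and ALLOWED_FIELDS and the profile fields are hypothetical.

```javascript
// Added example: type-check JSON-parsed values before they are used as JSX children.
// A JSX child such as <p>{profile.displayName}</p> should only ever receive text,
// so anything JSON.parse() turned into an object or array is rejected here.

// Return a string for primitives that are safe as a text child; throw otherwise.
function asText(value, field) {
  if (typeof value === 'string') return value;
  if (typeof value === 'number' && Number.isFinite(value)) return String(value);
  const kind = value === null ? 'null' : Array.isArray(value) ? 'array' : typeof value;
  throw new TypeError(`field "${field}" must be a string or number, got ${kind}`);
}

// Hypothetical allow-list of fields the component renders.
const ALLOWED_FIELDS = ['displayName', 'bio'];

// Parse untrusted JSON and return an object containing only allow-listed string fields.
function parseProfile(rawJson) {
  const parsed = JSON.parse(rawJson);
  if (parsed === null || typeof parsed !== 'object' || Array.isArray(parsed)) {
    throw new TypeError('profile must be a JSON object');
  }
  const clean = Object.create(null);
  for (const field of ALLOWED_FIELDS) {
    if (Object.prototype.hasOwnProperty.call(parsed, field)) {
      clean[field] = asText(parsed[field], field);
    }
  }
  return clean;
}

// Constructed sample inputs: one well-formed, one with an object where text is expected.
const okInput = '{"displayName": "alice", "bio": "hello", "extra": 1}';
const badInput = '{"displayName": {"unexpected": "object"}}';

// Run both inputs through the guard and collect the outcome of each.
function demo() {
  return [okInput, badInput].map((raw) => {
    try {
      return { ok: true, profile: parseProfile(raw) };
    } catch (err) {
      return { ok: false, error: err.message };
    }
  });
}

console.log(demo());
```

Rejections from this guard are worth logging, since an object arriving where a string is expected is a sign of the type confusion described above.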