CVE-2026-31860 — Cross-site Scripting in Unhead

CWE-79 — Cross-site Scripting CWE-184 — Incomplete List of Disallowed Inputs6 documents4 sources

Severity

5.3MEDIUMNVD

EPSS

0.0%

top 98.10%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Unjs Unhead

Timeline

PublishedMar 12

Latest updateApr 9

Description

Unhead is a document head and template manager. Prior to 2.1.11, useHeadSafe() can be bypassed to inject arbitrary HTML attributes, including event handlers, into SSR-rendered tags. This is the composable that Nuxt docs recommend for safely handling user-generated content. The acceptDataAttrs function (safe.ts, line 16-20) allows any property key starting with data- through to the final HTML. It only checks the prefix, not whether the key contains spaces or other characters that break HTML attri…

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Affected Packages2 packages

▶NVDunjs/unhead< 2.1.11

▶npmunjs/unhead< 2.1.11+1

🔴Vulnerability Details

OSV

Unhead has a hasDangerousProtocol() bypass via leading-zero padded HTML entities in useHeadSafe()↗2026-04-09

▶

GHSA

Unhead has a hasDangerousProtocol() bypass via leading-zero padded HTML entities in useHeadSafe()↗2026-04-09

▶

GHSA

Unhead has XSS bypass in `useHeadSafe` via attribute name injection and case-sensitive protocol check↗2026-03-12

▶

OSV

Unhead has XSS bypass in `useHeadSafe` via attribute name injection and case-sensitive protocol check↗2026-03-12

▶

🕵️Threat Intelligence

Wiz

CVE-2026-31860 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶