CVE-2026-39315: Incomplete List of Disallowed Inputs in Unhead

Severity: 6.1 MEDIUM (NVD)
EPSS: 0.1% (top 81.24%)
CISA KEV: Not in KEV
Exploit: No known exploits
Published: Apr 9

Description

Unhead is a document head and template manager. Versions prior to 2.1.13 are affected. useHeadSafe() is the composable that Nuxt's own documentation explicitly recommends for safely rendering user-supplied content. Internally, the hasDangerousProtocol() function in packages/unhead/src/plugins/safe.ts decodes HTML entities before checking the result for blocked URI schemes (javascript:, data:, vbscript:). The decoder uses two regular expressions with fixed-width digit caps, so a numeric character reference with more digits than the cap is left undecoded and never reaches the scheme check, even though a browser still decodes it. The HTML5 specification imposes no limit on leading
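To make the bypass concrete, the following added example (JavaScript; not Unhead's own code) models the pattern the description gives: a decoder built from digit-capped regular expressions beside one that accepts an unbounded run of leading zeros, with the same scheme check run over each. The caps {1,7} and {1,6}, the helper names and the payloads are assumptions for illustration; the page does not state the caps actually used in safe.ts.

```javascript
// Added example, not Unhead's code. Models the advisory's pattern: decode
// numeric HTML entities, then test the decoded string for blocked schemes.
// The digit caps {1,7} and {1,6} are assumed; the page does not give the
// real values from packages/unhead/src/plugins/safe.ts.

const BLOCKED_SCHEMES = /^\s*(?:javascript|data|vbscript):/i;

// Map a numeric reference value to a character the way a tolerant HTML
// decoder does: NUL, surrogates and out-of-range values become U+FFFD.
function toChar(n) {
  if (!Number.isFinite(n) || n === 0 || n > 0x10ffff || (n >= 0xd800 && n <= 0xdfff)) {
    return '\uFFFD';
  }
  return String.fromCodePoint(n);
}

// Decoder with fixed-width digit caps (the weak pattern). A reference padded
// with more leading zeros than the cap is left undecoded, so the scheme check
// never sees the character it encodes, while the browser decodes it anyway.
function decodeEntitiesCapped(s) {
  return s
    .replace(/&#(\d{1,7});/g, (_, dec) => toChar(Number(dec)))
    .replace(/&#x([0-9a-f]{1,6});/gi, (_, hex) => toChar(parseInt(hex, 16)));
}

// Hardened decoder. HTML5 numeric character references may carry any number
// of leading zeros, and browsers also tolerate a missing trailing semicolon,
// so match an unbounded digit run and bound the decoded *value* (in toChar)
// rather than the digit count.
function decodeEntitiesUnbounded(s) {
  return s.replace(/&#(?:x([0-9a-f]+)|(\d+));?/gi, (_, hex, dec) =>
    toChar(hex !== undefined ? parseInt(hex, 16) : Number(dec)));
}

// The check itself is the same in both cases; only the decoder differs.
function hasDangerousProtocol(value, decode) {
  return BLOCKED_SCHEMES.test(decode(value));
}

// Constructed payloads (not taken from the advisory). Each encodes the 'j' of
// "javascript:"; the padded ones exceed the assumed caps. BENIGN shows that
// the hardened decoder does not reject ordinary padded references.
const PLAIN_DEC  = '&#106;avascript:alert(1)';
const PADDED_DEC = '&#0000000000106;avascript:alert(1)';
const PADDED_HEX = '&#x00000000006a;avascript:alert(1)';
const BENIGN     = 'https://example.com/?q=&#0000000000065;';

function demo() {
  return {
    capped: {
      plain:     hasDangerousProtocol(PLAIN_DEC, decodeEntitiesCapped),   // true
      paddedDec: hasDangerousProtocol(PADDED_DEC, decodeEntitiesCapped),  // false: bypass
      paddedHex: hasDangerousProtocol(PADDED_HEX, decodeEntitiesCapped),  // false: bypass
    },
    unbounded: {
      paddedDec: hasDangerousProtocol(PADDED_DEC, decodeEntitiesUnbounded), // true
      paddedHex: hasDangerousProtocol(PADDED_HEX, decodeEntitiesUnbounded), // true
      benign:    hasDangerousProtocol(BENIGN, decodeEntitiesUnbounded),     // false
    },
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Run it with `node`. The design point is that a denylist applied after a hand-written decoder is only as good as the decoder's agreement with the browser; bounding the numeric value instead of the digit count closes this particular gap, and a defensive check can additionally refuse any value in which an `&#` sequence survives decoding.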

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Exploitability: 2.8 | Impact: 2.7

Affected Packages (2 packages)

CVEListV5: unjs/unhead < 2.1.13
npm: unjs/unhead < 2.1.13

Vulnerability Details (3 sources)

OSV: Unhead has a hasDangerousProtocol() bypass via leading-zero padded HTML entities in useHeadSafe() (2026-04-09)
VulDB: unjs unhead up to 2.1.12 safe.ts useHeadSafe incomplete blacklist (GHSA-95h2-gj7x-gx9w) (2026-04-09)
GHSA: Unhead has a hasDangerousProtocol() bypass via leading-zero padded HTML entities in useHeadSafe() (2026-04-09)
