Description
Unhead is a document head and template manager. Prior to 2.1.11, useHeadSafe() can be bypassed to inject arbitrary HTML attributes, including event handlers, into SSR-rendered <head> tags. This is the composable that the Nuxt docs recommend for safely handling user-generated content. The acceptDataAttrs function (safe.ts, lines 16-20) allows any property key starting with data- through to the final HTML. It only checks the prefix, not whether the key contains spaces or other characters that break HTML attribute parsing. This vulnerability is fixed in 2.1.11.
Published: 2026-03-12
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting via attribute injection in SSR
Action: Immediate Patch
AI Analysis

Impact

Unhead's useHeadSafe composable can be bypassed to inject arbitrary HTML attributes, including event handlers, into server‑side rendered <head> tags. The acceptDataAttrs function permits any key starting with data- without checking for spaces or characters that break attribute parsing. This flaw allows an attacker to insert malicious client‑side scripts, resulting in a stored XSS vulnerability.

Affected Systems

The affected vendor and product is unjs:unhead. All releases prior to version 2.1.11 are vulnerable. Versions 2.1.11 and later contain the fix.

Risk and Exploitability

The CVSS base score is 5.3, indicating moderate severity, while the EPSS score is below 1% and the vulnerability is not listed in the CISA KEV catalog, implying low expected exploitation. The likely attack vector is through user‑supplied data that is passed to useHeadSafe in an SSR context; the attacker can craft a key that starts with data- but contains malicious attribute names to trigger the XSS. No specific exploitation conditions are outlined beyond the presence of user input in useHeadSafe.

Generated by OpenCVE AI on March 17, 2026 at 15:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade unhead to version 2.1.11 or newer.
  • Verify that no untrusted data is passed to useHeadSafe with arbitrary attribute keys.
  • Restrict useHeadSafe to a whitelist of valid attributes if an upgrade cannot be applied immediately.
  • Apply web application firewall rules to block unsolicited XSS payloads.
  • Monitor web traffic for XSS indicators and review server‑side rendered <head> content for anomalies.
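An allow-list check of the kind the third action above describes, as an added example that is not Unhead's own code: a strict validator for data-* attribute names that rejects any key carrying characters that would end the attribute name early, next to the prefix-only test the advisory describes for contrast. The function names, the regex and the sample input are assumptions made for this illustration.

```typescript
// Added example, not Unhead's own code: a strict allow-list for data-* attribute
// names, applied before head metadata reaches an SSR renderer. Names, regex and
// helper functions are assumptions for this illustration.

// An HTML attribute name ends at whitespace, '=', '"', "'", '<', '>' or '/', so a
// key that merely starts with "data-" can still carry extra attributes into the
// rendered tag. Accept only "data-" followed by letters, digits, '-', '_' and '.'.
const SAFE_DATA_ATTR_NAME = /^data-[a-z0-9][a-z0-9_.-]*$/i;

function isSafeDataAttrName(key: string): boolean {
  return SAFE_DATA_ATTR_NAME.test(key);
}

// The prefix-only test the advisory describes, reconstructed here for contrast
// (assumption: the vulnerable code only checked the "data-" prefix).
function prefixOnlyDataAttrCheck(key: string): boolean {
  return key.startsWith('data-');
}

// Keep only attributes whose names pass the strict check; everything else is
// dropped and returned in `rejected` so the caller can log the rejection.
function filterDataAttrs(
  attrs: Record<string, string>,
): { accepted: Record<string, string>; rejected: string[] } {
  const accepted: Record<string, string> = {};
  const rejected: string[] = [];
  for (const [name, value] of Object.entries(attrs)) {
    if (isSafeDataAttrName(name)) {
      accepted[name] = value;
    } else {
      rejected.push(name);
    }
  }
  return { accepted, rejected };
}

// Constructed sample input: one well-formed key, two malformed ones (a key with a
// space and a key with a quote) and a non-data attribute. Only the first survives.
const sampleAttrs: Record<string, string> = {
  'data-track-id': '42',
  'data-x extra': '1',
  'data-z"': '2',
  'onload': 'ignored',
};
const sampleResult = filterDataAttrs(sampleAttrs);
```

Note that the prefix-only check passes `'data-x extra'` while the strict check rejects it, which is exactly the gap the advisory describes.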



Advisories
Source: Github GHSA
ID: GHSA-g5xx-pwrp-g3fv
Title: Unhead has XSS bypass in `useHeadSafe` via attribute name injection and case-sensitive protocol check
History

Mon, 16 Mar 2026 18:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:unjs:unhead:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


Fri, 13 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 13 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Unjs
Unjs unhead
Vendors & Products Unjs
Unjs unhead

Thu, 12 Mar 2026 17:45:00 +0000

Type Values Removed Values Added
Description Unhead is a document head and template manager. Prior to 2.1.11, useHeadSafe() can be bypassed to inject arbitrary HTML attributes, including event handlers, into SSR-rendered <head> tags. This is the composable that Nuxt docs recommend for safely handling user-generated content. The acceptDataAttrs function (safe.ts, line 16-20) allows any property key starting with data- through to the final HTML. It only checks the prefix, not whether the key contains spaces or other characters that break HTML attribute parsing. This vulnerability is fixed in 2.1.11.
Title Unhead has a XSS bypass in `useHeadSafe` via attribute name injection and case-sensitive protocol check
Weaknesses CWE-79
References
Metrics cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-13T16:26:51.670Z

Reserved: 2026-03-09T19:02:25.012Z

Link: CVE-2026-31860

Vulnrichment

Updated: 2026-03-13T16:26:40.074Z

NVD

Status : Analyzed

Published: 2026-03-12T18:16:24.227

Modified: 2026-03-16T17:56:34.140

Link: CVE-2026-31860

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-20T15:48:50Z

Weaknesses