Description
Unhead is a document head and template manager. Prior to 2.1.11, The link.href check in makeTagSafe (safe.ts) uses String.includes(), which is case-sensitive. Browsers treat URI schemes case-insensitively. DATA:text/css,... is the same as data:text/css,... to the browser, but 'DATA:...'.includes('data:') returns false. An attacker can inject arbitrary CSS for UI redressing or data exfiltration via CSS attribute selectors with background-image callbacks. This vulnerability is fixed in 2.1.11.
Published: 2026-03-12
Score: 0 Low
EPSS: < 1% Very Low
KEV: No
Impact: CSS-based XSS or UI Redressing via malformed URI scheme
Action: Patch
AI Analysis

Impact

Unhead’s makeTagSafe (safe.ts) validates the `link.href` field by calling `String.includes()` on the scheme string. This method is case‑sensitive, whereas browsers treat URI schemes case‑insensitively. As a result, an attacker can inject a `DATA:` scheme with mixed case (e.g., `DATA:text/css,…`) that bypasses the check, allowing arbitrary CSS to be applied. The injected CSS may trigger UI redressing or data exfiltration through CSS attribute selectors and background‑image callbacks. This flaw is effectively a CSS‑based Cross‑Site Scripting vulnerability.

Affected Systems

The affected product is unjs’unhead’. Versions prior to 2.1.11 are vulnerable, as the fix was introduced in 2.1.11.

Risk and Exploitability

The advisory lists an EPSS score of less than 1 % and the vulnerability is not in the CISA KEV catalog, indicating a low exploitation likelihood. Nevertheless, because the flaw enables injection of CSS that can modify page appearance or leak data, it could have serious impact if leveraged by an attacker. The vulnerability can be exploited from client‑side code that creates or modifies link tags, so the attack vector is browser‑based and requires the attacker to supply crafted markup to a vulnerable instance.

Generated by OpenCVE AI on March 17, 2026 at 15:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade unhead to version 2.1.11 or later.

Generated by OpenCVE AI on March 17, 2026 at 15:43 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-5339-hvwr-7582 Unhead Vulnerable to Bypass of URI Scheme Sanitization in makeTagSafe via Case-Sensitivity
History

Mon, 16 Mar 2026 18:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:unjs:unhead:*:*:*:*:*:*:*:*

Fri, 13 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Unjs
Unjs unhead
Vendors & Products Unjs
Unjs unhead

Thu, 12 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 12 Mar 2026 17:45:00 +0000

Type Values Removed Values Added
Description Unhead is a document head and template manager. Prior to 2.1.11, The link.href check in makeTagSafe (safe.ts) uses String.includes(), which is case-sensitive. Browsers treat URI schemes case-insensitively. DATA:text/css,... is the same as data:text/css,... to the browser, but 'DATA:...'.includes('data:') returns false. An attacker can inject arbitrary CSS for UI redressing or data exfiltration via CSS attribute selectors with background-image callbacks. This vulnerability is fixed in 2.1.11.
Title Unhead has a Bypass of URI Scheme Sanitization in makeTagSafe via Case-Sensitivity
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 0, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N'}

Subscriptions

Unjs Unhead
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-12T17:46:46.723Z

Reserved: 2026-03-09T19:02:25.014Z

Link: CVE-2026-31873

cve-icon Vulnrichment

Updated: 2026-03-12T17:46:38.920Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-12T18:16:24.387

Modified: 2026-03-16T17:57:01.537

Link: CVE-2026-31873

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-20T15:48:50Z

Weaknesses