CVE-2026-31860

Unhead is a document head and template manager. Prior to 2.1.11, useHeadSafe() can be bypassed to inject arbitrary HTML attributes, including event handlers, into SSR-rendered <head> tags. This is the composable that the Nuxt docs recommend for safely handling user-generated content. The acceptDataAttrs function (safe.ts, lines 16-20) lets any property key that starts with data- through to the final HTML. It checks only the prefix, not whether the key contains spaces or other characters that break HTML attribute parsing, so a crafted key can close the data-* attribute name and start a new attribute. This vulnerability is fixed in 2.1.11.
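The following is an added example, not code from unhead or its advisory: it reconstructs the kind of prefix-only key check the description attributes to acceptDataAttrs, places a hardened attribute-name check beside it, and runs both through a minimal attribute serializer so the injected key is visible in the rendered tag. The function names, the regex and the sample props are assumptions made for this illustration; only the weakness (a key is checked for the data- prefix and then emitted verbatim) comes from the advisory text.

```typescript
// Added example (not unhead's code): prefix-only data-* key filtering versus a
// strict attribute-name check, run through a small attribute serializer.

// Constructed sample input: props for a <meta> tag as they would arrive from
// user-generated content. The second key carries a whole extra attribute.
const USER_PROPS: Record<string, string> = {
  "data-track": "profile",
  'data-x onerror="alert(1)"': "y",
};

// Hypothetical reconstruction of the weak check: only the prefix is inspected.
function prefixOnlyAccept(key: string): boolean {
  return key.startsWith("data-");
}

// Hardened check: an attribute name may not contain whitespace, quotes, '=',
// '/', '>' or control characters. A conservative allow-list is simplest.
const DATA_ATTR_RE = /^data-[a-z0-9_.:-]+$/i;
function strictAccept(key: string): boolean {
  return DATA_ATTR_RE.test(key);
}

// Attribute values are escaped; attribute names are emitted verbatim, which is
// what makes the key itself an injection point once the filter lets it through.
function escapeAttrValue(v: string): string {
  return v
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

function renderMeta(
  props: Record<string, string>,
  accept: (key: string) => boolean
): string {
  const parts: string[] = [];
  for (const key of Object.keys(props)) {
    if (!accept(key)) continue;
    parts.push(`${key}="${escapeAttrValue(props[key])}"`);
  }
  return `<meta ${parts.join(" ")}>`;
}

// Detection helper for tests or a response-side check: does the rendered tag
// carry an on* event-handler attribute?
function hasEventHandler(html: string): boolean {
  return /\son[a-z]+\s*=/i.test(html);
}

const vulnerableOutput = renderMeta(USER_PROPS, prefixOnlyAccept);
// -> <meta data-track="profile" data-x onerror="alert(1)"="y">
const hardenedOutput = renderMeta(USER_PROPS, strictAccept);
// -> <meta data-track="profile">

console.log(vulnerableOutput);
console.log(hardenedOutput);
```

The serializer escapes values correctly in both runs; the only difference is whether the key filter rejects a name containing a space and a quote. An HTML parser reads the vulnerable output as a data-x attribute followed by a separate onerror attribute, which is the attribute-injection primitive the advisory describes.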
References

https://github.com/unjs/unhead/security/advisories/GHSA-g5xx-pwrp-g3fv (Exploit, Mitigation, Vendor Advisory)
Configurations

Configuration 1

cpe:2.3:a:unjs:unhead:*:*:*:*:*:*:*:*

History

16 Mar 2026, 17:56

Type       | Values Removed                                                              | Values Added
References | https://github.com/unjs/unhead/security/advisories/GHSA-g5xx-pwrp-g3fv -   | https://github.com/unjs/unhead/security/advisories/GHSA-g5xx-pwrp-g3fv - Exploit, Mitigation, Vendor Advisory
First Time |                                                                             | Unjs; Unjs unhead
CVSS       | v2 : unknown; v3 : unknown                                                  | v2 : unknown; v3 : 6.1
CPE        |                                                                             | cpe:2.3:a:unjs:unhead:*:*:*:*:*:*:*:*

13 Mar 2026, 19:54

Type       | Values Removed                                                              | Values Added
References | https://github.com/unjs/unhead/security/advisories/GHSA-g5xx-pwrp-g3fv -   | https://github.com/unjs/unhead/security/advisories/GHSA-g5xx-pwrp-g3fv -
Summary    |                                                                             | (es, translated) Unhead is a document head and template manager. Prior to 2.1.11, useHeadSafe() can be bypassed to inject arbitrary HTML attributes, including event handlers, into SSR-rendered tags. This is the composable that the Nuxt documentation recommends for safely handling user-generated content. The acceptDataAttrs function (safe.ts, lines 16-20) lets any property key beginning with 'data-' through to the final HTML. It checks only the prefix, not whether the key contains spaces or other characters that break HTML attribute parsing. This vulnerability is fixed in 2.1.11.

12 Mar 2026, 18:16

Type Values Removed Values Added
New CVE

Information

Published : 2026-03-12 18:16

Updated : 2026-03-16 17:56


NVD link : CVE-2026-31860

Mitre link : CVE-2026-31860

CVE.ORG link : CVE-2026-31860



Products Affected

unjs

  • unhead
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')