Package details: pkg:npm/unhead@2.1.0
purl pkg:npm/unhead@2.1.0
Next non-vulnerable version 2.1.13
Latest non-vulnerable version 3.0.1
Vulnerabilities affecting this package (3)
VCID-4ea6-rues-sygu
Aliases: CVE-2026-31873, GHSA-5339-hvwr-7582
Summary: Unhead is a document head and template manager. Prior to 2.1.11, the link.href check in makeTagSafe (safe.ts) uses String.includes(), which is case-sensitive. Browsers treat URI schemes case-insensitively: DATA:text/css,... is the same as data:text/css,... to the browser, but 'DATA:...'.includes('data:') returns false. An attacker can inject arbitrary CSS for UI redressing or data exfiltration via CSS attribute selectors with background-image callbacks. This vulnerability is fixed in 2.1.11.
Fixed by: 2.1.11
Affected by 1 other vulnerability.
VCID-a4h1-nae2-abch
Aliases: CVE-2026-39315, GHSA-95h2-gj7x-gx9w
Summary: Unhead is a document head and template manager. Prior to 2.1.13, useHeadSafe() is the composable that Nuxt's own documentation explicitly recommends for rendering user-supplied content in <head> safely. Internally, the hasDangerousProtocol() function in packages/unhead/src/plugins/safe.ts decodes HTML entities before checking for blocked URI schemes (javascript:, data:, vbscript:). The decoder uses two regular expressions with fixed-width digit caps. The HTML5 specification imposes no limit on leading zeros in numeric character references. When a padded entity exceeds the regex digit cap, the decoder silently skips it. The undecoded string is then passed to startsWith('javascript:'), which does not match. makeTagSafe() writes the raw value directly into SSR HTML output. The browser's HTML parser decodes the padded entity natively and constructs the blocked URI. This vulnerability is fixed in 2.1.13.
Fixed by: 2.1.13
Affected by 0 other vulnerabilities.
VCID-uefh-sv4n-2kd4
Aliases: CVE-2026-31860, GHSA-g5xx-pwrp-g3fv
Summary: Unhead is a document head and template manager. Prior to 2.1.11, useHeadSafe() can be bypassed to inject arbitrary HTML attributes, including event handlers, into SSR-rendered <head> tags. This is the composable that the Nuxt docs recommend for safely handling user-generated content. The acceptDataAttrs function (safe.ts, lines 16-20) allows any property key starting with data- through to the final HTML. It only checks the prefix, not whether the key contains spaces or other characters that break HTML attribute parsing. This vulnerability is fixed in 2.1.11.
Fixed by: 2.1.11
Affected by 1 other vulnerability.
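Written from the defender's side, an added example (not unhead's own code) of the hardened form of the checks the three advisories above describe: a scheme check that decodes numeric character references with any number of leading zeros and compares case-insensitively, and a character allowlist for data-* attribute names. The function names, the small entity decoder and the trim() step are assumptions of this example, not the project's API.

```javascript
// Added example, not unhead's code. hasDangerousProtocol / isSafeDataAttr are
// hypothetical names chosen for illustration.
const BLOCKED_SCHEMES = ["javascript:", "data:", "vbscript:"];
const NAMED = new Map([["amp", "&"], ["lt", "<"], ["gt", ">"], ["quot", '"'], ["colon", ":"]]);

// Decode numeric and a few named character references. The digit groups are
// unbounded, so any number of leading zeros still decodes (HTML5 sets no limit),
// which closes the gap a fixed-width digit cap leaves (the CVE-2026-39315 pattern).
function decodeEntities(s) {
  return s.replace(/&(?:#x([0-9a-f]+)|#([0-9]+)|([a-z]+));?/gi, (m, hex, dec, name) => {
    if (name !== undefined) return NAMED.get(name.toLowerCase()) ?? m;
    const cp = parseInt(hex ?? dec, hex !== undefined ? 16 : 10);
    // Out-of-range values are not valid code points; leave the text undecoded.
    return Number.isFinite(cp) && cp <= 0x10ffff ? String.fromCodePoint(cp) : m;
  });
}

// Decode before checking (the browser's parser will), then compare in lower case,
// since URI schemes are case-insensitive: "DATA:" must be caught like "data:"
// (the CVE-2026-31873 pattern). trim() is an extra step beyond the advisories:
// browsers strip leading and trailing whitespace from URLs before resolving them.
function hasDangerousProtocol(value) {
  const normalized = decodeEntities(String(value)).trim().toLowerCase();
  return BLOCKED_SCHEMES.some((scheme) => normalized.startsWith(scheme));
}

// Allowlist data-* keys by character class instead of checking only the prefix:
// whitespace, quotes, '/', '=' or '>' inside a key would end the attribute name
// and let the rest be parsed as a new attribute (the CVE-2026-31860 pattern).
function isSafeDataAttr(key) {
  return /^data-[a-z0-9_.:-]+$/i.test(key);
}
```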
Vulnerabilities fixed by this package (0)
This package is not known to fix vulnerabilities.

Date | Actor | Action | Vulnerability | Source | VulnerableCode Version
2026-06-12T21:57:40.850702+00:00 | GitLab Importer | Affected by | VCID-a4h1-nae2-abch | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/unhead/CVE-2026-39315.yml | 38.6.0
2026-06-12T21:27:32.434818+00:00 | GitLab Importer | Affected by | VCID-4ea6-rues-sygu | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/unhead/CVE-2026-31873.yml | 38.6.0
2026-06-12T21:24:23.575985+00:00 | GitLab Importer | Affected by | VCID-uefh-sv4n-2kd4 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/unhead/CVE-2026-31860.yml | 38.6.0