VulnerableCode Vulnerability Details

Staging Environment: Content and features may be unstable or change without notice.

Search for vulnerabilities

Vulnerability details: VCID-a4h1-nae2-abch

Essentials
Severities (16)
References (7)
Severity details (15)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-a4h1-nae2-abch
Aliases	CVE-2026-39315 GHSA-95h2-gj7x-gx9w
Summary	Unhead is a document head and template manager. Prior to 2.1.13, useHeadSafe() is the composable that Nuxt's own documentation explicitly recommends for rendering user-supplied content in <head> safely. Internally, the hasDangerousProtocol() function in packages/unhead/src/plugins/safe.ts decodes HTML entities before checking for blocked URI schemes (javascript:, data:, vbscript:). The decoder uses two regular expressions with fixed-width digit caps. The HTML5 specification imposes no limit on leading zeros in numeric character references. When a padded entity exceeds the regex digit cap, the decoder silently skips it. The undecoded string is then passed to startsWith('javascript:'), which does not match. makeTagSafe() writes the raw value directly into SSR HTML output. The browser's HTML parser decodes the padded entity natively and constructs the blocked URI. This vulnerability is fixed in 2.1.13.
Status	Published
Exploitability	None
Weighted Severity	None
Risk	None
Affected and Fixed Packages	Package Details

Weaknesses (3)

CWE-184	Incomplete List of Disallowed Inputs
CWE-937	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

System	Score	Found at
epss	0.00089	https://api.first.org/data/v1/epss?cve=CVE-2026-39315
cvssv3.1_qr	MODERATE	https://github.com/advisories/GHSA-95h2-gj7x-gx9w
cvssv3.1	6.1	https://github.com/unjs/unhead
generic_textual	MODERATE	https://github.com/unjs/unhead
cvssv3.1	6.1	https://github.com/unjs/unhead/commit/961ea781e091853812ffe17f8cda17105d2d2299
generic_textual	MODERATE	https://github.com/unjs/unhead/commit/961ea781e091853812ffe17f8cda17105d2d2299
ssvc	Track	https://github.com/unjs/unhead/commit/961ea781e091853812ffe17f8cda17105d2d2299
cvssv3.1	6.1	https://github.com/unjs/unhead/releases/tag/v2.1.13
generic_textual	MODERATE	https://github.com/unjs/unhead/releases/tag/v2.1.13
ssvc	Track	https://github.com/unjs/unhead/releases/tag/v2.1.13
cvssv3.1	6.1	https://github.com/unjs/unhead/security/advisories/GHSA-95h2-gj7x-gx9w
cvssv3.1_qr	MODERATE	https://github.com/unjs/unhead/security/advisories/GHSA-95h2-gj7x-gx9w
generic_textual	MODERATE	https://github.com/unjs/unhead/security/advisories/GHSA-95h2-gj7x-gx9w
ssvc	Track	https://github.com/unjs/unhead/security/advisories/GHSA-95h2-gj7x-gx9w
cvssv3.1	6.1	https://nvd.nist.gov/vuln/detail/CVE-2026-39315
generic_textual	MODERATE	https://nvd.nist.gov/vuln/detail/CVE-2026-39315

Reference id	Reference type	URL
		https://api.first.org/data/v1/epss?cve=CVE-2026-39315
		https://github.com/unjs/unhead
		https://nvd.nist.gov/vuln/detail/CVE-2026-39315
961ea781e091853812ffe17f8cda17105d2d2299		https://github.com/unjs/unhead/commit/961ea781e091853812ffe17f8cda17105d2d2299
GHSA-95h2-gj7x-gx9w		https://github.com/advisories/GHSA-95h2-gj7x-gx9w
GHSA-95h2-gj7x-gx9w		https://github.com/unjs/unhead/security/advisories/GHSA-95h2-gj7x-gx9w
v2.1.13		https://github.com/unjs/unhead/releases/tag/v2.1.13

No exploits are available.

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://github.com/unjs/unhead

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://github.com/unjs/unhead/commit/961ea781e091853812ffe17f8cda17105d2d2299

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-13T15:28:38Z/ Found at https://github.com/unjs/unhead/commit/961ea781e091853812ffe17f8cda17105d2d2299

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://github.com/unjs/unhead/releases/tag/v2.1.13

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-13T15:28:38Z/ Found at https://github.com/unjs/unhead/releases/tag/v2.1.13

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://github.com/unjs/unhead/security/advisories/GHSA-95h2-gj7x-gx9w

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-13T15:28:38Z/ Found at https://github.com/unjs/unhead/security/advisories/GHSA-95h2-gj7x-gx9w

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2026-39315

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Exploit Prediction Scoring System (EPSS)

Percentile	0.25405
EPSS Score	0.00089
Published At	June 11, 2026, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2026-06-11T16:45:58.236690+00:00	Vulnrichment	Import	https://github.com/cisagov/vulnrichment/blob/develop/2026/39xxx/CVE-2026-39315.json	38.6.0