CVE-2026-31860
Unhead has an XSS bypass in `useHeadSafe` via attribute name injection and case-sensitive protocol check
| CVSS Score | 0.0 |
| EPSS Score | 0.0% |
| EPSS Percentile | 0th |
Unhead is a document head and template manager. Prior to 2.1.11, useHeadSafe() can be bypassed to inject arbitrary HTML attributes, including event handlers, into SSR-rendered <head> tags. This is the composable that the Nuxt docs recommend for safely handling user-generated content. The acceptDataAttrs function (safe.ts, lines 16-20) allows any property key starting with data- through to the final HTML. It only checks the prefix, not whether the key contains spaces or other characters that break HTML attribute parsing. This vulnerability is fixed in 2.1.11.
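To illustrate the attribute-name part of the bug, here is an added example (not Unhead's code, and not the actual fix): a prefix-only filter of the kind the advisory describes beside a strict attribute-name validator, both run over constructed input. The function names `acceptDataAttrsLoose`, `acceptDataAttrsStrict` and `renderAttrs` are hypothetical; the protocol check mentioned in the title is not covered here.

```javascript
// Added example, not Unhead's code. Names below are hypothetical.

// Loose filter: accepts any key that merely starts with "data-", the
// prefix-only behaviour the advisory describes.
function acceptDataAttrsLoose(input) {
  const out = {};
  for (const [key, value] of Object.entries(input)) {
    if (key.startsWith('data-')) out[key] = value;
  }
  return out;
}

// Strict filter: the key must be a single well-formed attribute name.
// Whitespace, '=', quotes, '/', '<' or '>' end an attribute name during
// HTML parsing, so a key containing them becomes more than one attribute.
const DATA_ATTR_NAME = /^data-[a-zA-Z0-9_.:-]+$/;

function acceptDataAttrsStrict(input) {
  const out = {};
  for (const [key, value] of Object.entries(input)) {
    if (DATA_ATTR_NAME.test(key)) out[key] = value;
  }
  return out;
}

// Minimal attribute serializer: escapes the VALUE only, as a typical
// renderer would. Escaping values cannot help when the NAME is untrusted.
function escapeAttrValue(v) {
  return String(v).replace(/&/g, '&amp;').replace(/"/g, '&quot;');
}

function renderAttrs(attrs) {
  return Object.entries(attrs)
    .map(([k, v]) => `${k}="${escapeAttrValue(v)}"`)
    .join(' ');
}

// Constructed sample: one legitimate data attribute and one key containing
// a space, which the HTML parser will read as two separate attributes.
const SAMPLE_ATTRS = {
  'data-track-id': '42',
  'data-x extra': 'y',
};

console.log('loose :', renderAttrs(acceptDataAttrsLoose(SAMPLE_ATTRS)));
console.log('strict:', renderAttrs(acceptDataAttrsStrict(SAMPLE_ATTRS)));
```

With the loose filter the rendered output contains `data-x extra="y"`, i.e. a second attribute the caller never authorized; the strict filter drops that key entirely.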
| CWE | CWE-79 |
| Vendor | unjs |
| Product | unhead |
| Published | Mar 12, 2026 |
| Last Updated | Mar 13, 2026 |
Affected Versions
unjs / unhead
< 2.1.11