2 matches found
CVE-2026-39315 Unhead has a hasDangerousProtocol() bypass via leading-zero padded HTML entities in useHeadSafe()
Unhead is a document head and template manager. Prior to 2.1.13, useHeadSafe is the composable that Nuxt's own documentation explicitly recommends for rendering user-supplied content in safely. Internally, the hasDangerousProtocol function in packages/unhead/src/plugins/safe.ts decodes HTML...
CVE-2026-39315
Unhead (document head/template manager) contains a vulnerability in useHeadSafe() where hasDangerousProtocol() decodes HTML entities before blocked-scheme checks. The decoder uses two fixed-width regexes; HTML5 allows leading zeros in numeric character references, and when a padded entity exceeds...