43 matches found

RedhatCVE
added 2026/04/13 7:23 p.m.

CVE-2026-39315

Unhead is a document head and template manager. Prior to 2.1.13, useHeadSafe is the composable that Nuxt's own documentation explicitly recommends for rendering user-supplied content in...

CVSS 6.1 | AI score 5.8 | EPSS 0.00089
Exploits: 1 | References: 1

Snyk
added 2026/04/10 10:09 p.m.

Cross-site Scripting (XSS)

Overview: unhead is a full-stack manager built for any framework. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the streamKey configuration parameter on the streaming server side. An attacker can execute arbitrary JavaScript code in the context of the rendered pa...

CVSS 4.7 | AI score 5.8
Exploits: 0 | References: 2

vulnersOsv
added 2026/04/10 10:09 p.m.

@unhead/angular (>=3.0.0 <=3.0.0-rc.4), @unhead/react (>=3.0.0 <=3.0.0-rc.4) +4 more potentially affected by unknown CVE via unhead (>=3.0.0-beta.5 <=3.0.0)

unhead NPM version =3.0.0-beta.5, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =3.0.0-rc.4 Source cves: unknown CVE Source advisory: SNYK:JS-UNHEAD-15989796...

AI score 5.8
Exploits: 0

Github Security Blog
added 2026/04/10 10:09 p.m.

unhead: Streaming SSR `streamKey` injected into inline script without identifier validation

Summary: createStreamableHead interpolated its streamKey argument directly into the streaming SSR bootstrap and suspense-chunk inline scripts without identifier validation or escaping. If an application forwards untrusted data into that configuration value, the rendered scripts become a...

AI score 6
Exploits: 0 | References: 3 | Affected Software: 1

vulnersOsv
added 2026/04/10 10:09 p.m.

@unhead/angular (>=3.0.0 <=3.0.0-rc.4), @unhead/react (>=3.0.0 <=3.0.0-rc.4) +4 more potentially affected by unknown CVE via unhead (>=3.0.0-beta.5 <=3.0.0)

unhead NPM version =3.0.0-beta.5, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =3.0.0, =3.0.0-rc.4 Source cves: unknown CVE Source advisory: OSV:GHSA-X7MM-9VVV-64W8...

AI score 5.8
Exploits: 0

OSV
added 2026/04/09 8:28 p.m.

GHSA-95H2-GJ7X-GX9W Unhead has a hasDangerousProtocol() bypass via leading-zero padded HTML entities in useHeadSafe()

Evidence: disclosed to Vercel H1 on 2026-03-22 (no response after 12 days); cross-reported here on 2026-04-03. Summary: useHeadSafe is the composable that Nuxt's own documentation explicitly recommends for rendering user-supplied content in safely. Internally, the hasDangerousProtocol functio...

CVSS 6.1 | AI score 6.1 | EPSS 0.00089
Exploits: 1 | References: 5

Github Security Blog
added 2026/04/09 8:28 p.m.

Unhead has a hasDangerousProtocol() bypass via leading-zero padded HTML entities in useHeadSafe()

Evidence: disclosed to Vercel H1 on 2026-03-22 (no response after 12 days); cross-reported here on 2026-04-03. Summary: useHeadSafe is the composable that Nuxt's own documentation explicitly recommends for rendering user-supplied content in safely. Internally, the hasDangerousProtocol functio...

CVSS 6.1 | AI score 7.3 | EPSS 0.00089
Exploits: 1 | References: 5 | Affected Software: 1

vulnersOsv
added 2026/04/09 8:28 p.m.

@4verburga/alpine-spanishplus (>=1.6.6 <=3.0.2), @4xeverburga/alpine-spanishplus (>=3.0.1 <=3.1.1-dev.f2f6949) +525 more potentially affected by CVE-2026-39315 via unhead (>=0.0.1 <=2.1.12)

unhead NPM version =0.0.1, =1.6.6, =3.0.1, =1.0.0, =0.1.0, =0.5.0, =0.8.15, =1.0.1, =0.1.8, =0.0.2, =0.2.305, =0.1.1, =0.9.1, =1.1.1, =2.1.1 and more Source cves: CVE-2026-39315 Source advisory: OSV:GHSA-95H2-GJ7X-GX9W...

CVSS 6.1 | AI score 5.8 | EPSS 0.00089
Exploits: 1

Snyk
added 2026/04/09 7:10 p.m.

Incomplete List of Disallowed Inputs

Overview: org.webjars.npm:unhead is a full-stack manager built for any framework. Affected versions of this package are vulnerable to Incomplete List of Disallowed Inputs in the hasDangerousProtocol function through the usage of the HtmlEntityHex and HtmlEntityDec RegExp. An attacker can inject malicio...

CVSS 6.1 | AI score 5.8 | EPSS 0.00089
Exploits: 1 | References: 2

Snyk
added 2026/04/09 7:10 p.m.

Incomplete List of Disallowed Inputs

Overview: unhead is a full-stack manager built for any framework. Affected versions of this package are vulnerable to Incomplete List of Disallowed Inputs in the hasDangerousProtocol function through the usage of the HtmlEntityHex and HtmlEntityDec RegExp. An attacker can inject malicious URIs into the...

CVSS 6.1 | AI score 5.8 | EPSS 0.00089
Exploits: 1 | References: 2

vulnersOsv
added 2026/04/09 7:10 p.m.

@saasmakers/ui (>=0.1.88 <=0.1.117), @styleframe/app (>=0.0.1 <=0.1.1) +13 more potentially affected by CVE-2026-39315 via unhead (>=2.0.0-alpha.0 <=2.1.12)

unhead NPM version =2.0.0-alpha.0, =0.1.88, =0.0.1, =1.1.0, =2.0.0, =2.0.0, =2.0.0-alpha.0, =2.0.0, =2.0.0, =2.0.0, =1.2.0, =0.0.2, =0.17.0, =2.0.0-alpha.8, =0.1.0-beta.10, =0.1.0-beta.14 Source cves: CVE-2026-39315 Source advisory: SNYK:JS-UNHEAD-15965923...

CVSS 6.1 | AI score 5.8 | EPSS 0.00089
Exploits: 1

vulnersOsv
added 2026/04/09 7:10 p.m.

org.webjars.npm:unhead__vue (>=1.11.20 <=2.1.10), org.webjars.npm:vueuse__head (=1.0.22) potentially affected by CVE-2026-39315 via org.webjars.npm:unhead (>=1.11.20 <=2.1.10)

org.webjars.npm:unhead MAVEN version =1.11.20, =1.11.20, =2.1.10 - org.webjars.npm:vueuse__head =1.0.22 Source cves: CVE-2026-39315 Source advisory: SNYK:JAVA-ORGWEBJARSNPM-15965924...

CVSS 6.1 | AI score 5.8 | EPSS 0.00089
Exploits: 1

NVD
added 2026/04/09 6:17 p.m.

CVE-2026-39315

Unhead is a document head and template manager. Prior to 2.1.13, useHeadSafe is the composable that Nuxt's own documentation explicitly recommends for rendering user-supplied content in safely. Internally, the hasDangerousProtocol function in packages/unhead/src/plugins/safe.ts decodes HTML...

CVSS 6.1 | EPSS 0.00089
Exploits: 1 | References: 3

Vulnrichment
added 2026/04/09 5:54 p.m.

CVE-2026-39315 Unhead has a hasDangerousProtocol() bypass via leading-zero padded HTML entities in useHeadSafe()

Unhead is a document head and template manager. Prior to 2.1.13, useHeadSafe is the composable that Nuxt's own documentation explicitly recommends for rendering user-supplied content in safely. Internally, the hasDangerousProtocol function in packages/unhead/src/plugins/safe.ts decodes HTML...

CVSS 6.1 | AI score 5.8 | EPSS 0.00089
Exploits: 1 | References: 3

CVE
added 2026/04/09 5:54 p.m.

CVE-2026-39315

Unhead (document head/template manager) contains a vulnerability in useHeadSafe() where hasDangerousProtocol() decodes HTML entities before blocked-scheme checks. The decoder uses two fixed-width regexes; HTML5 allows leading zeros in numeric character references, and when a padded entity exceeds...

CVSS 6.1 | AI score 5.9 | EPSS 0.00089
Exploits: 1 | References: 3 | Affected Software: 1

ATTACKERKB
added 2026/04/09 5:54 p.m.

CVE-2026-39315

Unhead is a document head and template manager. Prior to 2.1.13, useHeadSafe is the composable that Nuxt's own documentation explicitly recommends for rendering user-supplied content in...

CVSS 6.1 | AI score 5.9 | EPSS 0.00089
Exploits: 1 | References: 4 | Affected Software: 1

Cvelist
added 2026/04/09 5:54 p.m.

CVE-2026-39315 Unhead has a hasDangerousProtocol() bypass via leading-zero padded HTML entities in useHeadSafe()

Unhead is a document head and template manager. Prior to 2.1.13, useHeadSafe is the composable that Nuxt's own documentation explicitly recommends for rendering user-supplied content in safely. Internally, the hasDangerousProtocol function in packages/unhead/src/plugins/safe.ts decodes HTML...

CVSS 6.1 | EPSS 0.00089
Exploits: 1 | References: 3

CNNVD
added 2026/04/09 12:00 a.m.

unhead security vulnerability

Unhead is an open-source document head and template manager by UnJS. Versions of Unhead prior to 2.1.13 contain a security vulnerability that stems from the limited regular expressions used when decoding HTML entities, which could lead to cross-site scripting attacks...

CVSS 6.1 | AI score 5.6 | EPSS 0.00089
Exploits: 1 | References: 4

Positive Technologies
added 2026/04/09 12:00 a.m.

PT-2026-31676

Unhead is a document head and template manager. Prior to 2.1.13, useHeadSafe is the composable that Nuxt's own documentation explicitly recommends for rendering user-supplied content in safely. Internally, the hasDangerousProtocol function in packages/unhead/src/plugins/safe.ts decodes HTML...

CVSS 6.1 | AI score 5.9 | EPSS 0.00089
Exploits: 1 | References: 7

RedhatCVE
added 2026/03/26 3:16 p.m.

CVE-2026-31873

Unhead is a document head and template manager. Prior to 2.1.11, the link.href check in makeTagSafe (safe.ts) uses String.includes, which is case-sensitive. Browsers treat URI schemes case-insensitively: DATA:text/css,... is the same as data:text/css,... to the browser, but 'DATA:...'.includes'data...

CVSS 6.1 | AI score 6 | EPSS 0.0002
Exploits: 1 | References: 1
