Skip to main content

Unhead CVE-2026-39315

| EUVDEUVD-2026-20992 MEDIUM
Incomplete List of Disallowed Inputs (CWE-184)
2026-04-09 GitHub_M GHSA-95h2-gj7x-gx9w
6.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

4
Patch released
Apr 10, 2026 - 02:30 nvd
Patch available
EUVD ID Assigned
Apr 09, 2026 - 18:15 euvd
EUVD-2026-20992
Analysis Generated
Apr 09, 2026 - 18:15 vuln.today
CVE Published
Apr 09, 2026 - 17:54 nvd
MEDIUM 6.1

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 6 npm packages depend on unhead (6 direct, 0 indirect)

Ecosystem-wide dependent count for version 2.1.13.

DescriptionGitHub Advisory

Unhead is a document head and template manager. Prior to 2.1.13, useHeadSafe() is the composable that Nuxt's own documentation explicitly recommends for rendering user-supplied content in <head> safely. Internally, the hasDangerousProtocol() function in packages/unhead/src/plugins/safe.ts decodes HTML entities before checking for blocked URI schemes (javascript:, data:, vbscript:). The decoder uses two regular expressions with fixed-width digit caps. The HTML5 specification imposes no limit on leading zeros in numeric character references. When a padded entity exceeds the regex digit cap, the decoder silently skips it. The undecoded string is then passed to startsWith('javascript:'), which does not match. makeTagSafe() writes the raw value directly into SSR HTML output. The browser's HTML parser decodes the padded entity natively and constructs the blocked URI. This vulnerability is fixed in 2.1.13.

AnalysisAI

Unhead's useHeadSafe() composable, explicitly recommended by Nuxt documentation for safely rendering user-supplied content in document head, can be bypassed via padded HTML numeric character references that exceed regex digit limits. The hasDangerousProtocol() function silently fails to decode these entities, allowing blocked URI schemes (javascript:, data:, vbscript:) to pass validation; browsers then natively decode the padded entity during HTML parsing, enabling cross-site scripting (XSS) attacks. This affects Unhead versions prior to 2.1.13, with no confirmed active exploitation or public exploit code identified at time of analysis.

Technical ContextAI

Unhead is a head and template management library used by Nuxt applications. The vulnerability exploits a mismatch between server-side entity decoding logic and browser-side HTML parsing. The hasDangerousProtocol() function in packages/unhead/src/plugins/safe.ts uses fixed-width regex digit caps to decode HTML numeric character references (both decimal and hexadecimal), but the HTML5 specification permits unlimited leading zeros in these references (e.g., &#0000000106&#0000000097&#0000000118&#0000000097&#0000000115&#0000000099&#0000000114&#0000000105&#0000000112&#0000000116:). When a padded entity exceeds the regex digit cap, the decoder silently returns the original string unchanged. The makeTagSafe() function then writes this undecoded string directly into SSR HTML output. The browser's native HTML parser later decodes the padded entity according to HTML5 rules and constructs the dangerous URI, bypassing the server-side check. This is a classic encoding-validation bypass (CWE-184: Incomplete List of Disallowed Inputs).

RemediationAI

Vendor-released patch: Upgrade to Unhead version 2.1.13 or later. This version corrects the hasDangerousProtocol() function to properly handle padded numeric character references with unlimited leading zeros. The fix is available at https://github.com/unjs/unhead/releases/tag/v2.1.13. For Nuxt applications, update the unhead dependency in package.json to >=2.1.13 and reinstall dependencies. No workaround is available for earlier versions; patching is the recommended remediation. The upstream fix is documented in commit 961ea781e091853812ffe17f8cda17105d2d2299 at https://github.com/unjs/unhead/commit/961ea781e091853812ffe17f8cda17105d2d2299.

Share

CVE-2026-39315 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy