CVE-2026-39315

Severity: MEDIUM · EPSS 20.2%
Published Apr 9, 2026 · Modified Jun 17, 2026
CVSS 3.1 base score 6.1 (Medium)

Description

Unhead is a document head and template manager. useHeadSafe() is the composable that Nuxt's own documentation explicitly recommends for rendering user-supplied content in <head> safely. Prior to 2.1.13, the hasDangerousProtocol() function in packages/unhead/src/plugins/safe.ts decodes HTML entities before checking for blocked URI schemes (javascript:, data:, vbscript:). The decoder uses two regular expressions with fixed-width digit caps, but the HTML5 specification imposes no limit on leading zeros in numeric character references. When a zero-padded entity exceeds the regex digit cap, the decoder silently skips it; the undecoded string is then passed to startsWith('javascript:'), which does not match, and makeTagSafe() writes the raw value directly into the SSR HTML output. The browser's HTML parser decodes the padded entity natively and constructs the blocked URI. This vulnerability is fixed in 2.1.13.
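The defensive pattern the fix calls for is to decode every numeric character reference, however many leading zeros it carries, and only then compare the result against the blocked schemes. The block below is an added example written for this page, not Unhead's own code; the regular expression, the U+FFFD fallback and the whitespace normalization are assumptions chosen for illustration and are not copied from safe.ts, and it covers numeric references only (named references such as &amp; are out of scope).

```javascript
// Added example, not Unhead's code. Regex and normalization are assumptions.
const BLOCKED_SCHEMES = ['javascript:', 'data:', 'vbscript:'];

// One numeric character reference: decimal (&#106;) or hex (&#x6A;), any
// number of leading zeros swallowed by 0*, optional trailing semicolon.
// A single alternation decodes each reference exactly once, as the
// browser's HTML parser does, so double-encoded input is not over-decoded.
const NUMERIC_REF = /&#(?:[xX]0*([0-9a-fA-F]+)|0*([0-9]+));?/g;

// Decode one reference. Values above U+10FFFF are invalid and become
// U+FFFD, so an undecodable reference is never left in place unchecked.
function toChar(digits, radix) {
  const cp = parseInt(digits, radix);
  return cp <= 0x10ffff ? String.fromCodePoint(cp) : '\uFFFD';
}

function decodeNumericEntities(value) {
  return value.replace(NUMERIC_REF, (_, hex, dec) =>
    hex !== undefined ? toChar(hex, 16) : toChar(dec, 10));
}

// Decode first, then compare. ASCII whitespace and C0 controls are
// stripped before matching (URL parsers drop tabs and newlines anyway)
// and the comparison is case-insensitive.
function hasDangerousProtocol(value) {
  const normalized = decodeNumericEntities(value)
    .replace(/[\s\u0000-\u001f]/g, '')
    .toLowerCase();
  return BLOCKED_SCHEMES.some((scheme) => normalized.startsWith(scheme));
}
```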

CVSS Details

Base Score: 6.1
Exploitability: 2.8
Impact: 2.7
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: None

Threat Intelligence

EPSS Exploit Probability
20.2% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses (1)

CWE-184 (Incomplete List of Disallowed Inputs)

Affected Products (1)

Vendor  Product  Version  Range
unjs    unhead   *        <2.1.13

References (3)

  • github.com https://github.com/unjs/unhead/commit/961ea781e091853812ffe17f8cda17105d2d2299
    Patch
  • github.com https://github.com/unjs/unhead/releases/tag/v2.1.13
    Product, Release Notes
  • github.com https://github.com/unjs/unhead/security/advisories/GHSA-95h2-gj7x-gx9w
    Exploit, Mitigation, Vendor Advisory

Remediation

  • github.com https://github.com/unjs/unhead/commit/961ea781e091853812ffe17f8cda17105d2d2299
    Patch