{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39315", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-06T19:31:07.266Z", "datePublished": "2026-04-09T17:54:07.488Z", "dateUpdated": "2026-04-09T17:54:07.488Z"}, "containers": {"cna": {"title": "Unhead has a hasDangerousProtocol() bypass via leading-zero padded HTML entities in useHeadSafe()", "problemTypes": [{"descriptions": [{"cweId": "CWE-184", "lang": "en", "description": "CWE-184: Incomplete List of Disallowed Inputs", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/unjs/unhead/security/advisories/GHSA-95h2-gj7x-gx9w", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/unjs/unhead/security/advisories/GHSA-95h2-gj7x-gx9w"}, {"name": "https://github.com/unjs/unhead/commit/961ea781e091853812ffe17f8cda17105d2d2299", "tags": ["x_refsource_MISC"], "url": "https://github.com/unjs/unhead/commit/961ea781e091853812ffe17f8cda17105d2d2299"}, {"name": "https://github.com/unjs/unhead/releases/tag/v2.1.13", "tags": ["x_refsource_MISC"], "url": "https://github.com/unjs/unhead/releases/tag/v2.1.13"}], "affected": [{"vendor": "unjs", "product": "unhead", "versions": [{"version": "< 2.1.13", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-09T17:54:07.488Z"}, "descriptions": [{"lang": "en", "value": "Unhead is a document head and template manager. Prior to 2.1.13, useHeadSafe() is the composable that Nuxt's own documentation explicitly recommends for rendering user-supplied content in <head> safely. Internally, the hasDangerousProtocol() function in packages/unhead/src/plugins/safe.ts decodes HTML entities before checking for blocked URI schemes (javascript:, data:, vbscript:). The decoder uses two regular expressions with fixed-width digit caps. The HTML5 specification imposes no limit on leading zeros in numeric character references. When a padded entity exceeds the regex digit cap, the decoder silently skips it. The undecoded string is then passed to startsWith('javascript:'), which does not match. makeTagSafe() writes the raw value directly into SSR HTML output. The browser's HTML parser decodes the padded entity natively and constructs the blocked URI. This vulnerability is fixed in 2.1.13."}], "source": {"advisory": "GHSA-95h2-gj7x-gx9w", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Unhead is a document head and template manager. Prior to 2.1.13, useHeadSafe() is the composable that Nuxt's own documentation explicitly recommends for rendering user-supplied content in <head> safely. Internally, the hasDangerousProtocol() function in packages/unhead/src/plugins/safe.ts decodes HTML entities before checking for blocked URI schemes (javascript:, data:, vbscript:). The decoder uses two regular expressions with fixed-width digit caps. The HTML5 specification imposes no limit on leading zeros in numeric character references. When a padded entity exceeds the regex digit cap, the decoder silently skips it. The undecoded string is then passed to startsWith('javascript:'), which does not match. makeTagSafe() writes the raw value directly into SSR HTML output. The browser's HTML parser decodes the padded entity natively and constructs the blocked URI. This vulnerability is fixed in 2.1.13."}], "id": "CVE-2026-39315", "lastModified": "2026-04-09T18:17:01.433", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-09T18:17:01.433", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/unjs/unhead/commit/961ea781e091853812ffe17f8cda17105d2d2299"}, {"source": "security-advisories@github.com", "url": "https://github.com/unjs/unhead/releases/tag/v2.1.13"}, {"source": "security-advisories@github.com", "url": "https://github.com/unjs/unhead/security/advisories/GHSA-95h2-gj7x-gx9w"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-184"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.1.13)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "unhead", "source": "cna", "vendor": "unjs"}, "product": "unhead", "vendor": "unjs"}], "analysis": {"en": {"generated_at": "2026-04-09T19:20:59.233411+00:00", "value": {"mitigation_remediation": ["Upgrade unhead to version 2.1.13 or later.", "Review application code to ensure that any data inserted into the document head uses useHeadSafe() or a similar sanitization method.", "Reproduce common head injection scenarios to confirm that malicious JavaScript cannot execute after the upgrade."], "summary": {"action": "Immediate Patch", "impact": "Script Execution in Document Head"}, "threat_synthesis": {"affected_systems": "The affected product is Unhead, an open\u2011source document head and template manager maintained by unjs. Any installation of Unhead older than version 2.1.13 is vulnerable. Organizations that embed Unhead in their Nuxt or other JavaScript applications, especially those that pass user-supplied content to the head via the recommended useHeadSafe composable, are impacted. The vulnerability is present in the packages/unhead/src/plugins/safe.ts file, and all users of versions prior to v2.1.13 should update. No specific vendor or OS versions are mentioned beyond the Unhead package itself.", "description_and_impact": "Unhead is a document head and template manager used in Nuxt applications. The vulnerability resides in the useHeadSafe composable, which is intended to safely render user-supplied content into the <head> section. Internally, a hasDangerousProtocol() function decodes HTML entities and then checks for blocked URI schemes such as javascript:, data:, and vbscript:. Because the decoder uses a fixed-width regular expression, a leading-zero padded numeric character reference that exceeds the regex limit is silently skipped. Consequently, the undecoded string is passed to a startsWith('javascript:') check, which fails to match. When the sanitized head element is written to the server-side rendered HTML, the browser parses the embedded entity and resolves it to a blocked URI, resulting in the execution of arbitrary JavaScript in the context of the page. This flaw effectively allows a stored or reflected cross-site scripting attack that can be used to hijack the user session, steal cookies, or perform other malicious actions within the application. The weakness is classified as CWE-184, Processing Data DoS via Processing of Malformed or Improperly Encoded Data.", "risk_and_exploitability": "The CVSS score of 6.1 indicates a moderate severity. No EPSS score is available, and the issue is not listed in CISA\u2019s KEV catalog, suggesting it has not yet been widely exploited in the wild. The likely attack vector is remote: an attacker who can inject content into the <head> of a page\u2014such as through an unauthenticated form, CMS input, or API payload\u2014may supply a single leading\u2011zero padded numeric entity (for example &#0123;) to bypass useHeadSafe. In a browser, this entity expands to a javascript: URI that is not sanitized, allowing arbitrary JavaScript to execute with the page\u2019s privileges. Because the exploit requires only that the vulnerable application render untrusted data in the document head, it is relatively easy to trigger in any context where the application trusts user input."}}}}, "created": "2026-04-10T08:52:39.517271+00:00", "updated": "2026-04-10T09:31:49.223728+00:00", "vendors": ["unjs", "unjs$PRODUCT$unhead"]}