CVE-2026-31860
Received - Intake
HTML Attribute Injection in Unhead useHeadSafe() Allows XSS

Publication date: 2026-03-12

Last updated on: 2026-03-16

Assigner: GitHub, Inc.

Description
Unhead is a document head and template manager. Prior to 2.1.11, useHeadSafe() can be bypassed to inject arbitrary HTML attributes, including event handlers, into SSR-rendered <head> tags. This is the composable that the Nuxt docs recommend for safely handling user-generated content. The acceptDataAttrs function (safe.ts, lines 16-20) allows any property key starting with data- through to the final HTML. It checks only the prefix, not whether the key contains spaces or other characters that break HTML attribute parsing. This vulnerability is fixed in 2.1.11.
Meta Information
Published
2026-03-12
Last Modified
2026-03-16
Generated
2026-05-06
AI Q&A
2026-03-12
EPSS Evaluated
2026-05-05
Affected Vendors & Products
Vendor: unjs
Product: unhead
Version / Range: up to 2.1.11 (exclusive, i.e. all versions before 2.1.11)
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-31860 is a cross-site scripting (XSS) vulnerability in the useHeadSafe() function of the unhead npm package (versions up to 2.1.10). This function is recommended by Nuxt for safely handling user-generated content in server-side rendered <head> tags.

The vulnerability arises because the acceptDataAttrs function allows any HTML attribute key starting with "data-" without properly validating the entire attribute name. It only checks the prefix but does not restrict spaces or other characters that can break HTML attribute parsing.

As a result, an attacker can inject arbitrary HTML attributes, including event handlers, into SSR-rendered <head> tags. For example, by injecting a malicious attribute with spaces and an event handler, the browser interprets the event handler as a separate attribute, enabling execution of arbitrary JavaScript.

This vulnerability is fixed in version 2.1.11 by validating attribute names against a strict regular expression that only allows legal HTML attribute characters. [1]
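To make the root cause concrete, the following is an added example (not code from unhead or from this advisory). It places a prefix-only check of the kind the description attributes to acceptDataAttrs beside a strict attribute-name check, then renders a constructed <meta> attribute set through both. The regular expression used for the strict check is an illustrative choice; the exact pattern adopted in unhead 2.1.11 is not shown on this page. All names, the sample attribute object and the allowlist are assumptions made for the example.

```javascript
// Added example, not unhead's code. Contrasts a prefix-only data-* check with a
// strict attribute-name check and shows why value escaping alone does not help.

// Weak check, modelled on the behaviour the advisory describes: any key that
// starts with "data-" passes, whatever follows the prefix.
function acceptDataAttrPrefixOnly(key) {
  return key.startsWith('data-');
}

// Strict check (illustrative pattern, not the one from unhead 2.1.11): the whole
// key must be a legal attribute name. HTML attribute names may not contain
// whitespace, quotes, '/', '>', '=' or control characters; restricting the part
// after "data-" to a conservative [a-z0-9-] set is enough for this purpose.
const DATA_ATTR_NAME = /^data-[a-z0-9-]+$/;

function acceptDataAttrStrict(key) {
  return DATA_ATTR_NAME.test(key);
}

// Keep only attributes that are either on the tag's allowlist or accepted by
// the supplied data-* validator.
function filterHeadAttrs(attrs, allowlist, acceptDataAttr) {
  const out = {};
  for (const [key, value] of Object.entries(attrs)) {
    if (allowlist.has(key) || acceptDataAttr(key)) {
      out[key] = value;
    }
  }
  return out;
}

// Serialise a start tag, escaping attribute VALUES. The attribute NAME is
// emitted verbatim, so a name containing a space splits into two attributes
// in the output no matter how well the value is escaped.
function escapeAttrValue(v) {
  return String(v).replace(/&/g, '&amp;').replace(/"/g, '&quot;');
}

function renderTag(tag, attrs) {
  const parts = Object.entries(attrs).map(([k, v]) => `${k}="${escapeAttrValue(v)}"`);
  return `<${tag}${parts.length ? ' ' + parts.join(' ') : ''}>`;
}

// Constructed sample input (assumption): a CMS-supplied <meta> attribute set in
// which one key carries whitespace, the shape the advisory describes.
const SAMPLE_ATTRS = {
  name: 'description',
  content: 'Product page',
  'data-track': 'seo',
  'data-x onload': 'x', // constructed malformed key; the value is inert
};
const META_ALLOWLIST = new Set(['name', 'content']);

function renderWeak() {
  return renderTag('meta', filterHeadAttrs(SAMPLE_ATTRS, META_ALLOWLIST, acceptDataAttrPrefixOnly));
}

function renderStrict() {
  return renderTag('meta', filterHeadAttrs(SAMPLE_ATTRS, META_ALLOWLIST, acceptDataAttrStrict));
}

console.log('prefix-only check:', renderWeak());
console.log('strict check:     ', renderStrict());
```

With the prefix-only validator the rendered tag contains `data-x onload="x"`, which a browser parses as a `data-x` attribute followed by a separate `onload` attribute; the strict validator drops the malformed key and the tag keeps only `name`, `content` and `data-track`. The point for defenders is that attribute-value escaping is the wrong layer for this bug: the name itself has to be validated before serialisation.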


How can this vulnerability impact me?

This vulnerability can lead to persistent cross-site scripting (XSS) attacks in applications using the vulnerable unhead package versions. An attacker can inject malicious HTML attributes with event handlers into the <head> section of server-side rendered pages.

Such injection can cause arbitrary JavaScript code to execute in the context of users visiting the affected pages, potentially leading to session hijacking, data theft, or other malicious actions.

A realistic attack scenario involves a Nuxt application that accepts SEO metadata from a CMS or user input. If the input is not sanitized properly, the attacker can inject malicious attributes that trigger JavaScript execution on every page load.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by inspecting the server-side rendered HTML <head> tags for injected arbitrary HTML attributes, especially those starting with "data-" that contain spaces or event handlers such as onload or onclick.

A practical way to detect this is to review the SSR output of your Nuxt application for suspicious attributes in <link>, <meta>, or other <head> tags that include event handlers injected via malformed data-* attributes.

You can use commands like curl or wget to fetch the rendered HTML and grep for suspicious patterns. For example:

- curl -s https://your-nuxt-app.example.com | grep -E 'data-[^=]*\s(onload|onclick|onerror)='
- curl -s https://your-nuxt-app.example.com | grep -E '<link|<meta' | grep 'data-'

Additionally, reviewing the source code or configuration for usage of useHeadSafe() with user-generated content and checking the version of the unhead package can help identify vulnerable deployments. [1]
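The grep one-liners above work on a live fetch; the following added example (not part of this advisory and not unhead's code) performs the same two checks offline so they can be run in CI or against saved SSR output: it tokenises the attributes of each <head> tag and reports any tag carrying an on* event-handler attribute, and it classifies an installed unhead version string against the fixed version 2.1.11 taken from the description. The sample HTML document and all function names are constructed for the example.

```javascript
// Added example, not from the advisory or from unhead: offline detection of
// event-handler attributes in SSR <head> tags, plus a version check against
// the fixed release named in the advisory (2.1.11).

const FIXED_VERSION = [2, 1, 11];

// Parse "2.1.10", "^2.1.0" or "~2.0.3" into [major, minor, patch].
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v.trim().replace(/^[\^~]/, ''));
  if (!m) throw new Error(`unrecognised version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// True when the version is strictly below 2.1.11.
function isVulnerableVersion(v) {
  const a = parseVersion(v);
  for (let i = 0; i < 3; i++) {
    if (a[i] !== FIXED_VERSION[i]) return a[i] < FIXED_VERSION[i];
  }
  return false;
}

// Tokenise the attribute section of a start tag. A key that contains a space
// (the advisory's case) appears here as two separate names, which is exactly
// how a browser's tokenizer sees it.
const ATTR_RE = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

function attrNames(tagBody) {
  const names = [];
  for (const m of tagBody.matchAll(ATTR_RE)) names.push(m[1].toLowerCase());
  return names;
}

// Scan only the <head> section; body-level handlers are out of scope for this
// advisory. Quoted attribute values may contain '>' so the tag regex skips
// over quoted runs instead of stopping at the first '>'.
const TAG_RE = /<(meta|link|script|style|base|title|noscript)\b((?:"[^"]*"|'[^']*'|[^"'>])*)>/gi;

function scanHead(html) {
  const head = /<head\b[^>]*>([\s\S]*?)<\/head>/i.exec(html);
  if (!head) return [];
  const findings = [];
  for (const m of head[1].matchAll(TAG_RE)) {
    const names = attrNames(m[2]);
    const handlers = names.filter((n) => /^on[a-z]+$/.test(n));
    if (handlers.length) {
      findings.push({ tag: m[1].toLowerCase(), handlers, raw: m[0] });
    }
  }
  return findings;
}

// Constructed sample SSR output (assumption): one <link> tag whose attribute
// list has been split by a malformed data-* key, plus a legitimate body-level
// handler that must NOT be reported.
const SAMPLE_HTML = `<!DOCTYPE html><html><head>
<meta charset="utf-8">
<meta name="description" content="Price > 10" data-track="seo">
<link rel="canonical" href="https://example.test/p/1" data-x onload="x">
<title>Shop</title>
</head><body onload="init()"><p>body</p></body></html>`;

function demo() {
  return { findings: scanHead(SAMPLE_HTML), installedVulnerable: isVulnerableVersion('2.1.10') };
}

console.log(JSON.stringify(demo(), null, 2));
```

Run against real output, `scanHead` can be fed the body returned by the curl command above; a non-empty findings list on a <meta> or <link> tag is the same signal the grep pattern looks for, but the tokenizer also catches handlers that the single-space `\s` in the grep would miss (tabs, multiple spaces). The version check reads the range the advisory gives (everything before 2.1.11) and should be pointed at the resolved version in the lockfile rather than the range in package.json.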


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade the unhead package to version 2.1.11 or later, where the vulnerability is fixed by validating attribute names against a strict regular expression to prevent injection of malformed attributes.

If upgrading is not immediately possible, avoid passing user-generated content directly to useHeadSafe() without sanitizing attribute names to ensure they do not contain spaces or illegal characters.

Review and sanitize any SEO metadata or user input that is used to generate <head> tags to prevent injection of malicious attributes.

Monitor your application for suspicious behavior such as unexpected JavaScript execution triggered by injected event handlers in <head> tags.

