CVE-2026-39315
HTML Entity Decoding Flaw in Unhead Allows XSS via useHeadSafe
Publication date: 2026-04-09
Last updated on: 2026-04-14
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| unjs | unhead | to 2.1.13 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-184 | The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-39315 is a vulnerability in the npm package unhead, specifically in the useHeadSafe() composable used to safely render user-supplied content in the HTML <head>. The issue arises because the internal function that detects dangerous URI schemes (like javascript:, data:, vbscript:) decodes HTML entities using regular expressions with fixed digit limits. However, the HTML5 specification allows numeric character references with unbounded leading zeros and digit lengths.
When an attacker supplies padded numeric character references exceeding these fixed digit caps, the decoder fails to decode them, leaving the entity encoded in the string. This causes the dangerous URI scheme check to miss these cases, allowing the raw unsafe value to be written directly into server-side rendered HTML. Browsers then decode these padded entities natively, reconstructing the dangerous URI and enabling Cross-Site Scripting (XSS) attacks.
How can this vulnerability impact me? :
This vulnerability can lead to Cross-Site Scripting (XSS) attacks by allowing attackers to inject dangerous URI schemes such as javascript: or data: into server-side rendered HTML output. Although immediate script execution from certain tags like <link> may not occur automatically, downstream application code that reads or forwards these unsafe values (e.g., SEO tools, head management libraries, icon previewers) can trigger script execution.
Additionally, browsers like Chrome 146+ allow data: URIs in iframes, which can be exploited to execute scripts when such URIs are loaded by downstream consumers. This breaks the security guarantees of useHeadSafe(), exposing applications to SSR XSS and potentially stored XSS if navigation attributes are whitelisted in the future.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves the injection of dangerous URI schemes (e.g., javascript:, data:) encoded as padded numeric character references in HTML entities within server-side rendered HTML output. Detection involves inspecting SSR HTML output or network traffic for suspicious URI schemes encoded with leading-zero padded numeric character references.
You can detect potential exploitation by searching for encoded dangerous schemes in HTML content, for example, by looking for patterns like : or : which decode to colon (:), used in javascript: or data: URIs.
- Use command-line tools like grep or curl to fetch and scan HTML output for suspicious padded numeric entities in href or src attributes.
- Example command to scan a local HTML file or SSR output for padded numeric entities in href attributes: grep -E 'href="[^"]*�{5,}[0-9]+;' filename.html
- Example command to scan live HTTP responses for suspicious patterns: curl -s http://yourserver | grep -E 'href="[^"]*�{5,}[0-9]+;'
Note that these commands look for numeric character references with multiple leading zeros, which are indicators of the vulnerability exploitation attempts.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade the unhead package to version 2.1.13 or later, where the vulnerability is fixed by removing restrictive digit caps in the HTML entity decoding regexes.
Until the upgrade is applied, avoid using the vulnerable useHeadSafe() composable with untrusted user input, as it can lead to Cross-Site Scripting (XSS) via padded numeric character references.
- Upgrade unhead to version 2.1.13 or later.
- Audit and sanitize any user-supplied content rendered in the <head> section to ensure no dangerous URI schemes are present.
- Implement additional input validation or output encoding on user inputs that may be rendered in SSR HTML.
These steps will help prevent attackers from injecting dangerous URI schemes via padded numeric character references and mitigate the risk of SSR XSS.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
CVE-2026-39315 allows attackers to inject dangerous URI schemes such as javascript: and data: into server-side rendered HTML output via padded numeric character references, leading to Cross-Site Scripting (XSS) vulnerabilities.
Such XSS vulnerabilities can lead to unauthorized access to sensitive user data, session hijacking, and data leakage, which may violate data protection regulations like GDPR and HIPAA that require safeguarding personal and health information.
Therefore, this vulnerability undermines the security guarantees of applications using the affected unhead versions, potentially causing non-compliance with standards mandating secure handling of user data and protection against injection attacks.