PT-2026-25020 · Git+2 · Unhead

Simonkoeck · Published 2026-03-12 · Updated 2026-03-12 · CVE-2026-31860

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Unhead versions prior to 2.1.11

Description: Unhead is a document head and template manager. Before version 2.1.11, the useHeadSafe() function could be bypassed, allowing the injection of arbitrary HTML attributes, including event handlers, into server-side rendered (SSR) <head> tags. The acceptDataAttrs function in safe.ts (lines 16-20) permits any property key that starts with 'data-' to reach the final HTML. It verifies only the prefix and does not reject spaces or other characters that break HTML attribute parsing, so a crafted data-* key can carry additional attributes into the tag. A proof-of-concept demonstrates the injection of an onload event handler into a <link> tag, leading to script execution when the stylesheet loads. The issue is exploitable wherever a Nuxt application accepts SEO metadata from a content management system (CMS) or a user profile, and can then affect every page load. The vulnerable component is the acceptDataAttrs function, which processes attributes before the propsToString function interpolates them into the HTML string.

Recommendations: Update Unhead to version 2.1.11 or later.
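The root cause described above is an allowlist that checks only a prefix rather than validating the whole attribute name. The following is an added example written for this advisory, not Unhead's code: acceptDataAttrsWeak is a hypothetical reconstruction of a prefix-only check, and isSafeDataAttrName, filterDataAttrs, escapeAttr and propsToStringSafe are hypothetical names for the kind of strict validation and escaping that closes the gap. The constructed inputs in the comments show that a key containing whitespace passes the prefix check but is rejected by the strict one.

```typescript
// Added example (not Unhead's code). Names below are hypothetical.

// Reconstruction of a prefix-only allowlist (assumption about the weak check):
// any key beginning with "data-" is accepted, whatever follows.
function acceptDataAttrsWeak(key: string): boolean {
  return key.startsWith("data-");
}

// Hardened check: the whole key must be a single well-formed attribute name.
// Whitespace, quotes, '/', '>', '=' and control characters are all excluded,
// so a key cannot terminate the attribute name and start a new attribute.
const SAFE_DATA_ATTR = /^data-[a-z0-9_-]+$/i;

function isSafeDataAttrName(key: string): boolean {
  return SAFE_DATA_ATTR.test(key);
}

// Keep only the data-* entries whose names pass the strict check.
// (Other attribute families would be handled by their own allowlists.)
function filterDataAttrs(attrs: Record<string, string>): Record<string, string> {
  const out: Record<string, string> = {};
  for (const [k, v] of Object.entries(attrs)) {
    if (isSafeDataAttrName(k)) out[k] = v;
  }
  return out;
}

// Attribute values are escaped as well, so a value cannot close the quote
// and introduce new attributes either.
function escapeAttr(v: string): string {
  return v
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Serialise the filtered map as it would be interpolated into a tag.
// Constructed input {"data-id": 'a"b', "data-x y": "z", "data-ok": "1"}
// yields ' data-id="a&quot;b" data-ok="1"': the key with a space is dropped.
function propsToStringSafe(attrs: Record<string, string>): string {
  return Object.entries(filterDataAttrs(attrs))
    .map(([k, v]) => ` ${k}="${escapeAttr(v)}"`)
    .join("");
}
```

The defensive point is that a name allowlist must validate the complete token, not its prefix, and that name validation and value escaping are separate controls: both are needed before attributes are concatenated into an HTML string.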

Exploit · Fix · XSS

Weakness Enumeration

Related Identifiers

CVE-2026-31860
GHSA-G5XX-PWRP-G3FV

Affected Products

Unhead