PT-2026-25021 · Git+2 · Unhead

Simonkoeck · Published 2026-03-12 · Updated 2026-03-13 · CVE-2026-31873 · CVSS v3.1 6.1 Medium · Vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Unhead versions prior to 2.1.11
Description: Unhead is a document head and template manager. The link.href check in the makeTagSafe function (safe.ts) rejects data: URLs with String.includes(), which is case-sensitive. Browsers, however, treat URI schemes case-insensitively: 'DATA:text/css,...' is loaded exactly as 'data:text/css,...' would be, yet 'DATA:...'.includes('data:') returns false, so the tag passes the check untouched. An attacker who controls the href of an injected link tag can therefore supply a stylesheet as a data: URL and inject arbitrary CSS, for example DATA:text/css,body{display:none}, which enables UI manipulation or data exfiltration through CSS attribute selectors whose background-image rules fetch an attacker-controlled URL when a selector matches. The vulnerable code is on lines 68-71 of safe.ts.
Recommendations: Update to Unhead 2.1.11 or later. As a temporary workaround, change the link.href check in makeTagSafe (safe.ts) to a case-insensitive comparison, for example by lowercasing the value with .toLowerCase() before calling includes().
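The following is an added example, not Unhead's own code, that models the case-sensitive check from the Description and the case-insensitive workaround from the Recommendations side by side, then runs both against the advisory's DATA: payload. The function names (isDataHrefVulnerable, isDataHrefFixed, isDataHrefStrict, makeLinkSafe, evaluate), the simplified tag shape and the payload list are assumptions; the stricter scheme-parsing variant goes beyond the advisory's lowercase workaround by comparing only the scheme portion of the URL, the way a browser resolves it.

```javascript
// Added example (not Unhead's code). Models the link.href check the advisory
// describes and shows why case-sensitive includes() is bypassable.

// Vulnerable pattern as described in the advisory: String.includes() is
// case-sensitive, so 'DATA:...' is not caught.
function isDataHrefVulnerable(href) {
  return href.includes('data:');
}

// Workaround from the advisory: normalise case before comparing.
function isDataHrefFixed(href) {
  return href.toLowerCase().includes('data:');
}

// Stricter variant (assumption, not from the advisory): extract the URI scheme
// the way a browser does. Leading ASCII control characters and spaces are
// stripped by the URL parser, then everything up to the first ':' is the
// scheme, compared ASCII case-insensitively.
function uriScheme(href) {
  const trimmed = href.replace(/^[\x00-\x20]+/, '');
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(trimmed);
  return m ? m[1].toLowerCase() : null;
}

function isDataHrefStrict(href) {
  return uriScheme(href) === 'data';
}

// Simplified stand-in for a makeTagSafe-style sanitiser (hypothetical shape):
// a <link> tag is an object with rel/href; the href is dropped when the
// supplied check flags it as a data: URL.
function makeLinkSafe(tag, check) {
  const out = { ...tag };
  if (typeof out.href === 'string' && check(out.href)) {
    delete out.href;
  }
  return out;
}

// Constructed payloads. The second one is the advisory's bypass.
const PAYLOADS = [
  'data:text/css,body{display:none}',   // caught by every check
  'DATA:text/css,body{display:none}',   // bypasses the case-sensitive check
  'Data:text/css,body{display:none}',   // mixed case, same bypass
  '  data:text/css,body{display:none}', // leading whitespace, browser strips it
  'https://example.com/site.css',       // legitimate stylesheet, must survive
];

// Returns { payload: wasBlocked } for a given check function.
function evaluate(check) {
  const result = {};
  for (const href of PAYLOADS) {
    const safe = makeLinkSafe({ rel: 'stylesheet', href }, check);
    result[href] = safe.href === undefined;
  }
  return result;
}

for (const [name, check] of [
  ['vulnerable includes()', isDataHrefVulnerable],
  ['lowercase workaround', isDataHrefFixed],
  ['scheme parse', isDataHrefStrict],
]) {
  console.log(name, evaluate(check));
}
```

Running the block prints, for each check, which payloads were stripped: the case-sensitive check lets 'DATA:' and 'Data:' through, while both the lowercase workaround and the scheme-parsing variant block every data: form and leave the https:// stylesheet intact.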

Exploit

Fix

XSS

Related Identifiers

CVE-2026-31873
GHSA-5339-HVWR-7582

Affected Products

Unhead