HTML Injection Vulnerability in Unhead Document Manager by UnJS
CVE-2026-31860

5.3MEDIUM

Key Information:

Vendor: Unjs
Status: Unhead
Vendor: CVE Published:; 12 March 2026

What is CVE-2026-31860?

The Unhead document manager, developed by UnJS, has a vulnerability that allows attackers to inject arbitrary HTML attributes into the SSR-rendered tags. This critical issue arises from the useHeadSafe() function, which can be bypassed to manipulate the content, thus compromising the integrity of user-generated content. The acceptDataAttrs function on lines 16-20 of safe.ts fails to adequately validate HTML attribute keys, allowing malicious input to exploit the application. This flaw has been resolved in version 2.1.11.

Affected Version(s)

unhead < 2.1.11

References

https://github.com/unjs/unhead/security/advisories/GHSA-g...

x_refsource_CONFIRM

CVSS V4

Score:

5.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 12, 2026
Vulnerability Reserved
Mar 9, 2026

CVE-2026-31860 Data

JSON

Unjs

What is CVE-2026-31860?

Affected Version(s)

References

CVSS V4

Timeline