Case-Sensitive URI Scheme Check in Unhead Document Management System
CVE-2026-31873

Key Information:

Vendor: Unjs

Status
Vendor
CVE Published: 12 March 2026

What is CVE-2026-31873?

Unhead, a document head and template manager, checks URI schemes with a case-sensitive comparison. Browsers interpret URI schemes case-insensitively, so an attacker can bypass the check with a data URL written as 'DATA:text/css,...'. This allows injection of arbitrary CSS for user interface redressing or for extracting data through CSS attribute selectors, facilitating unauthorized access and data leakage. The vulnerability was fixed in version 2.1.11.
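The class of bug described above, as an added example that is not Unhead's own code: a case-sensitive prefix check next to a hardened check that parses the value with the WHATWG URL parser (which lower-cases the scheme as a browser does). The function names, scheme lists, placeholder base URL and sample values are assumptions, and the hardened form goes one step further than the fix described by using an allow-list.

```javascript
// Added illustration; names and scheme lists are assumptions,
// not taken from the Unhead code base.
const BLOCKED_SCHEMES = ['javascript:', 'data:'];
const ALLOWED_SCHEMES = new Set(['http:', 'https:']);

// Weak form: a raw prefix comparison is case-sensitive, so a scheme
// written in upper or mixed case does not match the lower-case entry.
function isBlockedCaseSensitive(href) {
  return BLOCKED_SCHEMES.some((scheme) => href.startsWith(scheme));
}

// Hardened form: let the URL parser normalise the scheme, then accept
// only schemes on the allow-list. Relative references resolve against
// a placeholder base and therefore come out as https:.
function isAllowedHref(href) {
  let url;
  try {
    url = new URL(href, 'https://placeholder.invalid/');
  } catch {
    return false; // unparseable input is rejected
  }
  return ALLOWED_SCHEMES.has(url.protocol);
}

// Constructed sample values for the comparison.
const SAMPLES = [
  'https://example.com/site.css',
  '/assets/site.css',
  'data:text/css,body{}',
  'DATA:text/css,body{}',
  'DaTa:text/css,body{}',
];

// Report what each check decides for every sample.
function compare(samples) {
  return samples.map((href) => ({
    href,
    weakCheckBlocks: isBlockedCaseSensitive(href),
    hardenedAllows: isAllowedHref(href),
  }));
}

console.table(compare(SAMPLES));
```
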

Affected Version(s)

unhead < 2.1.11

CVSS V3.1

Score:
Severity: NONE
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
