Vulnerability in Unhead Document Head and Template Manager by Unjs
CVE-2026-39315
6.1 MEDIUM
What is CVE-2026-39315?
Unhead, the document head and template manager, contains a vulnerability in the 'useHeadSafe()' composable in versions prior to 2.1.13. The flaw lies in how user-supplied content in tags is processed: the 'hasDangerousProtocol()' function decodes HTML entities before checking for blocked URI schemes, but the regular expressions used for decoding have a limitation, so numeric character references padded with leading zeros bypass the intended security checks. The browser still decodes those references when it parses the unfiltered content, allowing potentially malicious JavaScript to execute. The vulnerability is addressed in version 2.1.13.
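The decode-then-check mismatch described above, as an added JavaScript example that is not Unhead's source code: `limitedDecode` is a constructed stand-in whose digit cap is an assumption made for illustration, while `fullDecode` accepts any number of digits as an HTML parser does. All function names, the blocked-scheme list and the sample strings are hypothetical, and only numeric character references are handled.

```javascript
// Added illustration. Names, the digit cap and the samples are assumptions;
// this is not Unhead's implementation.
const BLOCKED = ['javascript:', 'data:', 'vbscript:'];

// HTML parsers map NUL, surrogates and out-of-range values to U+FFFD.
function toChar(cp) {
  const bad = !(cp > 0 && cp <= 0x10FFFF) || (cp >= 0xD800 && cp <= 0xDFFF);
  return bad ? '\uFFFD' : String.fromCodePoint(cp);
}

// Builds a single-pass decoder for numeric character references.
function makeDecoder(pattern) {
  return (s) => s.replace(pattern, (_, hex, dec) =>
    toChar(hex !== undefined ? parseInt(hex, 16) : parseInt(dec, 10)));
}

// Constructed stand-in: the digit count is capped (assumed cap), so a
// reference padded past it is left encoded and the scheme check never sees ':'.
const limitedDecode = makeDecoder(/&#(?:x([0-9a-f]{1,6})|(\d{1,7}));/gi);

// Hardened: any number of digits, optional ';', as a browser accepts.
const fullDecode = makeDecoder(/&#(?:x([0-9a-f]+)|(\d+));?/gi);

// Normalise the way a URL parser does before comparing schemes:
// drop tab/CR/LF, strip leading control characters and spaces, lowercase.
function hasBlockedScheme(value, decode) {
  const url = decode(value)
    .replace(/[\t\n\r]/g, '')
    .replace(/^[\u0000-\u0020]+/, '')
    .toLowerCase();
  return BLOCKED.some((scheme) => url.startsWith(scheme));
}

// Constructed regression inputs: plain, zero-padded, and a benign URL.
const PLAIN = 'javascript&#58;void(0)';
const PADDED = 'javascript&#0000000058;void(0)';
const BENIGN = 'https://example.com/?q=&#0000065;';

for (const [name, value] of Object.entries({ PLAIN, PADDED, BENIGN })) {
  console.log(name, 'limited:', hasBlockedScheme(value, limitedDecode),
    'full:', hasBlockedScheme(value, fullDecode));
}
```

The padded input is the one worth keeping as a regression test: a sanitiser's decoder has to accept at least everything the browser's parser accepts, or the two disagree about what the attribute contains.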
Affected Version(s)
unhead < 2.1.13
