CVE-2026-39315: Unhead is a document head and template manager. Prior to 2.1.13, useHeadSafe() is the composable that Nuxt's own documentation explicitly recommends f...

Description

Unhead is a document head and template manager. Prior to 2.1.13, useHeadSafe() is the composable that Nuxt's own documentation explicitly recommends for rendering user-supplied content in <head> safely. Internally, the hasDangerousProtocol() function in packages/unhead/src/plugins/safe.ts decodes HTML entities before checking for blocked URI schemes (javascript:, data:, vbscript:). The decoder uses two regular expressions with fixed-width digit caps. The HTML5 specification imposes no limit on leading zeros in numeric character references. When a padded entity exceeds the regex digit cap, the decoder silently skips it. The undecoded string is then passed to startsWith('javascript:'), which does not match. makeTagSafe() writes the raw value directly into SSR HTML output. The browser's HTML parser decodes the padded entity natively and constructs the blocked URI. This vulnerability is fixed in 2.1.13.

Metrics

CVSS 3.1

6.1/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

EPSS Probability

0.29%

20.2th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-184

Affected Software

Vendor	Product	Versions
Unjs	Unhead	< 2.1.13

References

https://github.com/unjs/unhead/commit/961ea781e091853812ffe17f8cda17105d2d2299Patch
https://github.com/unjs/unhead/releases/tag/v2.1.13Product, Release Notes
https://github.com/unjs/unhead/security/advisories/GHSA-95h2-gj7x-gx9wExploit, Mitigation, Vendor Advisory
https://github.com/unjs/unhead/security/advisories/GHSA-95h2-gj7x-gx9wExploit, Mitigation, Vendor Advisory

Timeline

Published: Apr 9, 2026
Last Modified: Jun 17, 2026
Status: Analyzed

Frequently Asked Questions

What is CVE-2026-39315?

Unhead is a document head and template manager. Prior to 2.1.13, useHeadSafe() is the composable that Nuxt's own documentation explicitly recommends for rendering user-supplied content in <head> safely. Internally, the hasDangerousProtocol() function in packages/unhead/src/plugins/safe.ts decodes HTML entities before checking for blocked URI schemes (javascript:, data:, vbscript:). The decoder uses two regular expressions with fixed-width digit caps. The HTML5 specification imposes no limit on leading zeros in numeric character references. When a padded entity exceeds the regex digit cap, the decoder silently skips it. The undecoded string is then passed to startsWith('javascript:'), which does not match. makeTagSafe() writes the raw value directly into SSR HTML output. The browser's HTML parser decodes the padded entity natively and constructs the blocked URI. This vulnerability is fixed in 2.1.13.

How severe is CVE-2026-39315?

CVE-2026-39315 has a CVSS score of 6.1/10 (MEDIUM severity). The EPSS model estimates a 0.29% probability of exploitation in the next 30 days.

How do I fix CVE-2026-39315?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.