CVE-2026-39315
- EPSS 0.05%
- Veröffentlicht 09.04.2026 18:17:01
- Zuletzt bearbeitet 14.04.2026 20:07:35
Unhead is a document head and template manager. Prior to 2.1.13, useHeadSafe() is the composable that Nuxt's own documentation explicitly recommends for rendering user-supplied content in <head> safely. Internally, the hasDangerousProtocol() function...
CVE-2026-31873
- EPSS 0.01%
- Veröffentlicht 12.03.2026 17:20:35
- Zuletzt bearbeitet 16.03.2026 17:57:01
Unhead is a document head and template manager. Prior to 2.1.11, The link.href check in makeTagSafe (safe.ts) uses String.includes(), which is case-sensitive. Browsers treat URI schemes case-insensitively. DATA:text/css,... is the same as data:text/c...
CVE-2026-31860
- EPSS 0.01%
- Veröffentlicht 12.03.2026 17:18:20
- Zuletzt bearbeitet 16.03.2026 17:56:34
Unhead is a document head and template manager. Prior to 2.1.11, useHeadSafe() can be bypassed to inject arbitrary HTML attributes, including event handlers, into SSR-rendered <head> tags. This is the composable that Nuxt docs recommend for safely ha...