CVE-2026-31860: Unhead has XSS bypass in `useHeadSafe` via attribute name injection and case-sensitive protocol check
`useHeadSafe()` can be bypassed to inject arbitrary HTML attributes, including event handlers, into SSR-rendered `<head>` tags. This is the composable that Nuxt docs recommend for safely handling user-generated content.
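The two failure classes named in the title, contrasted with a hardened form in a constructed sketch. This is an added example, not Unhead's code: every function name, the attribute-name pattern and the scheme allowlist are assumptions made for illustration.

```javascript
// Added illustration, not Unhead's source. All names here are hypothetical.

// Attribute names must be a plain token: no whitespace, quotes, '=', '/' or '>'.
const SAFE_ATTR_NAME = /^[a-z][a-z0-9_.:-]*$/i;
const URL_ATTRS = new Set(["href", "src"]);
const ALLOWED_SCHEMES = new Set(["http:", "https:"]); // assumed allowlist

// Weak form: compares the raw string, so a mixed-case scheme slips through.
function weakIsAllowedUrl(value) {
  return !String(value).startsWith("javascript:");
}

// Hardened form: drop characters browsers ignore when parsing a URL
// (tab, LF, CR, leading control characters and spaces), lowercase the scheme.
function schemeOf(value) {
  const cleaned = String(value)
    .replace(/[\t\n\r]/g, "")
    .replace(/^[\u0000-\u0020]+/, "");
  const m = /^([a-z][a-z0-9+.-]*:)/i.exec(cleaned);
  return m ? m[1].toLowerCase() : null; // null means a relative URL
}

function isAllowedUrl(value) {
  const scheme = schemeOf(value);
  return scheme === null || ALLOWED_SCHEMES.has(scheme);
}

function escapeAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Render attributes for an SSR tag, validating the name as well as the value.
function renderSafeAttrs(props) {
  const out = [];
  for (const [name, value] of Object.entries(props)) {
    if (!SAFE_ATTR_NAME.test(name)) continue;    // name would inject extra attributes
    const lower = name.toLowerCase();
    if (lower.startsWith("on")) continue;        // event handler attribute
    if (URL_ATTRS.has(lower) && !isAllowedUrl(value)) continue;
    out.push(`${lower}="${escapeAttr(value)}"`);
  }
  return out.join(" ");
}
```

Checking only attribute values is not enough when the attribute name itself is attacker-controlled, which is why `renderSafeAttrs` validates the key before anything else.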