Unhead Allows Malicious CSS Injection via Case-Sensitive URI Scheme Bypass
GHSA-5339-hvwr-7582
CVE-2026-31873
Summary
unhead versions up to and including 2.1.10 let an attacker who controls a link href bypass the URI scheme check in makeTagSafe by using an uppercase or mixed-case scheme (for example DATA: instead of data:). Browsers treat schemes case-insensitively, so the injected stylesheet still loads and the attacker can supply arbitrary CSS for UI redressing or data exfiltration. Version 2.1.11 fixes this; the scheme check must be case-insensitive, for example by lowercasing the href before testing it for the 'javascript:' and 'data:' schemes.
What to do
- Update unhead to version 2.1.11.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | unhead | <= 2.1.10 | 2.1.11 |
Original title
Unhead has a Bypass of URI Scheme Sanitization in makeTagSafe via Case-Sensitivity
Original description
Unhead is a document head and template manager. Prior to 2.1.11, the link.href check in makeTagSafe (safe.ts) uses String.includes(), which is case-sensitive. Browsers treat URI schemes case-insensitively. 'DATA:text/css,...' is the same as 'data:text/css,...' to the browser, but 'DATA:...'.includes('data:') returns false. An attacker can inject arbitrary CSS for UI redressing or data exfiltration via CSS attribute selectors with background-image callbacks. This vulnerability is fixed in 2.1.11.
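The following is an added example, not unhead's own makeTagSafe code. It places a naive, case-sensitive href check of the kind the advisory describes next to a hardened check that normalises the href the way a browser's URL parser does before comparing the scheme. The function names, the normalisation rules beyond plain lowercasing (stripping leading/trailing control characters and removing tab/newline), and the sample hrefs are assumptions made for this illustration; the bypass input DATA:text/css,... is the one from the advisory.

```javascript
// Added example (not unhead's code). Shows why String.includes() on the raw
// href misses an uppercase scheme, and one way to check the scheme robustly.

// Naive check: case-sensitive substring test, as described in the advisory.
// Misses 'DATA:...' and also flags harmless URLs that merely contain 'data:'.
function naiveIsUnsafeHref(href) {
  return href.includes('javascript:') || href.includes('data:');
}

// Schemes the advisory names as dangerous for a <link href>.
const BLOCKED_SCHEMES = new Set(['javascript', 'data']);

// Extract the scheme as a browser would see it: strip leading/trailing C0
// controls and spaces, remove tab/CR/LF anywhere (both per the WHATWG URL
// parser), then take the token before the first ':' and lowercase it.
// Returns null when the href has no scheme (relative URL).
function extractScheme(href) {
  const cleaned = String(href)
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, '')
    .replace(/[\t\n\r]/g, '');
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  return m ? m[1].toLowerCase() : null;
}

// Hardened check: case-insensitive, whitespace-tolerant, scheme-only.
function hardenedIsUnsafeHref(href) {
  const scheme = extractScheme(href);
  return scheme !== null && BLOCKED_SCHEMES.has(scheme);
}

// Constructed sample inputs (assumed for this example).
const SAMPLE_HREFS = [
  'https://example.com/style.css',          // benign
  'data:text/css,body{display:none}',       // caught by both checks
  'DATA:text/css,body{display:none}',       // the advisory's bypass
  ' \tjavascript:alert(1)',                 // leading whitespace before scheme
  'java\nscript:alert(1)',                  // newline inside scheme
  '/styles/app.css?q=data:',                // relative URL; naive false positive
];

// Returns one row per sample so the two checks can be compared side by side.
function compareChecks(hrefs = SAMPLE_HREFS) {
  return hrefs.map((href) => ({
    href,
    naive: naiveIsUnsafeHref(href),
    hardened: hardenedIsUnsafeHref(href),
  }));
}

// Usage: console.table(compareChecks());
```

Lowercasing the whole href before the includes() test, as the summary suggests, closes the case bypass but still matches anywhere in the string and still misses hrefs with leading whitespace or embedded tab/newline characters, which browsers strip; checking the parsed scheme rather than a substring avoids both problems.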
Vulnerability type
CWE-79
Cross-site Scripting (XSS)
References
- https://github.com/unjs/unhead/security/advisories/GHSA-5339-hvwr-7582
- https://github.com/unjs/unhead/releases/tag/v2.1.11
- https://github.com/advisories/GHSA-5339-hvwr-7582
- https://nvd.nist.gov/vuln/detail/CVE-2026-31873
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31873... (Vendor Advisory)
Published: 12 Mar 2026 · Updated: 14 Mar 2026 · First seen: 12 Mar 2026