Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
5.3
Nuxt: User-generated content can inject malicious HTML into page head
GHSA-g5xx-pwrp-g3fv
CVE-2026-31860
Summary
Nuxt's useHeadSafe function can be tricked into allowing malicious HTML attributes in the page head, potentially allowing attackers to inject script code. This can happen when user-generated content is not properly sanitized. To fix this, use a secure method to handle user-generated content.
What to do
- Update unhead to version 2.1.11.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | unhead | <= 2.1.10 | 2.1.11 |
Original title
Unhead is a document head and template manager. Prior to 2.1.11, useHeadSafe() can be bypassed to inject arbitrary HTML attributes, including event handlers, into SSR-rendered <head> tags. This is ...
Original description
Unhead is a document head and template manager. Prior to 2.1.11, useHeadSafe() can be bypassed to inject arbitrary HTML attributes, including event handlers, into SSR-rendered <head> tags. This is the composable that Nuxt docs recommend for safely handling user-generated content. The acceptDataAttrs function (safe.ts, line 16-20) allows any property key starting with data- through to the final HTML. It only checks the prefix, not whether the key contains spaces or other characters that break HTML attribute parsing. This vulnerability is fixed in 2.1.11.
Vulnerability type
CWE-79
Cross-site Scripting (XSS)
Published: 12 Mar 2026 · Updated: 14 Mar 2026 · First seen: 12 Mar 2026