unhead is vulnerable to Cross-Site Scripting
75
High Risk
Affected versions of this package contain a cross-site scripting (XSS) vulnerability in the useHeadSafe() functionality. The implementation lets arbitrary data-* attribute names pass validation without properly sanitizing the attribute key. Because attribute keys are later interpolated directly into server-side rendered HTML, an attacker can inject spaces into the attribute name to break out of the intended attribute and introduce additional HTML attributes such as event handlers. When a Nuxt application renders these tags in the <head>, malicious attributes (e.g., onload) may execute in the victim’s browser. This could allow an attacker to inject and execute arbitrary JavaScript when user-controlled metadata is processed using useHeadSafe().
You are affected if you are using a version that falls within the vulnerable range.
unhead is vulnerable to Cross-Site Scripting in versions 0.0.1 - 2.1.10.
Upgrade the unhead library to the patched version.
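The attribute-key flaw described above, shown beside a stricter key check, as an added example. This is not unhead's code: the function names, the allow-list pattern and the sample input are assumptions constructed for illustration.

```javascript
// Added example: hypothetical helpers, not unhead's implementation.

// Escape an attribute VALUE for use inside double quotes.
function escapeAttrValue(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Weak check in the style the advisory describes: only the "data-" prefix
// is tested, and the key is interpolated into the markup unchanged.
function renderAttrsNaive(attrs) {
  return Object.entries(attrs)
    .filter(([key]) => key.startsWith('data-'))
    .map(([key, value]) => `${key}="${escapeAttrValue(value)}"`)
    .join(' ');
}

// Strict check: the WHOLE key must be "data-" followed by a conservative
// character set. Whitespace, "=", "/", ">" and quotes can never appear,
// so a key cannot end one attribute and start another.
const SAFE_DATA_ATTR = /^data-[a-z0-9_.-]+$/i;

function isSafeDataAttrName(key) {
  return typeof key === 'string' && SAFE_DATA_ATTR.test(key);
}

// Same renderer, but keys that fail the strict check are dropped.
function renderAttrsSafe(attrs) {
  return Object.entries(attrs)
    .filter(([key]) => isSafeDataAttrName(key))
    .map(([key, value]) => `${key}="${escapeAttrValue(value)}"`)
    .join(' ');
}

// Constructed sample: the second key contains a space, so the naive
// renderer emits "onload" as a separate attribute of the tag.
const sampleAttrs = { 'data-id': '42', 'data-x onload': 'placeholder()' };

console.log(renderAttrsNaive(sampleAttrs));
console.log(renderAttrsSafe(sampleAttrs));
```

Escaping the value alone does not help here, because the injected content sits in the key; the key has to be validated as a whole before it reaches the HTML serializer.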