Intel

AIKIDO-2026-463850

unhead is vulnerable to Cross-Site Scripting (XSS)

Cross-Site Scripting (XSS) Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published 3 days ago

61

Medium Risk

This Affects:

JSunhead
3.0.0 - 3.1.6
Fixed in 3.1.7
Are you affected? Scan for Free

TL;DR

The server-side head rendering pipeline in unhead interpolates attribute names directly into HTML without validating them, so a key containing spaces, quotes, or angle brackets can terminate the intended attribute and inject additional HTML attributes such as event handlers. The useHeadSafe() guard, which is recommended for untrusted content, only blocks exact single-token rel values and does not re-check link href after template-parameter substitution, allowing multi-token rel values and substituted dangerous URIs to slip through. Duplicate attributes were also not collapsed with browser first-value semantics during template extraction, letting an inert tag be rewritten into an active one. The fix rejects invalid attribute names in normalization and serialization, preserves first-duplicate attribute semantics, and revalidates rel token lists and href values after resolution.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and your application renders untrusted or user-controlled values into document head tags, including via useHeadSafe().

Background info

unhead is vulnerable to Cross-Site Scripting (XSS) in versions 3.0.0 - 3.1.6.

How to fix this

Upgrade the unhead library to the patch version.