XSS in Unjs Unhead

CVE-2026-31860

Unhead is a document head and template manager. Prior to 2.1.11, useHeadSafe() can be bypassed to inject arbitrary HTML attributes, including event handlers, into SSR-rendered <head> tags. This is the composable that Nuxt docs recommend fo…

Vulnerability class: XSS (Cross-Site Scripting)

EPSS: 0.000 (5.6th percentile)
