XSS in Unjs Unhead

CVE-2026-31873

Unhead is a document head and template manager. Prior to 2.1.11, the link.href check in makeTagSafe (safe.ts) uses String.includes(), which is case-sensitive. Browsers treat URI schemes case-insensitively. DATA:text/css,... is the same as…

Vulnerability class: XSS (Cross-Site Scripting)

EPSS: 0.000 (5.7th percentile)

Affected products

Weakness classification (CWE)

References