Home / Vulnerability Intelligence / CVE-2026-31860

CVE-2026-31860 - Vulnerability Analysis

MediumCVSS: 6.1

Last Updated: March 16, 2026

Unhead - Stored XSS

Published: March 12, 2026Updated: March 16, 2026PoC AvailableRemote Exploitable

Overview

Unhead < 2.1.11 contains a stored XSS caused by improper validation of HTML attribute keys in useHeadSafe(), letting attackers inject arbitrary HTML attributes including event handlers into SSR-rendered <head> tags, exploit requires crafted user-generated content.

Severity & Score

Severity: Medium

CVSS Score: 6.1

Impact

Attackers can inject malicious HTML attributes and event handlers, leading to client-side script execution and potential user session compromise.

Mitigation

Update to version 2.1.11 or later.

References

https://github.com/unjs/unhead/security/advisories/GHSA-g5xx-pwrp-g3fv

Related Resources

Details

CVE ID: CVE-2026-31860
Severity: Medium
CVSS Score: 6.1
Type: stored_xss
Status: confirmed

CWE

CWE-79

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N