CVE-2026-31860 is a cross-site scripting vulnerability classified under CWE-79 affecting the unhead package, a document head and template manager commonly used in SSR frameworks such as Nuxt. The vulnerability exists in versions prior to 2.1.11 due to improper input neutralization during web page generation. Specifically, the useHeadSafe() composable, recommended by Nuxt documentation for safely handling user-generated content, can be bypassed to inject arbitrary HTML attributes into SSR-rendered <head> tags. The root cause lies in the acceptDataAttrs function, which permits any attribute key starting with 'data-' to be included in the final HTML without sufficiently validating the entire attribute name. This allows attackers to craft attribute keys containing spaces or special characters that disrupt HTML attribute parsing, enabling injection of event handlers or malicious scripts. Since the <head> element is rendered server-side, this can lead to persistent XSS attacks affecting all users viewing the page. The vulnerability requires no privileges or authentication but does require user interaction, such as visiting a maliciously crafted page. The CVSS 4.0 base score is 5.3 (medium severity), reflecting network attack vector, low complexity, no privileges required, but user interaction needed. No known exploits have been reported in the wild as of publication. The issue was addressed and fixed in unhead version 2.1.11 by improving attribute validation to prevent injection of malformed or malicious attributes.

This vulnerability enables attackers to perform cross-site scripting attacks by injecting arbitrary HTML attributes and event handlers into the <head> section of SSR-generated pages. Successful exploitation can lead to execution of malicious scripts in the context of the affected website, potentially resulting in session hijacking, credential theft, defacement, or delivery of malware to users. Organizations using unhead versions prior to 2.1.11 in their SSR frameworks, especially those handling user-generated content in the document head, are at risk. The impact is significant for websites relying on unhead for safe content injection, as it undermines the trust boundary between user input and rendered HTML. Although no known exploits are currently reported, the vulnerability's presence in a widely used composable recommended by Nuxt documentation increases the likelihood of future exploitation attempts. The medium severity score indicates moderate risk, but the potential for persistent XSS in high-traffic web applications elevates the importance of timely remediation. Exploitation requires user interaction, limiting automated mass exploitation but still posing a threat to end users. Organizations with public-facing SSR applications leveraging unhead should consider this a priority vulnerability to address.

The primary mitigation is to upgrade the unhead package to version 2.1.11 or later, where the vulnerability is fixed by enhanced validation of attribute keys in acceptDataAttrs. Until upgrading is possible, organizations should audit their use of useHeadSafe() and avoid passing untrusted user input directly to it, especially input that could contain spaces or special characters in attribute names. Implement additional server-side input validation or sanitization to restrict attribute keys to a safe whitelist beyond just the 'data-' prefix. Employ Content Security Policy (CSP) headers to restrict script execution and reduce the impact of potential XSS attacks. Monitor application logs and user reports for suspicious activity indicative of exploitation attempts. Educate developers on the risks of improper attribute injection in SSR contexts and encourage secure coding practices when handling user-generated content. Finally, conduct thorough security testing, including automated scanning and manual code review, to detect similar injection flaws in related components.