|
Vulnerabilities
< Back

CVE-2026-31873

Updated on 12 Mar 2026

Severity

6.1 Medium severity

Details

CVSS score
6.1
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE ID
Links
NISTCIRCLRHELUbuntu

Overview

About vulnerability

Unhead is a document head and template manager. Prior to 2.1.11, The link.href check in makeTagSafe (safe.ts) uses String.includes(), which is case-sensitive. Browsers treat URI schemes case-insensitively. DATA:text/css,… is the same as data:text/css,… to the browser, but ‘DATA:…’.includes(‘data:’) returns false. An attacker can inject arbitrary CSS for UI redressing or data exfiltration via CSS attribute selectors with background-image callbacks. This vulnerability is fixed in 2.1.11.

Details

Affected product:
head , nuxt , unhead
Affected packages:
@nuxt/vite-builder @ 3.2.0 (+28 more)
Unhead is a document head and template manager. Prior to 2.1.11, The link.href check in makeTagSafe (safe.ts) uses String.includes(), which is case-sensitive. Browsers treat URI schemes case-insensitively. DATA:text/css,… is the same as data:text/css,… to the browser, but ‘DATA:…’.includes(‘data:’) returns false. An attacker can inject arbitrary CSS for UI redressing or data exfiltration via CSS attribute selectors with background-image callbacks. This vulnerability is fixed in 2.1.11.