{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31873", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-09T19:02:25.014Z", "datePublished": "2026-03-12T17:20:35.660Z", "dateUpdated": "2026-03-12T17:46:46.723Z"}, "containers": {"cna": {"title": "Unhead has a Bypass of URI Scheme Sanitization in makeTagSafe via Case-Sensitivity", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 0, "baseSeverity": "NONE", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/unjs/unhead/security/advisories/GHSA-5339-hvwr-7582", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/unjs/unhead/security/advisories/GHSA-5339-hvwr-7582"}], "affected": [{"vendor": "unjs", "product": "unhead", "versions": [{"version": "< 2.1.11", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-12T17:20:35.660Z"}, "descriptions": [{"lang": "en", "value": "Unhead is a document head and template manager. Prior to 2.1.11, The link.href check in makeTagSafe (safe.ts) uses String.includes(), which is case-sensitive. Browsers treat URI schemes case-insensitively. DATA:text/css,... is the same as data:text/css,... to the browser, but 'DATA:...'.includes('data:') returns false. An attacker can inject arbitrary CSS for UI redressing or data exfiltration via CSS attribute selectors with background-image callbacks. This vulnerability is fixed in 2.1.11."}], "source": {"advisory": "GHSA-5339-hvwr-7582", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-12T17:46:23.897133Z", "id": "CVE-2026-31873", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-12T17:46:46.723Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-31873", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-12T17:46:23.897133Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-12T17:46:38.920Z"}}], "cna": {"title": "Unhead has a Bypass of URI Scheme Sanitization in makeTagSafe via Case-Sensitivity", "source": {"advisory": "GHSA-5339-hvwr-7582", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 0, "attackVector": "NETWORK", "baseSeverity": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "unjs", "product": "unhead", "versions": [{"status": "affected", "version": "< 2.1.11"}]}], "references": [{"url": "https://github.com/unjs/unhead/security/advisories/GHSA-5339-hvwr-7582", "name": "https://github.com/unjs/unhead/security/advisories/GHSA-5339-hvwr-7582", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Unhead is a document head and template manager. Prior to 2.1.11, The link.href check in makeTagSafe (safe.ts) uses String.includes(), which is case-sensitive. Browsers treat URI schemes case-insensitively. DATA:text/css,... is the same as data:text/css,... to the browser, but 'DATA:...'.includes('data:') returns false. An attacker can inject arbitrary CSS for UI redressing or data exfiltration via CSS attribute selectors with background-image callbacks. This vulnerability is fixed in 2.1.11."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-12T17:20:35.660Z"}}}, "cveMetadata": {"cveId": "CVE-2026-31873", "state": "PUBLISHED", "dateUpdated": "2026-03-12T17:46:46.723Z", "dateReserved": "2026-03-09T19:02:25.014Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-12T17:20:35.660Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:unjs:unhead:*:*:*:*:*:*:*:*", "matchCriteriaId": "67F3AFEA-7DE2-46CC-AC50-D8B49F57C37E", "versionEndExcluding": "2.1.11", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Unhead is a document head and template manager. Prior to 2.1.11, The link.href check in makeTagSafe (safe.ts) uses String.includes(), which is case-sensitive. Browsers treat URI schemes case-insensitively. DATA:text/css,... is the same as data:text/css,... to the browser, but 'DATA:...'.includes('data:') returns false. An attacker can inject arbitrary CSS for UI redressing or data exfiltration via CSS attribute selectors with background-image callbacks. This vulnerability is fixed in 2.1.11."}, {"lang": "es", "value": "Unhead es un gestor de cabeceras de documento y plantillas. Antes de la versi\u00f3n 2.1.11, la comprobaci\u00f3n de link.href en makeTagSafe (safe.ts) utiliza String.includes(), que distingue entre may\u00fasculas y min\u00fasculas. Los navegadores tratan los esquemas URI sin distinguir entre may\u00fasculas y min\u00fasculas. DATA:text/css,... es lo mismo que data:text/css,... para el navegador, pero 'DATA:...'.includes('data:') devuelve falso. Un atacante puede inyectar CSS arbitrario para la manipulaci\u00f3n de la interfaz de usuario o la exfiltraci\u00f3n de datos a trav\u00e9s de selectores de atributos CSS con retrollamadas de background-image. Esta vulnerabilidad se corrige en la versi\u00f3n 2.1.11."}], "id": "CVE-2026-31873", "lastModified": "2026-03-16T17:57:01.537", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 0.0, "baseSeverity": "NONE", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 0.0, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-12T18:16:24.387", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/unjs/unhead/security/advisories/GHSA-5339-hvwr-7582"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.1.11)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "unhead", "source": "cna", "vendor": "unjs"}, "product": "unhead", "vendor": "unjs"}], "analysis": {"en": {"generated_at": "2026-03-17T15:43:29.262084+00:00", "value": {"mitigation_remediation": ["Upgrade unhead to version\u202f2.1.11 or later."], "summary": {"action": "Patch", "impact": "CSS-based XSS or UI Redressing via malformed URI scheme"}, "threat_synthesis": {"affected_systems": "The affected product is unjs\u2019unhead\u2019. Versions prior to 2.1.11 are vulnerable, as the fix was introduced in 2.1.11.", "description_and_impact": "Unhead\u2019s makeTagSafe (safe.ts) validates the `link.href` field by calling `String.includes()` on the scheme string. This method is case\u2011sensitive, whereas browsers treat URI schemes case\u2011insensitively. As a result, an attacker can inject a `DATA:` scheme with mixed case (e.g., `DATA:text/css,\u2026`) that bypasses the check, allowing arbitrary CSS to be applied. The injected CSS may trigger UI redressing or data exfiltration through CSS attribute selectors and background\u2011image callbacks. This flaw is effectively a CSS\u2011based Cross\u2011Site Scripting vulnerability.", "risk_and_exploitability": "The advisory lists an EPSS score of less than 1\u202f% and the vulnerability is not in the CISA KEV catalog, indicating a low exploitation likelihood. Nevertheless, because the flaw enables injection of CSS that can modify page appearance or leak data, it could have serious impact if leveraged by an attacker. The vulnerability can be exploited from client\u2011side code that creates or modifies link tags, so the attack vector is browser\u2011based and requires the attacker to supply crafted markup to a vulnerable instance."}}}}, "created": "2026-03-13T09:50:52.305720+00:00", "updated": "2026-03-20T15:48:50.079946+00:00", "vendors": ["unjs", "unjs$PRODUCT$unhead"]}