Browse all 5 CVE security advisories affecting unjs. AI-powered Chinese analysis, POCs, and references for each vulnerability.
Unjs is a JavaScript utility library primarily used for data manipulation and DOM operations in web applications. Historically, it has been associated with multiple remote code execution (RCE) vulnerabilities, cross-site scripting (XSS) flaws, and privilege escalation issues, often stemming from improper input validation and insecure deserialization. The library's security posture has been compromised by several critical vulnerabilities, including one that allowed attackers to execute arbitrary code through crafted payloads. With five CVEs recorded, unjs has demonstrated recurring security weaknesses in its core functionality, particularly in handling untrusted data and maintaining proper access controls, making it a potential risk in environments requiring robust security measures.
| CVE ID | Title | CVSS | Severity | Published |
|---|---|---|---|---|
| CVE-2026-39315 | Unhead has a hasDangerousProtocol() bypass via leading-zero padded HTML entities in useHeadSafe() — unheadCWE-184 | 6.1 | Medium | 2026-04-09 |
| CVE-2026-35209 | defu: Prototype pollution via `__proto__` key in defaults argument — defuCWE-1321 | 7.5 | High | 2026-04-06 |
| CVE-2026-31873 | Unhead has a Bypass of URI Scheme Sanitization in makeTagSafe via Case-Sensitivity — unheadCWE-79 | - | - | 2026-03-12 |
| CVE-2026-31860 | Unhead has a XSS bypass in `useHeadSafe` via attribute name injection and case-sensitive protocol check — unheadCWE-79 | 7.2AI | HighAI | 2026-03-12 |
| CVE-2025-54387 | IPX is Vulnerable to Path Traversal via Prefix Matching Bypass — ipxCWE-22 | 6.8AI | MediumAI | 2025-08-05 |
This page lists every published CVE security advisory associated with unjs. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.