🌐
Exploit-DB
exploit-db.com › exploits › 52141
jQuery 3.3.1 - Prototype Pollution & XSS Exploit - Multiple webapps Exploit
April 8, 2025 - Load vulnerable jQuery (version 3.3.1) const script = document.createElement('script'); script.src = "https://ajax.googleapis.com/ajax/libs/jquery/3.3.1/jquery.min.js"; document.head.appendChild(script); // 2. Function to execute after jQuery is loaded script.onload = function() { console.log("[+] Vulnerable jQuery loaded!"); // 3. Inject malicious content for XSS (CVE-2020-7656) const maliciousContent = "<script>alert('XSS via CVE-2020-7656: ' + document.domain)</script >"; // Space after </script> $('body').append(maliciousContent); console.log("[+] XSS payload (CVE-2020-7656) injected. Alert will be displayed."); // 4. Exploit Prototype Pollution (CVE-2019-11358) const defaultConfig = { "backLink": "<a href='https://example.com'>Go Back</a>" }; const maliciousParams = { "__proto__": { "backLink": "<svg onload=alert('XSS via CVE-2019-11358: Prototype Pollution!')>" } }; // 5.
🌐
TrustedSec
trustedsec.com › home › blog › everything you need to know about jquery and its vulnerabilities
TrustedSec | Everything You Need to Know About jQuery and its…
March 19, 2025 - In summary, in order to exploit jQuery to the point where you can run your own JavaScript code, you must have control of a parameter that is being passed into one of the identified vulnerable functions.
🌐
Twingate
twingate.com › blog › tips › jquery-vulnerabilities
5 jquery Vulnerabilities | Twingate
In this article, we will look at ... to mitigate them. This vulnerability allows attackers to perform XSS attacks by exploiting the way jQuery differentiated selectors from HTML in versions before 1.9.0....
🌐
Snyk
security.snyk.io › snyk vulnerability database › npm
jquery | Snyk
Security vulnerabilities and package health score for npm package jquery
🌐
CVE Details
cvedetails.com › vulnerability-list › vendor_id-6538 › Jquery.html
Jquery : Security vulnerabilities, CVEs
In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with the '<' character, limiting exploitability only to attackers who can control the beginning of a string, which is far less common.
🌐
Exploit-DB
exploit-db.com › exploits › 49766
jQuery 1.2 - Cross-Site Scripting (XSS) - Multiple webapps Exploit
April 14, 2021 - # Exploit Title: jQuery 1.2 - Cross-Site Scripting (XSS) # Date: 04/29/2020 # Exploit Author: Central InfoSec # Version: jQuery versions greater than or equal to 1.2 and before 3.5.0 # CVE : CVE-2020-11022 # Proof of Concept 1: <option><style></option></select><img src=x onerror=alert(1)></style>
🌐
Adobe
experienceleague.adobe.com › en › docs › experience-cloud-kcs › kbarticles › ka-27176
JQuery UI security vulnerability CVE-2022-31160 fix for 2.4.4, 2.4.5, and 2.4.6 releases | Adobe Commerce
February 4, 2026 - There is a security vulnerability CVE-2022-31160 reported for jQuery-UI library version 1.13.1 which is used as a dependency in Adobe Commerce 2.4.4, 2.4.5, and 2.4.6. Adobe is not aware of any exploits for this issue.
🌐
HackerOne
hackerone.com › reports › 211149
Gratipay disclosed on HackerOne: Inadequate/dangerous jQuery behavior
Every text/javascript response gets executed. JQuery 1.10.2 is vulnerable and executes response received. https://assets.gratipay.com/jquery.min.js?etag=YoBy5yEtsejNrLIrIXUs2g~~ https://github.com/jquery/jquery/issues/2432
🌐
The Hacker News
thehackernews.com › home › cisa adds five-year-old jquery xss flaw to exploited vulnerabilities list
CISA Adds Five-Year-Old jQuery XSS Flaw to Exploited Vulnerabilities List
January 25, 2025 - The medium-severity vulnerability is CVE-2020-11023 (CVSS score: 6.1/6.9), a nearly five-year-old cross-site scripting (XSS) bug that could be exploited to achieve arbitrary code execution. "Passing HTML containing <option> elements from untrusted sources - even after sanitizing them - to one of jQuery's DOM manipulation methods (i.e.
🌐
GitHub
github.com › cve-sandbox › jquery
GitHub - cve-sandbox/jquery: CVE Collection of jQuery XSS Payloads · GitHub
CVE Collection of jQuery XSS Payloads · Maintained by @therceman · CVE · Version · Details · CVE-2020-11023 · >= 1.5.1 < 3.5.0 · View on Snyk · CVE-2020-11022 · >= 1.5.1 < 3.5.0 · View on Snyk · CVE-2019-11358 · >= 1.0.0 < 3.4.0 ·
Starred by 75 users
Forked by 11 users
Languages   HTML
🌐
CISA
cisa.gov › news-events › alerts › 2025 › 01 › 23 › cisa-adds-one-known-exploited-vulnerability-catalog
CISA Adds One Known Exploited Vulnerability to Catalog | CISA
January 23, 2025 - CISA has added one new vulnerability to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. CVE-2020-11023 JQuery Cross-Site Scripting (XSS) Vulnerability
🌐
Rapid7
rapid7.com › db › vulnerabilities › jquery-cve-2019-11358
jQuery Vulnerability: CVE-2019-11358
jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.
🌐
Outpost24
outpost24.com › home › blog › how to find and fix jquery vulnerabilities
How to find and fix jQuery vulnerabilities
November 10, 2025 - As we mentioned earlier, running outdated versions of jQuery can invite cross-site scripting – or XSS – vulnerabilities in your web applications. These vulnerabilities, rather than impact an application itself, instead impact a website’s users by injecting malicious content. Exploitation methods allow bad actors to compromise user identities stored in an application and redirect website traffic.
🌐
CVE Details
cvedetails.com › product › 11031 › Jquery-Jquery.html
Jquery Jquery security vulnerabilities, CVEs, versions and CVE reports
Jquery Jquery security vulnerabilities, CVEs, exploits, metasploit modules, vulnerability statistics and list of versions
🌐
SonicWall
sonicwall.com › blog › jquery-plugin-vulnerability-actively-exploited-for-few-years
jQuery plugin vulnerability actively exploited for few years
A widely used jQuery plugin, ‘jQuery-File-Upload’, also called Blueimp contains a critical vulnerability that allows attackers to perform remote code execution. This vulnerability has been in existence for several years and potentially places ...
🌐
Tenable
tenable.com › plugins › was › 112383
jQuery 1.2.0 < 3.5.0 Cross-Site Scripting | Tenable®
According to its self-reported version number, jQuery is at least 1.2.0 and prior to 3.5.0. Therefore, it may be affected by a cross-site scripting vulnerability via the regex operation in jQuery.htmlPrefilter.
🌐
Tenable
tenable.com › plugins › nessus › 182682
JQuery < 3.5.0 XSS | Tenable®
October 6, 2023 - In JQuery version greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of JQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code.
🌐
GitHub
github.com › jquery › jquery › discussions › 5062
JQuery 3.6.0 vulnerability · jquery/jquery · Discussion #5062
"jQuery contains commented references to the hijacked domain blindsignals, within the files src/queue/delay.js and test/data/jquery-1.9.1.js (the former referring to a Web Archive version of the original site).
Author   jquery
Top answer
1 of 2
10

One important distinction to make here is that just because the jQuery library contains known vulnerabilities, it does not mean that the website is vulnerable to the contained vulnerability.

As with many libraries, a website using jQuery will only be affected by a vulnerability if it uses the vulnerable function in a vulnerable way. If it does not use the functionality at all, the issues will not be exploitable. They might become exploitable if the used functionality on the website changes.

Looking, for example, at the mentioned jQuery 2.1.1: this version is, according to the site http://research.insecurelabs.org/jquery/test/, vulnerable to

  • jQuery issue 2432 - 3rd party $.get() auto executes if content type is text/javascript
  • jQuery issue 11974 - parseHTML executes inline scripts like event handlers

The first issue (https://github.com/jquery/jquery/issues/2432) can be exploited only if the vulnerable site uses $.get() for a URL that returns a response that can be influenced by you. If you cannot control the URL or the content, only a theoretical threat exists. The website owner of the site where the URL points could theoretically execute an XSS attack against the site that uses the vulnerable jQuery version in the mentioned way.

The second issue (https://bugs.jquery.com/ticket/11974) can only be exploited if the website uses the function $.parseHTML() and you can influence the input to that function. If it does not use the function in the described way, you cannot exploit the issue.

To wrap things up:
If you see the message "Vulnerable version of the library jquery" you will have to look at the JavaScript code that is actually used by the website and identify if it uses the vulnerable functions in a way that can be exploited by you. If it doesn't, you cannot create a proof of concept exploit or exploit the vulnerability.

2 of 2
2

Further to Denis's excellent answer it is also worth clarifying that an attacker needs to be able to control the inputs to the vulnerable functions when a "victim's" machine is visiting the site.

If, for example, there is a textbox on a webpage and when the user hits "Submit" the contents of that textbox are used as an argument to the $.get() function - that isn't an exploit per se, because the attacker is just executing the vulnerable function on their own machine.

A common attack scenario is a forum-style site where attackers can post content which is then rendered on other visitors' machines (e.g. you are currently reading my content rendered on your machine) - if part of the site's operation involves taking that content, or parts of that content, and passing it into vulnerable functions, then there you have a potential exploit.
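
As an added example (not part of either answer above, and not jQuery project code): a small Node.js triage helper for the review step the answers describe, listing calls to the two functions named in the first answer, `$.get()` and `$.parseHTML()`, and marking those whose first argument is not a fixed string. The name `findSinkCalls`, the regex heuristic and the sample source are assumptions made for this illustration.

```javascript
// Added example: code-review triage for a "vulnerable jQuery version" finding.
// Sinks are the two functions named in the answer above.
const SINKS = {
  get: "issue 2432: $.get() auto-executes text/javascript responses",
  parseHTML: "ticket 11974: parseHTML executes inline event handlers",
};

// Heuristic: match `$.get(` / `jQuery.parseHTML(` and capture the text of the
// first argument up to the first comma or closing parenthesis.
const CALL_RE = /(?:\$|jQuery)\.(get|parseHTML)\s*\(\s*([^,)]*)/g;

// A first argument that is one plain quoted string is fixed in the page's own
// code; anything else (variable, concatenation, call) needs a human to trace it.
const LITERAL_RE = /^(['"])(?:(?!\1)[^\\]|\\.)*\1$/;

function findSinkCalls(source) {
  const findings = [];
  source.split("\n").forEach((text, i) => {
    if (/^\s*\/\//.test(text)) return; // skip full-line comments
    for (const m of text.matchAll(CALL_RE)) {
      const arg = m[2].trim();
      findings.push({
        line: i + 1,
        sink: m[1],
        issue: SINKS[m[1]],
        arg,
        needsReview: !LITERAL_RE.test(arg),
      });
    }
  });
  return findings;
}

// Constructed sample of site JavaScript (not taken from any real site).
const SAMPLE = [
  'var widget = $.get("/static/widget.js");',
  'var q = new URLSearchParams(location.search).get("next");',
  "$.get(q);",
  "// $.parseHTML(legacy);",
  "var nodes = $.parseHTML(commentBody);",
  '$("#out").text(userName);',
].join("\n");

for (const f of findSinkCalls(SAMPLE)) {
  const verdict = f.needsReview ? "trace this argument" : "fixed string";
  console.log(`line ${f.line}: $.${f.sink}(${f.arg}) -> ${verdict} (${f.issue})`);
}
```

A call marked "fixed string" still deserves a look when the literal URL points at a third-party host, since the first answer notes that the owner of that host controls the response.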