jQuery (JavaScript Frameworks)


Products by jQuery, sorted by most security vulnerabilities since 2018

jQuery (JavaScript framework): 10 vulnerabilities
jQuery UI: 6 vulnerabilities

Known Exploited jQuery Vulnerabilities

The following jQuery vulnerability has been marked by CISA as known to be exploited by threat actors.

CVE-2020-11023: jQuery Cross-Site Scripting (XSS) Vulnerability
Description: jQuery contains a persistent cross-site scripting (XSS) vulnerability. When passing maliciously formed, untrusted input enclosed in HTML tags, jQuery's DOM manipulators can execute untrusted code in the context of the user's browser.
Exploit Probability: 36.3%
Added to the CISA KEV catalog: January 23, 2025

CVE-2020-11023 is in the top 5% of the currently known exploitable vulnerabilities. The affected range is jQuery 1.0.3 up to, but not including, 3.5.0 (see the entry under Recent jQuery Security Vulnerabilities below); the fix is to upgrade to jQuery 3.5.0 or later.

By the Year

So far in 2026 there have been 0 published vulnerabilities in jQuery, and none were published in 2025.

Year  Vulnerabilities  Average score
2026  0                0.00
2025  0                0.00
2024  1                0.00
2023  1                0.00
2022  0                0.00
2021  3                6.23
2020  4                6.63
2019  1                6.10
2018  3                7.50

The single 2024 and 2023 entries carry no score (one is a disputed jQuery UI report, the other a rejected duplicate CVE; both are listed below), which is why their average shows as 0.00.

It may take a day or so for new jQuery vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name (for example, jQuery UI issues are tracked separately from jQuery core).

Recent jQuery Security Vulnerabilities

CVE-2024-30875 (Oct 17, 2024) - jQuery UI
XSS via window.addEventListener in jquery-ui 1.13.1. A cross-site scripting vulnerability in the JavaScript library jquery-ui v1.13.1 allows a remote attacker to obtain sensitive information and execute arbitrary code via a crafted payload to the window.addEventListener component. NOTE: this is disputed by the supplier because it cannot be reproduced, and because the exploitation example does not indicate whether, or how, the example website is using jQuery UI.

CVE-2020-23064 (Jun 26, 2023) - jQuery
Rejected: duplicate of CVE-2020-11023. DO NOT USE THIS CANDIDATE NUMBER. All CVE users should reference CVE-2020-11023 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.

CVE-2021-41184 (Oct 26, 2021) - jQuery UI
jQuery UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the `of` option of the `.position()` util from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0: any string value passed to the `of` option is now treated as a CSS selector. A workaround is to not accept the value of the `of` option from untrusted sources.

CVE-2021-41183 (Oct 26, 2021) - jQuery UI
jQuery UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of various `*Text` options of the Datepicker widget from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0: the values passed to the various `*Text` options are now always treated as plain text, not HTML. A workaround is to not accept the value of the `*Text` options from untrusted sources.

CVE-2021-41182 (Oct 26, 2021) - jQuery UI
jQuery UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the `altField` option of the Datepicker widget from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0: any string value passed to the `altField` option is now treated as a CSS selector. A workaround is to not accept the value of the `altField` option from untrusted sources.
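The three jQuery UI entries above share one root cause: a string that the widget handed to `$()` is interpreted as HTML whenever it looks like markup, and parsing attacker-controlled markup creates elements whose inline handlers run. The example below is added here and is not jQuery's, jQuery UI's or stack.watch's code. It reconstructs the rule jQuery 3.x's `init()` uses to decide whether a string argument is HTML, an id, or a selector (the `rquickExpr` regex and the `<...>` fast path are copied from memory of the 3.x source and should be checked against the build you ship), and adds a hypothetical application-side guard, `guardUiOptionValue`, for code that cannot upgrade yet. The sample option values are constructed for the example.

```javascript
// Added example (not jQuery UI's code): why "$(untrustedString)" is a sink.
// Reconstruction of jQuery 3.x init(): a string is HTML if it is "<...>" as a
// whole, or matches rquickExpr's first group; "#id" is an id lookup; anything
// else goes to root.find() and is treated as a CSS selector only.
// Note: jQuery < 1.9 was looser still and treated a string as HTML if a "<"
// appeared anywhere in it.
const rquickExpr = /^(?:\s*(<[\w\W]+>)[^>]*|#([\w-]+))$/;

// Returns "html", "id" or "selector": how $(str) with no context would treat str.
function classifyJQueryStringArg(str) {
  let match;
  if (str[0] === "<" && str[str.length - 1] === ">" && str.length >= 3) {
    match = [null, str, null];            // fast path: parsed as HTML
  } else {
    match = rquickExpr.exec(str);
  }
  if (match && match[1]) return "html";   // jQuery.parseHTML -> elements created, handlers fire
  if (match && match[2]) return "id";     // document.getElementById
  return "selector";                      // CSS selector, no element creation
}

// Hypothetical guard for applications stuck on jQuery UI < 1.13.0: refuse any
// value jQuery would parse as HTML before handing it to altField / of.
// The real fix is upgrading to jQuery UI >= 1.13.0, which treats these
// options as CSS selectors regardless of content.
function guardUiOptionValue(value) {
  if (typeof value !== "string") throw new TypeError("option value must be a string");
  if (classifyJQueryStringArg(value) === "html") {
    throw new Error("refusing option value that jQuery would parse as HTML");
  }
  return value;
}

// Constructed sample values: two attacker-supplied, two legitimate.
const sampleOptionValues = {
  attack: '<img src=x onerror="alert(document.domain)">',
  paddedAttack: '  <img src=x onerror="alert(1)"> trailing text',  // still HTML per rquickExpr
  legitimateId: "#altDate",
  legitimateSelector: "form .alt-date",
};

// Walk the samples; returns { value: classification } for inspection.
function classifyAll(values) {
  const out = {};
  for (const key of Object.keys(values)) out[key] = classifyJQueryStringArg(values[key]);
  return out;
}
```

Run `classifyAll(sampleOptionValues)` to see that both attack strings, including the one with leading whitespace and trailing text, land in the HTML path while the legitimate values do not. The guard only closes the HTML-interpretation route; a selector-only string can still point the widget at an element the attacker did not create, so the option should still not be taken from untrusted input.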
CVE-2020-7656 (May 19, 2020) - jQuery
jQuery prior to 1.9.0 allows cross-site scripting attacks via the load method. The load method fails to recognize and remove "<script>" HTML tags that contain a whitespace character, i.e. "</script >", which results in the enclosed script logic being executed.

CVE-2020-11022 (Apr 29, 2020) - jQuery
In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

CVE-2020-11023 (Apr 29, 2020) - jQuery
In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
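Both CVE-2020-7656 and CVE-2020-11022 come down to jQuery rewriting HTML with regular expressions before the browser parsed it, so the markup a sanitizer inspected was not the markup that reached `innerHTML`. The example below is added here and is not jQuery's code: the two regexes are reconstructed from memory of the pre-fix sources (`rscript` as used by `.load()` in the 1.8 line, `rxhtmlTag` as used by `htmlPrefilter` in 3.x before 3.5.0) and should be checked against the exact version you run. The sample response and markup strings are constructed for the example. CVE-2020-11023 follows the same pattern through the `<option>` wrapping path and is fixed by the same 3.5.0 release, but is not reproduced here.

```javascript
// Added example (not jQuery's code): the two regex-based HTML filters and the
// inputs that slip past them.

// CVE-2020-7656: jQuery < 1.9.0 .load() stripped <script> blocks from the
// fetched response with this regex before appending it. It only recognises a
// literal "</script>", so "</script >" (note the space) is left untouched.
const rscript = /<script\b[^<]*(?:(?!<\/script>)<[^<]*)*<\/script>/gi;

function legacyLoadStripScripts(responseText) {
  return responseText.replace(rscript, "");
}

// CVE-2020-11022: jQuery < 3.5.0 ran every HTML string through htmlPrefilter,
// which expanded self-closing tags ("<x/>" -> "<x></x>") for non-void elements.
// In the browser, everything after "<style>" is raw text until "</style>", so a
// DOM-based sanitizer sees no <img> element in the input below. After the
// rewrite the inner "<style/>" becomes "<style></style>", the raw-text section
// ends early, and the <img> with its onerror handler becomes a real element.
const rxhtmlTag = /<(?!area|br|col|embed|hr|img|input|link|meta|param)(([a-z][^\/\0>\x20\t\r\n\f]*)[^>]*)\/>/gi;

function legacyHtmlPrefilter(html) {
  return html.replace(rxhtmlTag, "<$1></$2>");
}

// jQuery 3.5.0 made htmlPrefilter the identity: markup reaches the parser as-is.
function fixedHtmlPrefilter(html) {
  return html;
}

// Constructed inputs.
const wellFormedScript = "<p>ok</p><script>alert(1)</script>";
const spacedCloseTag = "<p>ok</p><script >alert(1)</script >";   // defeats rscript
const styleBypass = "<style><style/><img src=x onerror=alert(1)>"; // defeats a DOM sanitizer once rewritten

// Summarise what each filter does to each input; returns an object for inspection.
function runFilters() {
  return {
    strippedWellFormed: legacyLoadStripScripts(wellFormedScript),
    strippedSpaced: legacyLoadStripScripts(spacedCloseTag),
    legacyPrefiltered: legacyHtmlPrefilter(styleBypass),
    fixedPrefiltered: fixedHtmlPrefilter(styleBypass),
  };
}
```

`runFilters()` shows the well-formed script removed but the `</script >` variant surviving intact, and the `<style><style/>...` string turned into `<style><style></style><img ...>` by the legacy prefilter while the 3.5.0 prefilter returns it unchanged. The practical lesson is the one the advisories state: sanitize, then pass the result to a version of jQuery that does not rewrite it, and treat any library-side string transformation between sanitizer and parser as a bypass candidate.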
CVE-2018-18405 (Apr 22, 2020) - jQuery
jQuery v2.2.2 allows XSS via a crafted onerror attribute of an IMG element. NOTE: this entry has been reported to be a spam entry.

CVE-2019-11358 (Apr 20, 2019) - jQuery
jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.
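The CVE-2019-11358 entry above describes the mechanism in one sentence; the example below, added here and not jQuery's code, walks through it. `deepExtend` is a simplified reconstruction of the recursive merge that `jQuery.extend(true, target, source)` performed before 3.4.0, and the `skipProto` flag adds the check jQuery 3.4.0 introduced (ignore a key named `__proto__`). It is not the library function itself (jQuery's version also guards against `target === copy` and handles arrays), and the attacker-controlled JSON is constructed for the example.

```javascript
// Added example (not jQuery's code): prototype pollution through a deep merge.

// Plain-object test in the spirit of jQuery.isPlainObject: null prototype or
// Object.prototype. Note that Object.prototype itself passes this test, which
// is exactly what lets the recursion below reach it.
function isPlainObject(value) {
  if (value === null || typeof value !== "object") return false;
  const proto = Object.getPrototypeOf(value);
  return proto === null || proto === Object.prototype;
}

// Recursive merge of source into target. With skipProto=false this mirrors
// the pre-3.4.0 behaviour; with skipProto=true it applies the 3.4.0 fix.
function deepExtend(target, source, skipProto) {
  for (const name in source) {
    if (skipProto && name === "__proto__") continue;   // the jQuery 3.4.0 fix
    const copy = source[name];
    if (isPlainObject(copy)) {
      // Reading target["__proto__"] on a plain object goes through the
      // accessor and returns Object.prototype, so without the skip the
      // recursive call merges the attacker's keys into the global prototype.
      const existing = target[name];
      target[name] = deepExtend(isPlainObject(existing) ? existing : {}, copy, skipProto);
    } else if (copy !== undefined) {
      target[name] = copy;
    }
  }
  return target;
}

const deepExtendVulnerable = (target, source) => deepExtend(target, source, false);
const deepExtendFixed = (target, source) => deepExtend(target, source, true);

// Constructed attacker-controlled input. JSON.parse creates an own, enumerable
// property literally named "__proto__" (an object literal {__proto__: ...}
// would instead set the prototype and never appear in for-in).
const maliciousJson = '{"name":"demo","__proto__":{"isAdmin":true}}';

// Merge the payload into an empty object with the given extend function and
// report whether an unrelated, freshly created object inherited "isAdmin".
function runDemo(extendFn) {
  const payload = JSON.parse(maliciousJson);
  const merged = extendFn({}, payload);
  const leaked = ({}).isAdmin === true;
  delete Object.prototype.isAdmin;   // clean up so later checks start from a clean prototype
  return { mergedName: merged.name, leaked };
}
```

`runDemo(deepExtendVulnerable)` reports `leaked: true`: after the merge every object in the realm answers `isAdmin === true`, which is how a `if (user.isAdmin)` check elsewhere in the application gets bypassed. `runDemo(deepExtendFixed)` reports `leaked: false` while still copying the legitimate `name` key. When auditing your own merge or config-loading helpers, apply the same two tests: feed them `JSON.parse` output containing `__proto__` (and, for completeness, `constructor.prototype`), then check a fresh `{}` for the injected key.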
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD). Always check with your vendor for the most up-to-date and accurate information.