jQuery jQuery JavaScript Frameworks

stack.watch can email you when security vulnerabilities are reported in any jQuery product. You can add multiple products that you use with jQuery to create your own personal software stack watcher.

Products by jQuery Sorted by Most Security Vulnerabilities since 2018

jQuery5 vulnerabilities
JavaScript Framework

Jquery Ui1 vulnerability

@jquery Tweets

jQuery 3.6.0 has been released! Some bug fixes and a feature for JSONP error handling. https://t.co/ZUYnvrbmHc
Tue Mar 02 17:57:45 +0000 2021

OpenJS World 2021 is happening in June! Register now or submit a talk proposal. #OpenJSWorld21 https://t.co/LQlEJ4xMpL
Mon Feb 01 17:20:56 +0000 2021

jQuery 3.5.1 is out! A small release for a regression in 3.5.0. https://t.co/o5k81ZvK37
Mon May 04 23:01:30 +0000 2020

jQuery 3.5.0 has been released! This update includes a security fix and even a couple new features. https://t.co/QimHZOxFCO
Fri Apr 10 16:36:22 +0000 2020

RT @openjsf: Miss the AMA with @jquery? Catch the replay here! Big thanks to @jorydotcom, @davemethvin and @timmywil for a great, informati…
Thu Feb 06 22:38:00 +0000 2020

By the Year

In 2021 there have been 0 vulnerabilities in jQuery . Last year jQuery had 3 security vulnerabilities published. Right now, jQuery is on track to have less security vulnerabilities in 2021 than it did last year.

Year Vulnerabilities Average Score
2021 0 0.00
2020 3 6.10
2019 1 6.10
2018 1 6.10

It may take a day or so for new jQuery vulnerabilities to show up. Additionally vulnerabilities may be tagged under a different product or component name.

Latest jQuery Security Vulnerabilities

In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML

CVE-2020-11022 6.1 - Medium - April 29, 2020

In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

CVE-2020-11022 is exploitable with network access, requires user interaction. This vulnerability is considered to have a low attack complexity. It has an exploitability score of 2.8 out of four. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality and integrity, and no impact on availability.

XSS

In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements

CVE-2020-11023 6.1 - Medium - April 29, 2020

In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

CVE-2020-11023 can be explotited with network access, requires user interaction. This vulnerability is considered to have a low attack complexity. It has an exploitability score of 2.8 out of four. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality and integrity, and no impact on availability.

XSS

** DISPUTED ** jQuery v2.2.2 allows XSS via a crafted onerror attribute of an IMG element

CVE-2018-18405 6.1 - Medium - April 22, 2020

** DISPUTED ** jQuery v2.2.2 allows XSS via a crafted onerror attribute of an IMG element. NOTE: this vulnerability has been reported to be spam entry.

CVE-2018-18405 can be explotited with network access, requires user interaction. This vulnerability is considered to have a low attack complexity. It has an exploitability score of 2.8 out of four. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality and integrity, and no impact on availability.

XSS

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {},

CVE-2019-11358 6.1 - Medium - April 20, 2019

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.

CVE-2019-11358 is exploitable with network access, requires user interaction. This vulnerability is considered to have a low attack complexity. It has an exploitability score of 2.8 out of four. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality and integrity, and no impact on availability.

XSS

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option

CVE-2015-9251 6.1 - Medium - January 18, 2018

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.

CVE-2015-9251 can be explotited with network access, requires user interaction. This vulnerability is considered to have a low attack complexity. It has an exploitability score of 2.8 out of four. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality and integrity, and no impact on availability.

XSS

Cross-site scripting (XSS) vulnerability in jQuery UI before 1.12.0 might

CVE-2016-7103 6.1 - Medium - March 15, 2017

Cross-site scripting (XSS) vulnerability in jQuery UI before 1.12.0 might allow remote attackers to inject arbitrary web script or HTML via the closeText parameter of the dialog function.

CVE-2016-7103 can be explotited with network access, requires user interaction. This vulnerability is considered to have a low attack complexity. It has an exploitability score of 2.8 out of four. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality and integrity, and no impact on availability.

XSS

Built by Foundeo Inc., with data from the National Vulnerability Database (NVD), Icons by Icons8