Jquery

This hub aggregates every CVE we track for Jquery, a product in the oss libraries space. Use it to gauge the current risk picture and drill into individual advisories.

OSS Libraries

CVEs tracked

Critical

High

In CISA KEV

Severity distribution

MEDIUM10HIGH1

Monthly trend

2024-072026-06

Latest CVEs

See all →

The 11 most recently published vulnerabilities affecting Jquery.

CVE-2020-7656jquery prior to 1.9.0 allows Cross-site Scripting attacks via the load method. The load method fails to recognize and remove "<script>" HTML tags that contain a whitespace character, i.e: "</script...6.1May 19, 2020
CVE-2020-11022jQuery has a potential XSS vulnerability6.9Apr 29, 2020
CVE-2020-11023Potential XSS vulnerability in jQueryKEV6.9Apr 29, 2020
CVE-2018-18405jQuery v2.2.2 allows XSS via a crafted onerror attribute of an IMG element. NOTE: this vulnerability has been reported to be spam entry6.1Apr 22, 2020
CVE-2019-11358jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an...6.1Apr 19, 2019
CVE-2015-9251jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.6.1Jan 18, 2018
CVE-2016-10707jQuery 3.0.0-rc.1 is vulnerable to Denial of Service (DoS) due to removing a logic that lowercased attribute names. Any attribute getter using a mixed-cased name for boolean attributes goes into an...7.5Jan 18, 2018
CVE-2012-6708jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQue...6.1Jan 18, 2018
CVE-2014-6071jQuery 1.4.2 allows remote attackers to conduct cross-site scripting (XSS) attacks via vectors related to use of the text method inside after.6.1Jan 16, 2018
CVE-2011-4969Cross-site scripting (XSS) vulnerability in jQuery before 1.6.3, when using location.hash to select elements, allows remote attackers to inject arbitrary web script or HTML via a crafted tag.4.3Mar 8, 2013
CVE-2007-2379The jQuery framework exchanges data using JavaScript Object Notation (JSON) without an associated protection scheme, which allows remote attackers to obtain the data via a web page that retrieves t...5.0Apr 30, 2007

Product normalization is registry-driven with AI assist and human review. How it works