Description
Passing HTML from untrusted sources to one of jQuery's DOM manipulation methods (such as .html(), .append(), and others) may execute untrusted code, even after that HTML has been sanitized. Before jQuery 3.5.0, jQuery.htmlPrefilter rewrote self-closing tags (<tag/>) into <tag></tag> with a regular expression that has no notion of HTML context, so markup a sanitizer had parsed and approved could become different markup by the time the browser parsed it, for example by ending a <style> element early or breaking out of an attribute value and exposing an injected element. jQuery 3.5.0 removes the rewrite: htmlPrefilter now returns its input unchanged.
Recommendation
Update the jquery package to 3.5.0 or the latest compatible version. Version details:
- Affected version(s): >= 1.2.0, < 3.5.0
- Patched version(s): 3.5.0
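The description above says sanitized HTML can still execute, and the recommendation says to move to 3.5.0; the following added example (the editor's own code, not jQuery's source or the advisory's) shows why both are true. It reimplements the pre-3.5.0 htmlPrefilter rewrite beside the 3.5.0 behaviour, runs two constructed payloads through each, and includes a check a reviewer can run over sanitizer output plus a stopgap for builds that cannot be bumped yet. The regex is written to the shape jQuery 3.x used; `neutralizePrefilter`, `mutatedByLegacyPrefilter`, the `jq` stand-in object and both payload strings are this example's own assumptions.

```javascript
// Added example, not jQuery's own source or the advisory's: a stand-alone
// reimplementation of what jQuery.htmlPrefilter did before 3.5.0, beside the
// 3.5.0 behaviour, so the rewrite behind CVE-2020-11022 can be inspected in
// Node without a browser or the jquery package.

// Regex with the same shape as the rxhtmlTag jQuery 3.x used: any
// self-closing tag whose name is not a void element is expanded to
// "<tag ...></tag>". It runs over a string, so it cannot tell whether the
// "<" it finds is a real tag, raw text inside <style>, or part of an
// attribute value.
const RX_HTML_TAG =
  /<(?!area|br|col|embed|hr|img|input|link|meta|param)(([a-z][^\/\0>\x20\t\r\n\f]*)[^>]*)\/>/gi;

// jQuery < 3.5.0: rewrite self-closing tags before the browser parses them.
function htmlPrefilterLegacy(html) {
  return html.replace(RX_HTML_TAG, "<$1></$2>");
}

// jQuery >= 3.5.0: the string reaches the parser exactly as sanitized.
function htmlPrefilterFixed(html) {
  return html;
}

// Review check: does the legacy rewrite change this string at all? If it
// does, whatever the sanitizer approved is not what the browser will parse.
function mutatedByLegacyPrefilter(html) {
  return htmlPrefilterLegacy(html) !== html;
}

// Stopgap (editor's suggestion, not a substitute for 3.5.0) for a jQuery
// build that exposes htmlPrefilter as an overridable hook (1.12/2.2 and
// later) and cannot be upgraded yet: make the hook the identity function
// before any untrusted HTML is passed in. `jq` stands in for the global
// jQuery object.
function neutralizePrefilter(jq) {
  jq.htmlPrefilter = function (html) {
    return html;
  };
  return jq;
}

// Constructed payloads (assumption: the sanitizer parses HTML per spec, so
// in both strings it sees no <img onerror=...> element at all).
const PAYLOADS = {
  // "<style/>" and the img are raw text inside <style>; after the rewrite
  // the inserted "</style>" ends the element and the img becomes real.
  rawText: "<style><style/><img src=x onerror=alert(1)></style>",
  // '<x" title="/>' lives inside two attribute values of a harmless img;
  // the rewrite inserts '></x">', which closes the first tag and leaves a
  // second, live img behind it.
  attribute: '<img alt="<x" title="/><img src=x onerror=alert(1)>">',
};

// Run both payloads through both prefilters and report what changed.
function demo() {
  const results = {};
  for (const [name, html] of Object.entries(PAYLOADS)) {
    results[name] = {
      legacy: htmlPrefilterLegacy(html),
      fixed: htmlPrefilterFixed(html),
      mutated: mutatedByLegacyPrefilter(html),
    };
  }
  return results;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

The first payload becomes `<style><style></style><img src=x onerror=alert(1)></style>` and the second `<img alt="<x" title="></x"><img src=x onerror=alert(1)>">`; in each case an `<img onerror>` that never existed as an element in the sanitized input now does. `mutatedByLegacyPrefilter` is only a heuristic (it flags any `<div/>` as well), but a true result on sanitizer output is exactly the condition under which jQuery < 3.5.0 turns approved markup into something else.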
References
- GHSA-gxr4-xjj5-5px2
- www.drupal.org
- www.debian.org
- www.oracle.com
- lists.opensuse.org
- security.gentoo.org
- lists.apache.org
- www.npmjs.com
- www.tenable.com
- lists.debian.org
- packetstormsecurity.com
- lists.fedoraproject.org
- security.netapp.com
- blog.jquery.com
- jquery.com
- CVE-2020-11022
- CWE-79
- CAPEC-310
- OWASP 2021-A3
- OWASP 2021-A6
Related Issues
- Prebid-universal-creative latest on npm briefly compromised - CVE-2025-59039
- JS Html Sanitizer allows XSS when used with contentEditable - CVE-2025-29771
- Potential XSS vulnerability in jQuery - CVE-2020-11023
- XSS in jQuery as used in Drupal, Backdrop CMS, and other products - CVE-2019-11358
Tags:
- npm
- jquery
Last updated on January 31, 2025