CVE-2020-11023 MEDIUM

CVE-2020-11023: Potential XSS vulnerability in jQuery

Vendor Jquery
Product jQuery
Weakness CWE-79 · XSS
KEV Status Known Exploited
Published April 29, 2020
Last update October 21, 2025
View on NVD All CVEs

CVSS base score

6.9/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction Required
Confidentiality High
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N

What the vulnerability does

01Description

In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

CISA mandated remediation

02CISA Required Action

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Key dates

03Disclosure timeline

April 29, 2020 CVE published
October 21, 2025 Record updated

Related vulnerabilities

05Related CVE

CVE-2026-42554 Fiber: XSS in AutoFormat Content Negotiation CVE-2025-66522 Foxit pdfonline.foxit.com Stored Cross-Site Scripting in Digital IDs Common Name Field CVE-2025-9378 Vayu Blocks <= 1.3.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Block Attributes CVE-2023-50370 WordPress Livemesh Addons for WPBakery Page Builder Plugin <= 3.5 is vulnerable to Cross Site Scripting (XSS) CVE-2025-43567 Adobe Connect | Cross-site Scripting (Reflected XSS) (CWE-79)