CVE-2020-11022
jQuery has a potential XSS vulnerabilityIn jQuery starting with 1.12.0 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
We have discovered 3,491,397 live websites that are affected by CVE-2020-11022.
Affected Software
| Product |  jQuery |
| Category | JavaScript Frameworks |
| Vulnerable Domains | 3,491,397 live websites (21% of jQuery install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 85 versions ( 27% of all versions) |
Common Weakness Enumeration
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')Details
- Published - Apr 29, 2020
- Updated - Apr 13, 2026
CVE References
CWE References
CWE
Website Distribution by Country
Number of websites using CVE-2020-11022 United States | 977,723 websites |
 Germany | 271,146 websites |
 Russia | 231,034 websites |
 Japan | 215,053 websites |
 Israel | 157,110 websites |
 France | 156,805 websites |
 GB | 111,016 websites |
 Netherlands | 106,267 websites |
 Italy | 100,786 websites |
 China | 88,642 websites |
Website Distribution by TLD
Number of websites using CVE-2020-11022| .com | 1,508,192 websites |
| .ru | 186,917 websites |
| .de | 165,196 websites |
| .org | 125,434 websites |
| .net | 99,483 websites |
| .nl | 81,029 websites |
| .co.uk | 78,932 websites |
| .it | 73,384 websites |
| .fr | 62,051 websites |
| .jp | 60,907 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2020-11022
Top websites that are affected by CVE-2020-11022. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| **********.***********.com | United States | ** | |
| ********.****.br |  Brazil | ** | |
| *******.com |  Singapore | *** | |
| ***********.com |  Ireland | *** | |
| ******.com | United States | *** | |
| ****.br | Brazil | *** | |
| *****.******.com | United States | *** | |
| **********.com | United States | *** | |
| *********.com |  Canada | *** | |
| *******.com | United States | *** |
FAQ
CVE-2020-11022 is Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in jQuery
A total of 3,491,397 websites have been identified as vulnerable to CVE-2020-11022, based on global website indexing conducted by WebTechSurvey.
The jQuery is affected by the CVE-2020-11022 vulnerability.
jQuery versions up to 3.5 are vulnerable to CVE-2020-11022.
CVE-2020-11022 is resolved in version 3.5 of jQuery.
References
- https://github.com/jquery/jquery/security/advisories/GHSA-gxr4-xjj5-5px2
- https://github.com/maximebf/php-debugbar/issues/447
- https://github.com/jquery/jquery/commit/1d61fd9407e6fbe82fe55cb0b938307aa0791f77
- https://github.com/maximebf/php-debugbar/commit/847216e60544258c881f2733d699bbcfeefac0fc
- https://lists.fedoraproject.org/archives/list/[email protected]/message/VOE7P7APPRQKD4FGNHBKJPDY6FFCOH3W
- https://lists.opensuse.org/opensuse-security-announce/2020-07/msg00067.html
- https://lists.opensuse.org/opensuse-security-announce/2020-07/msg00085.html
- https://lists.opensuse.org/opensuse-security-announce/2020-11/msg00039.html
- https://packetstormsecurity.com/files/162159/jQuery-1.2-Cross-Site-Scripting.html
- https://security.gentoo.org/glsa/202007-03
- https://www.debian.org/security/2020/dsa-4693
- https://www.drupal.org/sa-core-2020-002
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujan2021.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://www.oracle.com/security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://www.tenable.com/security/tns-2020-10
- https://www.tenable.com/security/tns-2020-11
- https://www.tenable.com/security/tns-2021-02
- https://www.tenable.com/security/tns-2021-10
- https://blog.jquery.com/2020/04/10/jquery-3-5-0-released
- https://github.com/jquery/jquery/releases/tag/3.5.0
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/jquery-rails/CVE-2020-11022.yml
- https://jquery.com/upgrade-guide/3.5
- https://lists.apache.org/thread.html/r0483ba0072783c2e1bfea613984bfb3c86e73ba8879d780dc1cc7d36@%3Cissues.flink.apache.org%3E
- https://lists.apache.org/thread.html/r49ce4243b4738dd763caeb27fa8ad6afb426ae3e8c011ff00b8b1f48@%3Cissues.flink.apache.org%3E
- https://lists.apache.org/thread.html/r54565a8f025c7c4f305355fdfd75b68eca442eebdb5f31c2e7d977ae@%3Cissues.flink.apache.org%3E
- https://lists.apache.org/thread.html/r564585d97bc069137e64f521e68ba490c7c9c5b342df5d73c49a0760@%3Cissues.flink.apache.org%3E
- https://lists.apache.org/thread.html/r706cfbc098420f7113968cc377247ec3d1439bce42e679c11c609e2d@%3Cissues.flink.apache.org%3E
- https://lists.apache.org/thread.html/r8f70b0f65d6bedf316ecd899371fd89e65333bc988f6326d2956735c@%3Cissues.flink.apache.org%3E
- https://lists.apache.org/thread.html/rbb448222ba62c430e21e13f940be4cb5cfc373cd3bce56b48c0ffa67@%3Cdev.flink.apache.org%3E
- https://lists.apache.org/thread.html/rdf44341677cf7eec7e9aa96dcf3f37ed709544863d619cca8c36f133@%3Ccommits.airflow.apache.org%3E
- https://lists.apache.org/thread.html/re4ae96fa5c1a2fe71ccbb7b7ac1538bd0cb677be270a2bf6e2f8d108@%3Cissues.flink.apache.org%3E
- https://lists.apache.org/thread.html/rede9cfaa756e050a3d83045008f84a62802fc68c17f2b4eabeaae5e4@%3Cissues.flink.apache.org%3E
- https://lists.apache.org/thread.html/ree3bd8ddb23df5fa4e372d11c226830ea3650056b1059f3965b3fce2@%3Cissues.flink.apache.org%3E
- https://lists.debian.org/debian-lts-announce/2021/03/msg00033.html
- https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html
- https://lists.fedoraproject.org/archives/list/[email protected]/message/AVKYXLWCLZBV2N7M46KYK4LVA5OXWPBY
- https://lists.fedoraproject.org/archives/list/[email protected]/message/QPN2L2XVQGUA2V5HNQJWHK3APSK3VN7K
- https://lists.fedoraproject.org/archives/list/[email protected]/message/SAPQVX3XDNPGFT26QAQ6AJIXZZBZ4CD4
- https://lists.fedoraproject.org/archives/list/[email protected]/message/SFP4UK4EGP4AFH2MWYJ5A5Z4I7XVFQ6B
- http://security.netapp.com/advisory/ntap-20200511-0006