CVE-2020-11023
Potential XSS vulnerability in jQueryIn jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
We have discovered 7,099,257 live websites that are affected by CVE-2020-11023.
Affected Software
| Product |  jQuery |
| Category | JavaScript Frameworks |
| Vulnerable Domains | 7,099,257 live websites (42% of jQuery install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 269 versions ( 86% of all versions) |
Common Weakness Enumeration
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')Details
- Published - Apr 29, 2020
- Updated - Oct 21, 2025
CVE References
CWE References
CWE
Website Distribution by Country
Number of websites using CVE-2020-11023 United States | 2,165,231 websites |
 Germany | 529,414 websites |
 Russia | 462,708 websites |
 Japan | 449,488 websites |
 China | 310,793 websites |
 France | 289,979 websites |
 Israel | 282,786 websites |
 GB | 216,007 websites |
 Netherlands | 180,138 websites |
 Italy | 179,354 websites |
Website Distribution by TLD
Number of websites using CVE-2020-11023| .com | 3,171,206 websites |
| .ru | 375,179 websites |
| .de | 340,314 websites |
| .org | 256,638 websites |
| .net | 231,388 websites |
| .co.uk | 162,358 websites |
| .nl | 147,138 websites |
| .it | 129,757 websites |
| .jp | 128,480 websites |
| .fr | 109,424 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2020-11023
Top websites that are affected by CVE-2020-11023. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| **********.***********.com | United States | ** | |
| ********.****.br |  Brazil | ** | |
| *********.com | United States | *** | |
| *******.com |  Singapore | *** | |
| *********.com | United States | *** | |
| ***********.com |  Ireland | *** | |
| ******.com | United States | *** | |
| ******.ru | Russia | *** | |
| *******.*********.com | United States | *** | |
| *****************.com | United States | *** |
FAQ
CVE-2020-11023 is Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in jQuery
A total of 7,099,257 websites have been identified as vulnerable to CVE-2020-11023, based on global website indexing conducted by WebTechSurvey.
The jQuery is affected by the CVE-2020-11023 vulnerability.
jQuery versions up to 3.5 are vulnerable to CVE-2020-11023.
CVE-2020-11023 is resolved in version 3.5 of jQuery.
References
- https://www.debian.org/security/2020/dsa-4693
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QPN2L2XVQGUA2V5HNQJWHK3APSK3VN7K/
- https://www.oracle.com/security-alerts/cpujul2020.html
- https://jquery.com/upgrade-guide/3.5/
- https://security.netapp.com/advisory/ntap-20200511-0006/
- https://www.drupal.org/sa-core-2020-002
- https://github.com/jquery/jquery/security/advisories/GHSA-jpcq-cgw6-v4j6
- https://blog.jquery.com/2020/04/10/jquery-3-5-0-released
- http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00067.html
- https://security.gentoo.org/glsa/202007-03
- http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00085.html
- https://lists.apache.org/thread.html/r094f435595582f6b5b24b66fedf80543aa8b1d57a3688fbcc21f06ec%40%3Cissues.hive.apache.org%3E
- https://lists.apache.org/thread.html/rf661a90a15da8da5922ba6127b3f5f8194d4ebec8855d60a0dd13248%40%3Cdev.hive.apache.org%3E
- https://lists.apache.org/thread.html/r9c5fda81e4bca8daee305b4c03283dddb383ab8428a151d4cb0b3b15%40%3Cissues.hive.apache.org%3E
- https://lists.apache.org/thread.html/ra3c9219fcb0b289e18e9ec5a5ebeaa5c17d6b79a201667675af6721c%40%3Cgitbox.hive.apache.org%3E
- https://lists.apache.org/thread.html/radcb2aa874a79647789f3563fcbbceaf1045a029ee8806b59812a8ea%40%3Cissues.hive.apache.org%3E
- https://lists.apache.org/thread.html/rd38b4185a797b324c8dd940d9213cf99fcdc2dbf1fc5a63ba7dee8c9%40%3Cissues.hive.apache.org%3E
- https://lists.apache.org/thread.html/r6e97b37963926f6059ecc1e417721608723a807a76af41d4e9dbed49%40%3Cissues.hive.apache.org%3E
- https://lists.apache.org/thread.html/rb69b7d8217c1a6a2100247a5d06ce610836b31e3f5d73fc113ded8e7%40%3Cissues.hive.apache.org%3E
- https://lists.apache.org/thread.html/r4aadb98086ca72ed75391f54167522d91489a0d0ae25b12baa8fc7c5%40%3Cissues.hive.apache.org%3E
- https://lists.apache.org/thread.html/ra374bb0299b4aa3e04edde01ebc03ed6f90cf614dad40dd428ce8f72%40%3Cgitbox.hive.apache.org%3E
- https://lists.apache.org/thread.html/rb25c3bc7418ae75cba07988dafe1b6912f76a9dd7d94757878320d61%40%3Cgitbox.hive.apache.org%3E
- https://lists.apache.org/thread.html/rf1ba79e564fe7efc56aef7c986106f1cf67a3427d08e997e088e7a93%40%3Cgitbox.hive.apache.org%3E
- https://lists.apache.org/thread.html/ra32c7103ded9041c7c1cb8c12c8d125a6b2f3f3270e2937ef8417fac%40%3Cgitbox.hive.apache.org%3E
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SFP4UK4EGP4AFH2MWYJ5A5Z4I7XVFQ6B/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AVKYXLWCLZBV2N7M46KYK4LVA5OXWPBY/
- https://lists.apache.org/thread.html/ra406b3adfcffcb5ce8707013bdb7c35e3ffc2776a8a99022f15274c6%40%3Cissues.hive.apache.org%3E
- https://lists.apache.org/thread.html/rab82dd040f302018c85bd07d33f5604113573514895ada523c3401d9%40%3Ccommits.hive.apache.org%3E
- https://lists.apache.org/thread.html/r6c4df3b33e625a44471009a172dabe6865faec8d8f21cac2303463b1%40%3Cissues.hive.apache.org%3E
- https://lists.apache.org/thread.html/r1fed19c860a0d470f2a3eded12795772c8651ff583ef951ddac4918c%40%3Cgitbox.hive.apache.org%3E
- https://lists.apache.org/thread.html/r0593393ca1e97b1e7e098fe69d414d6bd0a467148e9138d07e86ebbb%40%3Cissues.hive.apache.org%3E
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SAPQVX3XDNPGFT26QAQ6AJIXZZBZ4CD4/
- https://lists.apache.org/thread.html/rda99599896c3667f2cc9e9d34c7b6ef5d2bbed1f4801e1d75a2b0679%40%3Ccommits.nifi.apache.org%3E
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://lists.apache.org/thread.html/r706cfbc098420f7113968cc377247ec3d1439bce42e679c11c609e2d%40%3Cissues.flink.apache.org%3E
- https://lists.apache.org/thread.html/rbb448222ba62c430e21e13f940be4cb5cfc373cd3bce56b48c0ffa67%40%3Cdev.flink.apache.org%3E
- http://lists.opensuse.org/opensuse-security-announce/2020-11/msg00039.html
- https://lists.apache.org/thread.html/r49ce4243b4738dd763caeb27fa8ad6afb426ae3e8c011ff00b8b1f48%40%3Cissues.flink.apache.org%3E
- https://lists.apache.org/thread.html/r2c85121a47442036c7f8353a3724aa04f8ecdfda1819d311ba4f5330%40%3Cdev.felix.apache.org%3E
- https://lists.apache.org/thread.html/r4dba67be3239b34861f1b9cfdf9dfb3a90272585dcce374112ed6e16%40%3Cdev.felix.apache.org%3E
- https://lists.apache.org/thread.html/r3702ede0ff83a29ba3eb418f6f11c473d6e3736baba981a8dbd9c9ef%40%3Cdev.felix.apache.org%3E
- https://lists.apache.org/thread.html/r07ab379471fb15644bf7a92e4a98cbc7df3cf4e736abae0cc7625fe6%40%3Cdev.felix.apache.org%3E
- https://lists.apache.org/thread.html/r9e0bd31b7da9e7403478d22652b8760c946861f8ebd7bd750844898e%40%3Cdev.felix.apache.org%3E
- https://lists.apache.org/thread.html/rf0f8939596081d84be1ae6a91d6248b96a02d8388898c372ac807817%40%3Cdev.felix.apache.org%3E
- https://lists.apache.org/thread.html/r9006ad2abf81d02a0ef2126bab5177987e59095b7194a487c4ea247c%40%3Ccommits.felix.apache.org%3E
- https://lists.apache.org/thread.html/r55f5e066cc7301e3630ce90bbbf8d28c82212ae1f2d4871012141494%40%3Cdev.felix.apache.org%3E
- https://www.oracle.com/security-alerts/cpujan2021.html
- https://lists.apache.org/thread.html/r8f70b0f65d6bedf316ecd899371fd89e65333bc988f6326d2956735c%40%3Cissues.flink.apache.org%3E
- https://lists.apache.org/thread.html/r564585d97bc069137e64f521e68ba490c7c9c5b342df5d73c49a0760%40%3Cissues.flink.apache.org%3E
- https://lists.debian.org/debian-lts-announce/2021/03/msg00033.html
- https://lists.apache.org/thread.html/ree3bd8ddb23df5fa4e372d11c226830ea3650056b1059f3965b3fce2%40%3Cissues.flink.apache.org%3E
- https://lists.apache.org/thread.html/rede9cfaa756e050a3d83045008f84a62802fc68c17f2b4eabeaae5e4%40%3Cissues.flink.apache.org%3E
- https://lists.apache.org/thread.html/r54565a8f025c7c4f305355fdfd75b68eca442eebdb5f31c2e7d977ae%40%3Cissues.flink.apache.org%3E
- https://lists.apache.org/thread.html/re4ae96fa5c1a2fe71ccbb7b7ac1538bd0cb677be270a2bf6e2f8d108%40%3Cissues.flink.apache.org%3E
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://www.tenable.com/security/tns-2021-10
- https://www.tenable.com/security/tns-2021-02
- http://packetstormsecurity.com/files/162160/jQuery-1.0.3-Cross-Site-Scripting.html
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpuoct2021.html
- https://lists.apache.org/thread.html/r0483ba0072783c2e1bfea613984bfb3c86e73ba8879d780dc1cc7d36%40%3Cissues.flink.apache.org%3E
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://lists.debian.org/debian-lts-announce/2023/08/msg00040.html