CVE-2015-9251

MEDIUM EXPLOITED

jQuery < 3.0.0 - Cross-Site Scripting via Cross-Domain Ajax Request

Title source: llm

Exploitation Summary

CVE-2015-9251 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 4 public exploits from researchers including halkichi0308, hackgiver, moften.

AI-analyzed exploit summary The repository contains only a README.md file with the CVE identifier and no additional technical details or exploit code. It is a placeholder with minimal content.

Description

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.

Exploits (4)

nomisec STUB 9 stars

by halkichi0308 · client-side

https://github.com/halkichi0308/CVE-2015-9251

View Code ZIP pw:eip

The repository contains only a README.md file with the CVE identifier and no additional technical details or exploit code. It is a placeholder with minimal content.

Classification

Stub 100%

Attack Type

Other

Complexity

Trivial

Reliability

Theoretical

Target: unknown

No auth needed

devstral-2 · analyzed Feb 18, 2026 Full analysis →

nomisec WORKING POC 2 stars

by hackgiver · client-side

https://github.com/hackgiver/CVE-2015-9251

View Code ZIP pw:eip

This repository contains a functional PoC for CVE-2015-9251, demonstrating an XSS vulnerability in jQuery versions prior to 3.0.0. The server.py script serves a malicious JavaScript payload that triggers an alert with the document domain, showcasing the XSS exploit.

Classification

Working Poc 90%

Attack Type

Xss

Complexity

Trivial

Reliability

Reliable

Target: jQuery < 3.0.0

No auth needed

Prerequisites: Victim must visit a page that includes the malicious script

MITRE ATT&CK

T1059.007 - JavaScript

devstral-2 · analyzed Feb 18, 2026 Full analysis →

nomisec WORKING POC 2 stars

by moften · client-side

https://github.com/moften/CVE-2015-9251

View Code ZIP pw:eip

This repository contains a functional Proof of Concept (PoC) for CVE-2015-9251, demonstrating a JSONP callback XSS vulnerability in jQuery versions prior to 3.0.0. The exploit leverages unsanitized callback parameters to execute arbitrary JavaScript, such as stealing cookies.

Classification

Working Poc 90%

Attack Type

Xss

Complexity

Trivial

Reliability

Reliable

Target: jQuery < 3.0.0

No auth needed

Prerequisites: A vulnerable jQuery version (< 3.0.0) in use by the target application · A JSONP endpoint that reflects the callback parameter

MITRE ATT&CK

T1059.007 - JavaScript

devstral-2 · analyzed Feb 18, 2026 Full analysis →

nomisec WORKING POC

by rox-11 · poc

https://github.com/rox-11/xss

View Code ZIP pw:eip

This repository contains a minimal JavaScript proof-of-concept demonstrating an XSS vulnerability (CVE-2015-9251). The code triggers an alert box, confirming the presence of the vulnerability.

Classification

Working Poc 90%

Attack Type

Xss

Complexity

Trivial

Reliability

Reliable

Target: Unknown (CVE-2015-9251 likely affects a web application)

No auth needed

Prerequisites: Victim must execute the JavaScript in a vulnerable context

MITRE ATT&CK

T1059.007 - JavaScript

devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (38)

Core 38

Core References

Third Party Advisory, VDB Entry vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/105658

Mailing List mailing-list x_refsource_bugtraq

https://seclists.org/bugtraq/2019/May/18

Mailing List mailing-list x_refsource_fulldisc

http://seclists.org/fulldisclosure/2019/May/11

Mailing List mailing-list x_refsource_fulldisc

http://seclists.org/fulldisclosure/2019/May/10

Mailing List mailing-list x_refsource_fulldisc

http://seclists.org/fulldisclosure/2019/May/13