CVE-2020-11022

MEDIUM EXPLOITED IN THE WILD

jQuery 1.12.0-3.4.1 - Cross-Site Scripting via DOM Manipulation Methods

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2020-11022 has been observed exploited in the wild (reported by VulnCheck KEV, InTheWild.io). EIP tracks 9 public exploits from researchers including Central InfoSec, 0xAJ2K, Snorlyd.

AI-analyzed exploit summary This exploit demonstrates a DOM-based XSS vulnerability in jQuery versions 1.2 to 3.5.0 by injecting malicious HTML into a page, triggering an alert via an onerror event. The PoC leverages improper handling of HTML fragments in jQuery's parsing logic.

Description

In jQuery starting with 1.12.0 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Exploits (9)

exploitdb WORKING POC
by Central InfoSec · textwebappsmultiple
https://www.exploit-db.com/exploits/49766

This exploit demonstrates a DOM-based XSS vulnerability in jQuery versions 1.2 to 3.5.0 by injecting malicious HTML into a page, triggering an alert via an onerror event. The PoC leverages improper handling of HTML fragments in jQuery's parsing logic.

Classification
Working Poc 90%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: jQuery versions >= 1.2 and < 3.5.0
No auth needed
Prerequisites: A vulnerable version of jQuery loaded on a webpage · Ability to inject malicious HTML into the DOM
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 34 stars
by 0xAJ2K · client-side
https://github.com/0xAJ2K/CVE-2020-11022-CVE-2020-11023

This repository demonstrates CVE-2020-11022 and CVE-2020-11023, which are XSS vulnerabilities in jQuery versions before 3.5.0. The PoC includes a PHP page that exploits the vulnerability via DOM manipulation methods like .html().

Classification
Working Poc 100%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: jQuery versions >= 1.2 and < 3.5.0
No auth needed
Prerequisites: A web server to host the index.php file · A victim visiting the crafted URL
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WRITEUP 1 stars
by Snorlyd · poc
https://github.com/Snorlyd/https-nj.gov---CVE-2020-11022

This repository contains a writeup describing a potential XSS vulnerability in jQuery.htmlPrefilter and related methods, specifically CVE-2020-11022. It provides recommendations for mitigation, including updating to jQuery 3.5.0 or applying a workaround.

Classification
Writeup 90%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: jQuery versions before 3.5.0
No auth needed
Prerequisites: Access to a web application using a vulnerable version of jQuery
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026 Full analysis →
github WORKING POC
by erickrr-bd · pythonpoc
https://github.com/erickrr-bd/PoC-CVE/tree/master/CVE-2020-11022

This PoC demonstrates a DOM-based XSS vulnerability in jQuery versions prior to 3.5.0, where improper handling of HTML attributes in the .html() method allows arbitrary JavaScript execution. The exploit leverages user-controlled input via the 'value' GET parameter to inject malicious content.

Classification
Working Poc 90%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: jQuery < 3.5.0
No auth needed
Prerequisites: User interaction (clicking the button) · Victim visits the crafted URL with malicious 'value' parameter
devstral-2 · analyzed May 19, 2026 Full analysis →
nomisec WORKING POC
by ibnurusdianto · poc
https://github.com/ibnurusdianto/CVE-2020-11022

This repository contains a functional proof-of-concept for CVE-2020-11022, a DOM-based XSS vulnerability in jQuery versions below 3.5.0. The exploit demonstrates how to inject malicious payloads via jQuery's DOM manipulation methods like .html().

Classification
Working Poc 95%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: jQuery < 3.5.0
No auth needed
Prerequisites: Target using vulnerable jQuery version · Presence of a DOM sink (e.g., .html(), .append())
devstral-2 · analyzed May 19, 2026 Full analysis →
nomisec WRITEUP
by okni2k · poc
https://github.com/okni2k/HW-Pyton-10

The repository contains a README describing CVE-2020-11022, a reflected XSS vulnerability caused by improper input handling in HTML responses. No exploit code is provided, only a brief description of the vulnerability.

Classification
Writeup 90%
Attack Type
Xss
Complexity
Trivial
Reliability
Theoretical
Target: unspecified (likely a web application)
No auth needed
Prerequisites: user interaction to trigger the reflected XSS
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026 Full analysis →
github WORKING POC
by CoderDias · poc
https://github.com/CoderDias/CVE-POCs/tree/main/CVE-2020-11022

This repository contains a functional proof-of-concept for CVE-2020-11022, demonstrating a cross-site scripting (XSS) vulnerability in jQuery versions prior to 3.5.0. The exploit leverages inconsistencies in HTML parsing logic to bypass sanitization and execute arbitrary JavaScript.

Classification
Working Poc 95%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: jQuery < 3.5.0
No auth needed
Prerequisites: Browser with jQuery < 3.5.0 loaded
devstral-2 · analyzed Feb 27, 2026 Full analysis →
vulncheck_xdb STUB
remote
https://github.com/ossf-cve-benchmark/CVE-2020-11022

This repository appears to be a placeholder or template for jQuery development, lacking any actual exploit code or technical details related to CVE-2020-11022. It contains standard project files like issue templates, pull request templates, and build scripts, but no PoC or analysis of the vulnerability.

Classification
Stub 90%
Attack Type
Other
Complexity
Trivial
Reliability
Theoretical
Target: jQuery
No auth needed
devstral-2 · analyzed Feb 26, 2026 Full analysis →
inthewild WRITEUP
poc
https://github.com/ossf-cve-benchmark/cve-2020-11022

This repository appears to be part of the OpenSSF CVE Benchmark project, focusing on CVE-2020-11022. It contains documentation, build scripts, and templates but no actual exploit code. The content is primarily related to jQuery project management and testing infrastructure.

Classification
Writeup 90%
Attack Type
Other
Complexity
Moderate
Reliability
Theoretical
Target: jQuery
No auth needed
Prerequisites: None
devstral-2 · analyzed Feb 23, 2026 Full analysis →

References (71)

Core 71
Core References
Mitigation, Third Party Advisory x_refsource_confirm
https://github.com/jquery/jquery/security/advisories/GHSA-gxr4-xjj5-5px2
X_Refsource_Misc x_refsource_misc
https://github.com/maximebf/php-debugbar/issues/447
Third Party Advisory x_refsource_misc
https://security.gentoo.org/glsa/202007-03
Third Party Advisory x_refsource_misc
https://www.debian.org/security/2020/dsa-4693
Third Party Advisory x_refsource_misc
https://www.drupal.org/sa-core-2020-002
Patch, Third Party Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpuApr2021.html
Patch, Third Party Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpuapr2022.html
Third Party Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpujan2021.html
Patch, Third Party Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpujan2022.html
Third Party Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpujul2020.html
X_Refsource_Misc x_refsource_misc
https://www.oracle.com/security-alerts/cpujul2021.html
Third Party Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpuoct2020.html
Patch, Third Party Advisory x_refsource_misc
https://www.oracle.com/security-alerts/cpuoct2021.html
Third Party Advisory x_refsource_misc
https://www.tenable.com/security/tns-2020-10
Third Party Advisory x_refsource_misc
https://www.tenable.com/security/tns-2020-11
Third Party Advisory x_refsource_misc
https://www.tenable.com/security/tns-2021-02
Third Party Advisory x_refsource_misc
https://www.tenable.com/security/tns-2021-10
X_Refsource_Misc x_refsource_misc
https://github.com/jquery/jquery/releases/tag/3.5.0
X_Refsource_Misc x_refsource_misc
https://jquery.com/upgrade-guide/3.5
Mailing List, Third Party Advisory x_refsource_misc
https://lists.debian.org/debian-lts-announce/2021/03/msg00033.html
X_Refsource_Misc x_refsource_misc
http://security.netapp.com/advisory/ntap-20200511-0006
Mitigation, Vendor Advisory
https://jquery.com/upgrade-guide/3.5/

Scores

CVSS v3 6.9
EPSS 0.0239
EPSS Percentile 85.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:N

Details

VulnCheck KEV 2021-01-21
InTheWild.io 2021-07-30
CWE
CWE-79
Status published
Products (50)
athlon1600/youtube-downloader 0Packagist
components/jquery 1.2.0 - 3.5.0Packagist
debian/debian_linux 9.0
drupal/drupal 7.0 - 7.70
fedoraproject/fedora 31
fedoraproject/fedora 32
fedoraproject/fedora 33
jquery/jquery 1.2 - 3.5.0
jquery/jQuery >= 1.12.0, < 3.5.0
maximebf/debugbar 0 - 1.19.0Packagist
... and 40 more
Published Apr 29, 2020
Tracked Since Feb 18, 2026