CVE-2020-7656

MEDIUM

jQuery < 1.9.0 - Cross-Site Scripting via Load Method

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-7656. PoCs published by xOryus.

AI-analyzed exploit summary This exploit demonstrates two jQuery vulnerabilities (CVE-2020-7656 and CVE-2019-11358) by injecting XSS payloads via script injection and prototype pollution. It requires a vulnerable jQuery version (<3.4.X) to be loaded on the target page.

Description

jquery prior to 1.9.0 allows Cross-site Scripting attacks via the load method. The load method fails to recognize and remove "<script>" HTML tags that contain a whitespace character, i.e: "</script >", which results in the enclosed script logic to be executed.

Exploits (1)

exploitdb WORKING POC
by xOryus · textwebappsmultiple
https://www.exploit-db.com/exploits/52141

This exploit demonstrates two jQuery vulnerabilities (CVE-2020-7656 and CVE-2019-11358) by injecting XSS payloads via script injection and prototype pollution. It requires a vulnerable jQuery version (<3.4.X) to be loaded on the target page.

Classification
Working Poc 95%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: jQuery <3.4.X
No auth needed
Prerequisites: Vulnerable jQuery version (<3.4.X) loaded on the target page · Ability to inject JavaScript into the target page
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (4)

Core 4

Scores

CVSS v3 6.1
EPSS 0.0089
EPSS Percentile 76.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE
CWE-79
Status published
Products (11)
jquery/jquery < 1.9.0
juniper/junos 21.2
netapp/active_iq_unified_manager (3 CPE variants)
netapp/cloud_backup
netapp/oncommand_system_manager 3.0.0 - 3.1.3
netapp/snap_creator_framework
npm/jquery 1.2.1 - 1.9.0npm
nuget/jQuery 1.2.1 - 1.9.0NuGet
oracle/peoplesoft_enterprise_peopletools 8.58
org.webjars.npm/jquery 1.2.1 - 1.9.0Maven
... and 1 more
Published May 19, 2020
Tracked Since Feb 18, 2026