CVE-2019-11358

MEDIUMNVD 6.16.1
EchelonGraph scoreMEDIUM confidence

This medium-severity CVE scores 6.1 under NVD CVSS v3. EPSS exploit probability: 2.4%, top 15% of all CVEs by exploit prediction. GitHub Security Advisory data not yet ingested — confidence will rise once GHSA publishes (typical lag: hours to days for open-source ecosystem CVEs; never for infrastructure-only CVEs).

Triggered by: NVD CVSS baseline
Sources: epss, nvd
Elevated
6.1
EchelonGraph verdictPatch this weekExploitation is likely or a public exploit exists.
  • High exploitation likelihood — EPSS 87%
CISA-KEV: Not listedEPSS: 87%CVSS: 6.1Exploit: NoneExposed: 0

A fix is available — apply it.

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.

CVSS v3
6.1
EG Score
6.1(medium)
EPSS
99.7%
KEV
Not listed

Published

April 20, 2019

Last Modified

November 21, 2024

Patch Availability(25)

Vendor / EcosystemFixed in / PatchReleasedSource
ubuntulibjs-jquery (1.7.2+dfsg-2ubuntu1+esm1) @ trusty2026-05-27ubuntu
redhatrh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el7sso2023-03-01redhat
redhatrh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el8sso2023-03-01redhat
redhatrh-sso7-keycloak-0:18.0.6-1.redhat_00001.1.el9sso2023-03-01redhat
redhatrh-sso-7/sso76-openshift-rhel8:7.6-202023-03-01redhat
redhatkeycloak-idp-jquery2023-03-01redhat
redhateap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el7eap2023-01-31redhat
redhateap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el9eap2023-01-31redhat
redhateap7-hal-console-0:3.3.16-1.Final_redhat_00001.1.el8eap2023-01-31redhat
redhatjquery2023-01-31redhat
redhatpcs-0:0.9.169-3.el7_9.32022-11-02redhat
redhatpcs-0:0.10.10-4.el82021-11-09redhat
redhatpython-XStatic-jQuery-0:2.2.4.1-3.el7ost2020-12-16redhat
redhatpki-deps:10.6-8030020200527165326.30b713e62020-11-04redhat
redhatidm:DL1-8030020200923172343.9c827e522020-11-04redhat
redhatopenshift4/ose-prometheus:v4.6.0-202009290409.p02020-10-27redhat
redhatipa-0:4.6.8-5.el72020-09-29redhat
redhatopenshift4/ose-console:v4.5.0-202007012112.p02020-07-13redhat
redhatpython-XStatic-jQuery-0:3.4.1.0-1.el8ost2020-04-06redhat
redhatopenshift-kuryr-0:3.11.170-1.git.1.7265da1.el72020-02-19redhat
redhatovirt-web-ui-0:1.6.0-1.el7ev2019-10-10redhat
redhatovirt-engine-ui-extensions-0:1.0.10-1.el7ev2019-10-10redhat
redhatv2v-conversion-host-0:1.14.2-1.el7ev2019-09-05redhat
redhatovirt-engine-api-explorer-0:0.0.5-1.el7ev2019-06-20redhat
redhatpatch2019-06-11redhat

Patches are aggregated from vendor advisories (Red Hat, Microsoft, Cisco, GitHub) and package ecosystems (OSV, GHSA). Multiple rows for the same upstream release have been deduplicated.

Affected Packages

(7 across 6 ecosystems)
Packagist(2)
PackageVulnerable rangeFixed inDependents
drupal/core8.0.0 ... 8.6.9 (95 versions)8.6.15
maximebf/debugbar1.0 ... v1.18.2 (60 versions)1.19.0
Maven(1)
PackageVulnerable rangeFixed inDependents
org.webjars.npm:jquery1.11.0 ... 3.3.1 (33 versions)3.4.0
npm(1)
PackageVulnerable rangeFixed inDependents
jquery3.4.0
NuGet(1)
PackageVulnerable rangeFixed inDependents
jQuery1.10.0 ... 3.3.1 (56 versions)3.4.0
PyPI(1)
PackageVulnerable rangeFixed inDependents
django2.2, 2.2.1, 2.2a1, 2.2b1, 2.2rc12.2.2
RubyGems(1)
PackageVulnerable rangeFixed inDependents
jquery-rails0.1.1 ... 4.3.3 (72 versions)4.3.4

Weakness Classification(1)

MITRE Common Weakness Enumeration — the root-cause categories this CVE belongs to.

Additional Vendor Advisories

(10)

Data Freshness Timeline

(refreshed 0× in last 7d / 16× in last 30d)

Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.

  1. 2026-07-04 06:28 UTCEPSS rescore
  2. 2026-07-04 06:28 UTCEPSS rescore
  3. 2026-07-03 12:56 UTCOSV refresh
  4. 2026-07-01 15:03 UTCEPSS rescore
  5. 2026-07-01 15:03 UTCEPSS rescore
  6. 2026-06-25 13:47 UTCEPSS rescore
  7. 2026-06-25 13:47 UTCEPSS rescore
  8. 2026-06-23 21:30 UTCEPSS rescore
  9. 2026-06-23 21:30 UTCEPSS rescore
  10. 2026-06-17 17:50 UTCEPSS rescore
  11. 2026-06-15 17:45 UTCEPSS rescore
  12. 2026-06-15 03:13 UTCOSV refresh
  13. 2026-06-14 23:15 UTCEPSS rescore
  14. 2026-06-14 23:15 UTCEPSS rescore
  15. 2026-06-13 22:58 UTCEPSS rescore
  16. 2026-06-12 23:09 UTCEPSS rescore
  17. 2026-06-11 13:58 UTCEPSS rescore
  18. 2026-06-11 13:58 UTCEPSS rescore
  19. 2026-06-10 22:16 UTCEPSS rescore
  20. 2026-06-10 13:19 UTCEPSS rescore
  21. 2026-06-08 14:15 UTCEPSS rescore
  22. 2026-06-08 14:14 UTCEPSS rescore
  23. 2026-06-06 13:45 UTCEPSS rescore
  24. 2026-06-06 13:45 UTCEPSS rescore
  25. 2026-06-05 22:45 UTCEPSS rescore
Show 22 more
  1. 2026-06-05 22:45 UTCEPSS rescore
  2. 2026-06-05 06:08 UTCEPSS rescore
  3. 2026-06-05 06:08 UTCEPSS rescore
  4. 2026-06-04 13:10 UTCEPSS rescore
  5. 2026-06-04 13:10 UTCEPSS rescore
  6. 2026-06-02 20:11 UTCEPSS rescore
  7. 2026-06-01 13:50 UTCEPSS rescore
  8. 2026-06-01 13:50 UTCEPSS rescore
  9. 2026-05-31 22:29 UTCEPSS rescore
  10. 2026-05-31 22:29 UTCEPSS rescore
  11. 2026-05-31 00:14 UTCEPSS rescore
  12. 2026-05-31 00:14 UTCEPSS rescore
  13. 2026-05-29 13:42 UTCEPSS rescore
  14. 2026-05-28 13:43 UTCEPSS rescore
  15. 2026-05-27 20:26 UTCEG score recompute
  16. 2026-05-27 20:26 UTCVendor advisory
  17. 2026-05-27 15:05 UTCOSV refresh
  18. 2026-05-27 13:38 UTCEPSS rescore
  19. 2026-05-26 13:42 UTCEPSS rescore
  20. 2026-05-26 13:42 UTCEPSS rescore
  21. 2026-05-26 07:17 UTCEPSS rescore
  22. 2026-05-26 07:17 UTCEPSS rescore

Publicly available exploits

(5 references)

Working exploit code is in the public domain (4 GitHub PoCs) (1 Exploit-DB entry). Defenders should treat patch urgency accordingly — public PoCs typically lead to mass-exploitation within 24-72 hours.

  • Exploit-DBEDB-52141
    First seen Apr 8, 2025

    jQuery 3.3.1 - Prototype Pollution & XSS Exploit

    Open source ↗
  • GitHub PoCchrisneagu/FTC-Skystone-Dark-Angels-Romania-2020
    First seen Mar 8, 2021

    NOTICE This repository contains the public FTC SDK for the SKYSTONE (2019-2020) competition season. If you are looking for the current season's FTC SDK software, please visit the new and permanent home of the public FTC SDK: FtcRobotController repository Welcome! This GitHub repository contains the source code that is used to build an Android app to control a FIRST Tech Challenge competition robot. To use this SDK, download/clone the entire project to your local computer. Getting Started If you are new to robotics or new to the FIRST Tech Challenge, then you should consider reviewing the FTC Blocks Tutorial to get familiar with how to use the control system: FTC Blocks Online Tutorial Even if you are an advanced Java programmer, it is helpful to start with the FTC Blocks tutorial, and then migrate to the OnBot Java Tool or to Android Studio afterwards. Downloading the Project If you are an Android Studio programmer, there are several ways to download this repo. Note that if you use the Blocks or OnBot Java Tool to program your robot, then you do not need to download this repository. If you are a git user, you can clone the most current version of the repository: git clone https://github.com/FIRST-Tech-Challenge/SKYSTONE.git Or, if you prefer, you can use the "Download Zip" button available through the main repository page. Downloading the project as a .ZIP file will keep the size of the download manageable. You can also download the project folder (as a .zip or .tar.gz archive file) from the Downloads subsection of the Releases page for this repository. Once you have downloaded and uncompressed (if needed) your folder, you can use Android Studio to import the folder ("Import project (Eclipse ADT, Gradle, etc.)"). Getting Help User Documentation and Tutorials FIRST maintains online documentation with information and tutorials on how to use the FIRST Tech Challenge software and robot control system. You can access this documentation using

    Open source ↗
  • GitHub PoCDanielRuf/snyk-js-jquery-565129
    First seen Apr 14, 2020

    patches for SNYK-JS-JQUERY-565129, SNYK-JS-JQUERY-567880, CVE-2020-1102, CVE-2020-11023, includes the patches for SNYK-JS-JQUERY-174006, CVE-2019-11358, CVE-2019-5428

    Open source ↗
  • GitHub PoCbitnesswise/jquery-prototype-pollution-fix
    First seen Jul 18, 2019

    A fix for CVE-2019-11358 (prototype pollution in jquery)

    Open source ↗
  • GitHub PoCDanielRuf/snyk-js-jquery-174006
    First seen Mar 30, 2019

    patches for SNYK-JS-JQUERY-174006, CVE-2019-11358, CVE-2019-5428

    Open source ↗

Frequently asked(5)

What is CVE-2019-11358?
CVE-2019-11358 is a medium vulnerability published on April 20, 2019. jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable proto property, it could extend the native Object.prototype.
When was CVE-2019-11358 disclosed?
CVE-2019-11358 was first published in the National Vulnerability Database on April 20, 2019, with the most recent update on November 21, 2024. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.
Is CVE-2019-11358 actively exploited?
CVE-2019-11358 is not currently on CISA's Known Exploited Vulnerabilities catalog. FIRST EPSS estimates a 99.7% percentile likelihood of exploitation in the next 30 days — higher percentiles indicate greater predicted risk.
What is the CVSS score of CVE-2019-11358?
CVE-2019-11358 has a CVSS v3 base score of 6.1 (NVD).
How do I remediate CVE-2019-11358?
Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2019-11358, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

See which npm, PyPI, Go, and Maven packages are affected by CVE-2019-11358

Explore →

Is Your Infrastructure Affected by CVE-2019-11358?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.