In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
CVE-2020-11023
Score elevated to 9.0 because this CVE is listed on the CISA Known Exploited Vulnerabilities catalog (added 2025-01-23), indicating real-world exploitation has been confirmed by US federal agencies. NVD baseline CVSS 6.9 retained for reference. Confidence: HIGH.
- Actively exploited in the wild (CISA-KEV)
A fix is available — apply it.
- CVSS v3
- 6.9
- EG Score
- 9.0(high)
- EPSS
- 99.7%
- KEV
- ⚠ Exploited
Published
April 29, 2020
Last Modified
November 7, 2025
Advisory Details (6)
Auto-updated Jun 12, 2026Potential XSS vulnerability when appending HTML containing option elements · Advisory · jquery/jquery · GitHub
https://github.com/jquery/jquery/security/advisories/GHSA-jpcq-cgw6-v4j6jQuery 3.5.0 Released! | Official jQuery Blog
https://blog.jquery.com/2020/04/10/jquery-3-5-0-releasedVendor Advisories for CVE-2020-11023(20)
These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.
- RHSA-2025:2426Red Hat Product SecurityMedium
Red Hat Security Advisory: pki-core security update
- RHSA-2025:1983Red Hat Product SecurityMedium
Red Hat Security Advisory: Logging for Red Hat OpenShift - 5.8.18
- RHBA-2025:1597Red Hat Product SecurityMedium
Red Hat Bug Fix Advisory: Red Hat Quay v3.9.10 bug fix release
- RHBA-2025:1600Red Hat Product SecurityMedium
Red Hat Bug Fix Advisory: Red Hat Quay v3.10.9 bug fix release
- RHBA-2025:1599Red Hat Product SecurityMedium
Red Hat Bug Fix Advisory: Red Hat Quay v3.11.9 bug fix release
- RHBA-2025:1598Red Hat Product SecurityMedium
Red Hat Bug Fix Advisory: Red Hat Quay v3.12.8 bug fix release
- RHBA-2025:1079Red Hat Product SecurityMedium
Red Hat Bug Fix Advisory: Red Hat Quay v3.13.4 bug fix release
- RHSA-2025:1601Red Hat Product SecurityMedium
Red Hat Security Advisory: gcc security update
- +12 more
Patch Availability(30)
Patches are aggregated from vendor advisories (Red Hat, Microsoft, Cisco, GitHub) and package ecosystems (OSV, GHSA). Multiple rows for the same upstream release have been deduplicated.
Affected Packages
(5 across 5 ecosystems)
Maven(1)
| Package | Vulnerable range | Fixed in | Dependents |
|---|---|---|---|
| org.webjars.npm:jquery | 1.11.0 ... 3.4.1 (35 versions) | 3.5.0 | — |
npm(1)
| Package | Vulnerable range | Fixed in | Dependents |
|---|---|---|---|
| jquery | — | 3.5.0 | — |
NuGet(1)
| Package | Vulnerable range | Fixed in | Dependents |
|---|---|---|---|
| jQuery | 1.10.0 ... 3.4.1 (58 versions) | 3.5.0 | — |
Packagist(1)
| Package | Vulnerable range | Fixed in | Dependents |
|---|---|---|---|
| components/jquery | 1.10.0 ... 3.4.1 (31 versions) | 3.5.0 | — |
RubyGems(1)
| Package | Vulnerable range | Fixed in | Dependents |
|---|---|---|---|
| jquery-rails | 0.1.1 ... 4.3.5 (74 versions) | 4.4.0 | — |
Weakness Classification(1)
MITRE Common Weakness Enumeration — the root-cause categories this CVE belongs to.
Additional Vendor Advisories
(20)
Vendors that published advisories for this CVE beyond the curated set above. Broader coverage but minimal per-row detail — click through for the original advisory.
- Red HatRHSA-2020:2412MODERATE2020-04-29
RHSA-2020:2412 — Moderate
- Red HatRHSA-2020:2813MODERATE2020-04-29
RHSA-2020:2813 — Moderate
- Red HatRHSA-2020:3247MODERATE2020-04-29
RHSA-2020:3247 — Moderate
- Red HatRHSA-2020:3369MODERATE2020-04-29
RHSA-2020:3369 — Moderate
- Red HatRHSA-2020:3807MODERATE2020-04-29
RHSA-2020:3807 — Moderate
- Red HatRHSA-2020:4211MODERATE2020-04-29
RHSA-2020:4211 — Moderate
- Red HatRHSA-2020:4298MODERATE2020-04-29
RHSA-2020:4298 — Moderate
- Red HatRHSA-2020:4847MODERATE2020-04-29
RHSA-2020:4847 — Moderate
- Red HatRHSA-2020:5249MODERATE2020-04-29
RHSA-2020:5249 — Moderate
- Red HatRHSA-2020:5412MODERATE2020-04-29
RHSA-2020:5412 — Moderate
- Red HatRHSA-2021:0778MODERATE2020-04-29
RHSA-2021:0778 — Moderate
- Red HatRHSA-2021:0851MODERATE2020-04-29
RHSA-2021:0851 — Moderate
- Red HatRHSA-2021:0860MODERATE2020-04-29
RHSA-2021:0860 — Moderate
- Red HatRHSA-2021:1846MODERATE2020-04-29
RHSA-2021:1846 — Moderate
- Red HatRHSA-2021:4142MODERATE2020-04-29
RHSA-2021:4142 — Moderate
- Red HatRHSA-2022:6393MODERATE2020-04-29
RHSA-2022:6393 — Moderate
- Red HatRHSA-2022:7343MODERATE2020-04-29
RHSA-2022:7343 — Moderate
- Red HatRHSA-2023:0552MODERATE2020-04-29
RHSA-2023:0552 — Moderate
- Red HatRHSA-2023:0553MODERATE2020-04-29
RHSA-2023:0553 — Moderate
- Red HatRHSA-2023:0554MODERATE2020-04-29
RHSA-2023:0554 — Moderate
Data Freshness Timeline
(refreshed 92× in last 7d / 407× in last 30d)
Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.
Showing the most recent 100 of 585 total refreshes for this CVE.
- 2026-07-11 23:36 UTCEG score recompute
- 2026-07-11 23:36 UTCVendor advisory
- 2026-07-11 19:48 UTCEG score recompute
- 2026-07-11 19:48 UTCVendor advisory
- 2026-07-11 16:00 UTCEG score recompute
- 2026-07-11 16:00 UTCVendor advisory
- 2026-07-11 12:11 UTCEG score recompute
- 2026-07-11 12:11 UTCVendor advisory
- 2026-07-11 08:23 UTCEG score recompute
- 2026-07-11 08:23 UTCVendor advisory
- 2026-07-11 04:35 UTCEG score recompute
- 2026-07-11 04:35 UTCVendor advisory
- 2026-07-11 00:47 UTCEG score recompute
- 2026-07-11 00:47 UTCVendor advisory
- 2026-07-10 20:59 UTCEG score recompute
- 2026-07-10 20:59 UTCVendor advisory
- 2026-07-10 17:52 UTCCISA KEV update
- 2026-07-10 17:11 UTCEG score recompute
- 2026-07-10 17:11 UTCVendor advisory
- 2026-07-10 13:23 UTCEG score recompute
- 2026-07-10 13:23 UTCVendor advisory
- 2026-07-10 09:34 UTCEG score recompute
- 2026-07-10 09:34 UTCVendor advisory
- 2026-07-10 05:46 UTCEG score recompute
- 2026-07-10 05:46 UTCVendor advisory
Show 75 moreShow fewer
- 2026-07-10 01:58 UTCEG score recompute
- 2026-07-10 01:58 UTCVendor advisory
- 2026-07-09 22:10 UTCEG score recompute
- 2026-07-09 22:10 UTCVendor advisory
- 2026-07-09 19:06 UTCEPSS rescore
- 2026-07-09 18:21 UTCEG score recompute
- 2026-07-09 18:21 UTCVendor advisory
- 2026-07-09 14:34 UTCEG score recompute
- 2026-07-09 14:34 UTCVendor advisory
- 2026-07-09 10:44 UTCEG score recompute
- 2026-07-09 10:44 UTCVendor advisory
- 2026-07-09 06:55 UTCEG score recompute
- 2026-07-09 06:55 UTCVendor advisory
- 2026-07-09 03:07 UTCEG score recompute
- 2026-07-09 03:07 UTCVendor advisory
- 2026-07-08 23:17 UTCEG score recompute
- 2026-07-08 23:17 UTCVendor advisory
- 2026-07-08 19:28 UTCEG score recompute
- 2026-07-08 19:28 UTCVendor advisory
- 2026-07-08 15:37 UTCEG score recompute
- 2026-07-08 15:37 UTCVendor advisory
- 2026-07-08 11:48 UTCEG score recompute
- 2026-07-08 11:48 UTCVendor advisory
- 2026-07-08 07:58 UTCEG score recompute
- 2026-07-08 07:58 UTCVendor advisory
- 2026-07-08 04:10 UTCEG score recompute
- 2026-07-08 04:10 UTCVendor advisory
- 2026-07-08 00:21 UTCEG score recompute
- 2026-07-08 00:21 UTCVendor advisory
- 2026-07-07 20:34 UTCEG score recompute
- 2026-07-07 20:34 UTCVendor advisory
- 2026-07-07 19:01 UTCCISA KEV update
- 2026-07-07 17:16 UTCCISA KEV update
- 2026-07-07 16:46 UTCEG score recompute
- 2026-07-07 16:46 UTCVendor advisory
- 2026-07-07 12:57 UTCEG score recompute
- 2026-07-07 12:57 UTCVendor advisory
- 2026-07-07 09:09 UTCEG score recompute
- 2026-07-07 09:09 UTCVendor advisory
- 2026-07-07 05:21 UTCEG score recompute
- 2026-07-07 05:21 UTCVendor advisory
- 2026-07-07 01:33 UTCEG score recompute
- 2026-07-07 01:33 UTCVendor advisory
- 2026-07-06 21:42 UTCEG score recompute
- 2026-07-06 21:42 UTCVendor advisory
- 2026-07-06 17:54 UTCEG score recompute
- 2026-07-06 17:54 UTCVendor advisory
- 2026-07-06 14:03 UTCEG score recompute
- 2026-07-06 14:03 UTCVendor advisory
- 2026-07-06 10:12 UTCEG score recompute
- 2026-07-06 10:12 UTCVendor advisory
- 2026-07-06 06:23 UTCEG score recompute
- 2026-07-06 06:23 UTCVendor advisory
- 2026-07-06 02:35 UTCEG score recompute
- 2026-07-06 02:35 UTCVendor advisory
- 2026-07-05 22:47 UTCEG score recompute
- 2026-07-05 22:47 UTCVendor advisory
- 2026-07-05 18:59 UTCEG score recompute
- 2026-07-05 18:59 UTCVendor advisory
- 2026-07-05 15:11 UTCEG score recompute
- 2026-07-05 15:11 UTCVendor advisory
- 2026-07-05 11:23 UTCEG score recompute
- 2026-07-05 11:23 UTCVendor advisory
- 2026-07-05 07:35 UTCEG score recompute
- 2026-07-05 07:35 UTCVendor advisory
- 2026-07-05 03:48 UTCEG score recompute
- 2026-07-05 03:48 UTCVendor advisory
- 2026-07-04 23:58 UTCEG score recompute
- 2026-07-04 23:58 UTCVendor advisory
- 2026-07-04 20:10 UTCEG score recompute
- 2026-07-04 20:10 UTCVendor advisory
- 2026-07-04 16:23 UTCEG score recompute
- 2026-07-04 16:23 UTCVendor advisory
- 2026-07-04 12:34 UTCEG score recompute
- 2026-07-04 12:34 UTCVendor advisory
Publicly available exploits
(3 references)Working exploit code is in the public domain (2 GitHub PoCs) (1 Exploit-DB entry). Defenders should treat patch urgency accordingly — public PoCs typically lead to mass-exploitation within 24-72 hours.
- Open source ↗GitHub PoChoneyb33z/cve-2020-11023-scannerFirst seen Jan 30, 2025
- GitHub PoCCybernegro/CVE-2020-11023First seen Jan 3, 2024
CVE-2020-11023 PoC for bug bounty.
Open source ↗ - Exploit-DBEDB-49767First seen Apr 14, 2021
jQuery 1.0.3 - Cross-Site Scripting (XSS)
Open source ↗
Frequently asked(6)
What is CVE-2020-11023?
When was CVE-2020-11023 disclosed?
Is CVE-2020-11023 actively exploited?
What is the CVSS score of CVE-2020-11023?
Which products are affected by CVE-2020-11023?
How do I remediate CVE-2020-11023?
Dependency Blast Radius
See which npm, PyPI, Go, and Maven packages are affected by CVE-2020-11023
Is Your Infrastructure Affected by CVE-2020-11023?
EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.