VulnerableCode Package Details - pkg:deb/debian/node-jquery@3.6.1%2Bdfsg%2B~3.5.14-1?distro=trixie

Search for packages

Vulnerability	Summary	Fixed by
This package is not known to be affected by vulnerabilities.

Vulnerability

Summary

Fixed by

This package is not known to be affected by vulnerabilities.

Vulnerability	Summary	Aliases
VCID-3s9f-prpy-hbcx	Cross-site Scripting The jQuery library, which is included in rdoc, mishandles `jQuery.extend(true, {}, ...)` because of Object.prototype pollution. If an unsanitized source object contained an enumerable `__proto__` property, it could extend the native `Object.prototype.`	CVE-2019-11358 GHSA-6c3j-c64m-qhgq
VCID-5618-53yg-8qh4	Potential XSS vulnerability in jQuery ### Impact Passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. `.html()`, `.append()`, and others) may execute untrusted code. ### Patches This problem is patched in jQuery 3.5.0. ### Workarounds To workaround the issue without upgrading, adding the following to your code: ```js jQuery.htmlPrefilter = function( html ) { return html; }; ``` You need to use at least jQuery 1.12/2.2 or newer to be able to apply this workaround. ### References https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/ https://jquery.com/upgrade-guide/3.5/ ### For more information If you have any questions or comments about this advisory, search for a relevant issue in [the jQuery repo](https://github.com/jquery/jquery/issues). If you don't find an answer, open a new issue.	CVE-2020-11022 GHSA-gxr4-xjj5-5px2
VCID-cvxp-ctj9-guej	Potential XSS vulnerability in jQuery ### Impact Passing HTML containing `<option>` elements from untrusted sources - even after sanitizing them - to one of jQuery's DOM manipulation methods (i.e. `.html()`, `.append()`, and others) may execute untrusted code. ### Patches This problem is patched in jQuery 3.5.0. ### Workarounds To workaround this issue without upgrading, use [DOMPurify](https://github.com/cure53/DOMPurify) with its `SAFE_FOR_JQUERY` option to sanitize the HTML string before passing it to a jQuery method. ### References https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/ ### For more information If you have any questions or comments about this advisory, search for a relevant issue in [the jQuery repo](https://github.com/jquery/jquery/issues). If you don't find an answer, open a new issue.	CVE-2020-11023 GHSA-jpcq-cgw6-v4j6

Vulnerability

Summary

Aliases

VCID-3s9f-prpy-hbcx

Cross-site Scripting The jQuery library, which is included in rdoc, mishandles `jQuery.extend(true, {}, ...)` because of Object.prototype pollution. If an unsanitized source object contained an enumerable `__proto__` property, it could extend the native `Object.prototype.`

CVE-2019-11358
GHSA-6c3j-c64m-qhgq

VCID-5618-53yg-8qh4

Potential XSS vulnerability in jQuery ### Impact Passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. `.html()`, `.append()`, and others) may execute untrusted code. ### Patches This problem is patched in jQuery 3.5.0. ### Workarounds To workaround the issue without upgrading, adding the following to your code: ```js jQuery.htmlPrefilter = function( html ) { return html; }; ``` You need to use at least jQuery 1.12/2.2 or newer to be able to apply this workaround. ### References https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/ https://jquery.com/upgrade-guide/3.5/ ### For more information If you have any questions or comments about this advisory, search for a relevant issue in [the jQuery repo](https://github.com/jquery/jquery/issues). If you don't find an answer, open a new issue.

CVE-2020-11022
GHSA-gxr4-xjj5-5px2

VCID-cvxp-ctj9-guej

Potential XSS vulnerability in jQuery ### Impact Passing HTML containing `<option>` elements from untrusted sources - even after sanitizing them - to one of jQuery's DOM manipulation methods (i.e. `.html()`, `.append()`, and others) may execute untrusted code. ### Patches This problem is patched in jQuery 3.5.0. ### Workarounds To workaround this issue without upgrading, use [DOMPurify](https://github.com/cure53/DOMPurify) with its `SAFE_FOR_JQUERY` option to sanitize the HTML string before passing it to a jQuery method. ### References https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/ ### For more information If you have any questions or comments about this advisory, search for a relevant issue in [the jQuery repo](https://github.com/jquery/jquery/issues). If you don't find an answer, open a new issue.

CVE-2020-11023
GHSA-jpcq-cgw6-v4j6

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-16T12:07:54.382969+00:00	Debian Importer	Fixing	VCID-3s9f-prpy-hbcx	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-16T09:49:47.843188+00:00	Debian Importer	Fixing	VCID-cvxp-ctj9-guej	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-16T08:41:20.845541+00:00	Debian Importer	Fixing	VCID-5618-53yg-8qh4	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-13T08:17:45.845096+00:00	Debian Importer	Fixing	VCID-3s9f-prpy-hbcx	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-13T06:34:09.099640+00:00	Debian Importer	Fixing	VCID-cvxp-ctj9-guej	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-11T17:50:23.322954+00:00	Debian Importer	Fixing	VCID-5618-53yg-8qh4	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-03T07:47:09.877224+00:00	Debian Importer	Fixing	VCID-cvxp-ctj9-guej	https://security-tracker.debian.org/tracker/data/json	38.1.0
2026-04-03T07:47:09.842773+00:00	Debian Importer	Fixing	VCID-5618-53yg-8qh4	https://security-tracker.debian.org/tracker/data/json	38.1.0
2026-04-03T07:47:09.802593+00:00	Debian Importer	Fixing	VCID-3s9f-prpy-hbcx	https://security-tracker.debian.org/tracker/data/json	38.1.0