Despite how often scanners flag them, jQuery 3.6.0 vulnerabilities in jQuery core are effectively nonexistent — no CVE has been assigned against jQuery core version 3.6.0 itself. The last security fixes in the jQuery core line landed in 3.5.0 (April 2020), and every release since, including 3.6.0 and 3.7.1, ships without a known direct core vulnerability. So when a tool marks your 3.6.0 as risky, the honest first question is: is this a real finding, or a misattributed pre-3.5.0 CVE? This post untangles that.
Are there real jQuery 3.6.0 vulnerabilities in the core library?
No known ones in the core. The jQuery security fixes people remember all predate 3.6.0:
- CVE-2020-11022 and CVE-2020-11023 — cross-site scripting through jQuery's DOM manipulation methods (like
html()) when passed HTML from untrusted sources. Both were fixed in3.5.0. Versions earlier than3.5.0are affected;3.6.0is not. - CVE-2019-11358 — prototype pollution in
jQuery.extend(true, ...). Fixed in3.4.0, so again not present in3.6.0. - CVE-2015-9251 — XSS via cross-domain AJAX responses. Fixed back in
3.0.0.
Because 3.6.0 (released March 2021) sits above all of those fix versions, it carries none of them. The same is true of 3.7.1: searching for jquery 3.7.1 vulnerabilities in the core turns up no assigned CVE either. That does not mean your application is safe — it means the library file is not the problem.
Why do scanners keep flagging jQuery 3.6.0 then?
Several patterns produce a 3.6.0 alert that is not a real core vulnerability:
- Misattribution from imprecise version ranges. Some vulnerability databases record affected ranges loosely, and a scanner that reads "jQuery XSS" without pinning the exact fixed version may light up any jQuery it sees.
- jQuery UI, not jQuery. jQuery UI is a separate library with its own CVEs (for example, XSS issues in older
jquery-uiversions). A scanner or a human can easily conflate the two — a jQuery UI finding is not a jQuery core finding. This distinction matters more with jQuery UI than with core: the XSS advisories CVE-2021-41182, CVE-2021-41183, and CVE-2021-41184 affectjquery-uireleases before1.13.0, so jquery ui 1.12.1 vulnerabilities are a real, assigned-CVE concern, while jquery ui 1.13.2 vulnerabilities largely are not — 1.13.2 sits above the fixed line for that set of advisories. - Plugins and jQuery Migrate. Third-party jQuery plugins and old Migrate shims have their own vulnerability histories. The finding may be pointing at code bundled alongside jQuery, not jQuery itself.
- Policy rules, not CVEs. Some tools flag "outdated library" against a version-currency policy.
3.6.0is behind the latest, which trips an age rule even with no known vulnerability.
The practical move is to read the finding precisely: which package, which exact CVE, which fixed-in version. Half of jQuery 3.6.0 alerts dissolve once you confirm the CVE was fixed in 3.5.0 or applies to a different package. Good tooling shows you that fixed-in version and the exact affected range so you are not guessing — that precision is the whole point of reachability-aware SCA.
Where does the exploitable jQuery risk actually live?
The real risk with jQuery is almost always how you use it, not the version number.
Passing untrusted HTML to manipulation methods. Even on patched jQuery, calling $(el).html(userControlledString) or $(untrustedHtml) injects live markup. The 3.5.0 fix hardened some internal parsing, but it never made it safe to feed attacker-controlled HTML into these methods. If user input reaches html(), append(), before(), or a jQuery constructor call as raw HTML, you have a DOM-based XSS regardless of jQuery version.
Selector injection. Building a jQuery selector from user input ($("#" + userInput)) can lead to unexpected DOM matching or, in old versions, HTML execution.
Ecosystem debt. Outdated jQuery UI, abandoned plugins, and ancient Migrate shims carry genuine CVEs. These are separate dependencies with their own upgrade paths.
In other words: your 3.6.0 file is fine; your $(...).html(input) call may not be. That distinction is what separates a real fix from churn.
Should you upgrade from 3.6.0 anyway?
Usually yes, but for maintenance reasons rather than a live exploit. Upgrading 3.6.0 to 3.7.1 is a small, low-risk bump that clears version-currency policy alerts, keeps you on a supported line, and reduces the noise of recurring "outdated" findings. It will not fix a real vulnerability, because there is not one in core to fix — set expectations accordingly so nobody treats the bump as closing an active hole.
The higher-value work is auditing usage: grep for .html(, .append(, and $( calls that take variables, confirm any user-influenced input is sanitized or set as text (.text()) rather than HTML, and inventory your jQuery UI and plugin versions, which are where actual assigned CVEs hide. Wiring both the dependency check and that usage pattern into CI turns a recurring manual scramble into a gate; we cover that pipeline work across the blog.
FAQ
Is jQuery 3.6.0 safe to use in production?
The jQuery core 3.6.0 file has no known direct CVEs, so it is not inherently unsafe. Whether your application is safe depends on how you use it — feeding untrusted HTML into html() or append() creates XSS on any jQuery version. Keep 3.6.0 if you must, but audit those usage patterns and your plugins.
Do jQuery 3.7.1 vulnerabilities exist?
No assigned CVE affects jQuery core 3.7.1 at the time of writing; like 3.6.0, it sits above the last core security fix in 3.5.0. Alerts against 3.7.1 are almost always version-currency policy rules, jQuery UI or plugin findings, or misattributed older CVEs — verify the exact CVE and package before acting.
What jQuery version fixed the XSS CVEs?
Version 3.5.0 (April 2020) fixed CVE-2020-11022 and CVE-2020-11023, the cross-site scripting issues in DOM manipulation methods. Prototype pollution (CVE-2019-11358) was fixed earlier in 3.4.0. Any jQuery at 3.5.0 or above is clear of those specific CVEs.
Why does my scanner flag jQuery 3.6.0 if there's no CVE?
Most often it is a version-currency rule flagging 3.6.0 as outdated, a finding that actually belongs to jQuery UI or a plugin, or a database entry with an imprecise affected range. Open the finding and check the exact CVE and its fixed-in version — if that version is 3.5.0 or lower, 3.6.0 is not affected.