vulnfeedby Novadyne

CVE-2019-11358: jQuery prototype pollution

npm · jquery · EPSS data as of 2026-06-18 · page generated 2026-06-18

CVE-2019-11358 (jQuery prototype pollution) is a prototype pollution vulnerability in jquery (npm). As of 2026-06-18 it carries a very high 87.2% probability of exploitation in the next 30 days (EPSS). It is fixed in 3.4.0 — if you depend on an earlier version, upgrade.

SeverityLow
CVSS vectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS (exploit probability, 30d)87.2% · 100th percentile
Vulnerability typePrototype Pollution
Affected packagejquery (npm)
Fixed in3.4.0

What is CVE-2019-11358?

jQuery before 3.4.0 mishandles jQuery.extend(true, {}, ...) so a crafted __proto__ payload can pollute Object.prototype, which can escalate to property injection or, in some apps, code execution.

Is CVE-2019-11358 exploitable?

CVE-2019-11358 has an EPSS score of 87.2% (100th percentile), meaning a very high 87.2% probability of exploitation in the next 30 days. Its CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, which scores as Low severity. It is a prototype pollution issue.

What is the EPSS score for CVE-2019-11358?

As of 2026-06-18, the EPSS exploit-prediction score for CVE-2019-11358 is 87.2% (100th percentile). EPSS estimates the probability that a vulnerability will be exploited in the wild within the next 30 days and is recomputed daily by FIRST.org.

How do I fix CVE-2019-11358?

Upgrade jquery to 3.4.0 or later. jQuery before 3.4.0 mishandles jQuery.extend(true, {}, ...) so a crafted __proto__ payload can pollute Object.prototype, which can escalate to property injection or, in some apps, code execution.

Am I affected by CVE-2019-11358?

You are affected if your project (directly or transitively) depends on a vulnerable version of jquery in the npm ecosystem. Check your lockfile for the resolved version, or scan automatically with VulnFeed.

Check your own project automatically

Don't eyeball every dependency by hand. VulnFeed reads your lockfile, checks it against the same advisory data, and ranks findings by EPSS — free, no signup (10 scans/day):

curl -s https://vulnfeed-api.novadyne.ai/vulnscan/query \
  -H 'content-type: application/json' \
  -d '{"ecosystem":"npm","package":"PKG","version":"VERSION"}'

Or run it inside Claude Code with no API key — uvx vulnfeed-mcp — and just ask "scan this project for vulnerabilities."

Get VulnFeed View on GitHub

Data sources: vulnerability metadata from OSV.dev and the National Vulnerability Database; exploit-probability (EPSS) from FIRST.org (recomputed daily; EPSS data shown here as of 2026-06-18). Page generated 2026-06-18.