JQuery Version in Nextcloud21/22

Hi Support

A vulnerability assessment for nextcloud 20.0.08 has come up with jQuery version 2.2.4 being still vulnerable. What’s the jQuery version in nextcloud 22 ? I don’t see any details for the same in the changelog.

Could you please help ?

You find the jQuery version in


On running nextcloud servers get

Example Nextcloud 22:

Put result (e.g. Nextcloud 22) in https://beautifier.io and search “jquery”:

w.fn = w.prototype = {
            jquery: "3.3.1",

Sorry. But this it is also only a number. Perhaps it is not correct.

Text in https://raw.githubusercontent.com/nextcloud/server/master/core/js/dist/main.js

 * jQuery JavaScript Library v3.3.1
 * https://jquery.com/
 * Includes Sizzle.js
 * https://sizzlejs.com/
 * Copyright JS Foundation and other contributors
 * Released under the MIT license
 * https://jquery.org/license
 * Date: 2018-01-20T17:24Z

Found also an issue corresponding jQuery and new versions.

Thanks for the reply. I see that its still 3.3.1. As per the assessment[URL given below], they expect version 3.5.0 or above.
Is this product[nextcloud 20.X or above] affected by the below vulnerability ?


I am facing the same issue as well. I have upgraded to Nextcloud 22 with jquery version 3.3.1 but it is still vulnerable to below CVEs. Any update from Nextcloud support on this?

This is the community forum and not the right place to address such issues.

Please check Issues · nextcloud/server · GitHub for already reported security issues.
If nothing is there, please file a new one.

Thank you for taking care of such issues.

Hi @rakekniven

Can you please advise how we can check already created security issues now?
As I see now this resource https://hackerone.com/nextcloud?type=team&view_policy=true is not really a bug tracker where I can check already created issues.

I looking for a way to report about jquery 3.3.1 issues regarding

The problematic functions have been patched out since a long time so although an older version is used the Nextcloud code base is not vulnerable