CVE-2016-10735
Description
In Bootstrap 3.x before 3.4.0 and 4.x-beta before 4.0.0-beta.2, XSS is possible in the data-target attribute, a different vulnerability than CVE-2018-14041.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cross-site scripting (XSS) vulnerability in Bootstrap 3.x before 3.4.0 and 4.x-beta before 4.0.0-beta.2 via the data-target attribute.
Vulnerability
Bootstrap versions 3.x prior to 3.4.0 and 4.x-beta prior to 4.0.0-beta.2 are vulnerable to cross-site scripting (XSS) because the value of the data-target attribute is handed to jQuery's $() function without validation when a plugin such as tab or collapse resolves the element it should act on [1]. jQuery interprets a string that starts with < as HTML to be parsed and inserted rather than as a CSS selector, so an attacker who controls the attribute can inject arbitrary HTML/JavaScript, which runs as soon as the plugin resolves the target [2].
Exploitation
The attacker needs to get an element into a page that loads Bootstrap's JavaScript whose data-target attribute contains markup instead of a selector, for example <img src=x onerror=alert(1)> (markup, not a javascript: URI, since the value is parsed as HTML rather than followed as a link). Entity-encoding < and > inside the attribute does not help, because the browser decodes the attribute value before jQuery sees it. The payload fires when the plugin resolves the target, typically when the victim clicks the tab or toggle that carries the attribute. No authentication is required if the attacker can already inject such markup, for example through user-supplied HTML that a sanitizer lets through with data-* attributes intact [1][2].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the victim's browser within the origin of the affected site, leading to potential information disclosure, session hijacking, or defacement. The attack does not require elevated privileges [1].
Mitigation
The fix was released in Bootstrap 3.4.0 and 4.0.0-beta.2 [2][3]; it validates the data-target value as a selector before resolving it instead of passing it straight to $(). Users on the 3.x line should upgrade to 3.4.0 or later, and users of the 4.0.0 pre-releases to 4.0.0-beta.2 or later. Red Hat shipped rebuilt packages in RHBA-2019:1076 and the other errata listed under References [1]. There is no configuration switch that disables the behaviour; until the upgrade lands, the only compensating control is to keep attacker-controlled markup from carrying data-target (or any data-* attribute) in the server-side sanitizer, since the attribute is only dangerous when an attacker controls its value.
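The mechanism described above can be made concrete without a browser. The following JavaScript is an added example for this page, not Bootstrap's or jQuery's source code: it models jQuery's string dispatch (the quick-match regular expression from jQuery's core/init.js), a Bootstrap 3-style target lookup that feeds data-target (or the href fragment) straight into that dispatch, a hardened lookup that accepts only an id selector, and an audit helper that scans stored markup for data-target values jQuery would parse as HTML. The function names, the id-only allow-list regex and SAMPLE_HTML are this example's own choices; the two sample anchors are constructed, not taken from any real site.

```javascript
// Added illustrative example (not Bootstrap's or jQuery's source code).
// Models why a data-target value reaches jQuery as HTML in Bootstrap < 3.4.0
// and 4.0.0-beta.1, and what a hardened resolver must do instead.

// jQuery's quick-match expression (core/init.js): group 1 captures a string that
// starts with "<" and ends with ">" (HTML), group 2 a bare "#id".
const rquickExpr = /^(?:\s*(<[\w\W]+>)[^>]*|#([\w-]+))$/;

// Model of jQuery's $(string) dispatch. In a browser the 'html' branch calls
// jQuery.parseHTML and creates the elements, which fires inline handlers such
// as <img onerror=...>; here it only reports which branch would be taken.
function jqueryDispatch(str) {
  let match;
  if (str.charAt(0) === '<' && str.charAt(str.length - 1) === '>' && str.length >= 3) {
    match = [null, str, null];          // shortcut: "<...>" is assumed to be HTML
  } else {
    match = rquickExpr.exec(str);
  }
  if (match && match[1]) return { kind: 'html', value: match[1] };
  return { kind: 'selector', value: str };
}

// Bootstrap 3-style lookup: data-target wins, otherwise the #fragment of href.
function selectorFromTrigger(attrs) {
  const href = attrs.href || '';
  return attrs['data-target'] || href.replace(/.*(?=#[^\s]+$)/, '');
}

// Vulnerable pattern: the attribute value goes straight into $().
function getTargetVulnerable(attrs) {
  return jqueryDispatch(selectorFromTrigger(attrs));
}

// Hardened pattern: accept only an id selector and resolve it with an API that
// never parses HTML ($(document).find(selector) in jQuery). The allow-list
// regex is this example's choice (assumption), not Bootstrap's exact check.
const rsafeSelector = /^#[A-Za-z][\w-]*$/;
function getTargetHardened(attrs) {
  const target = selectorFromTrigger(attrs).trim();
  if (!rsafeSelector.test(target)) return null;
  return { kind: 'selector', value: target };
}

// Audit helper for stored markup. A sanitizer that merely entity-encodes "<"
// inside the attribute does not help: the browser decodes the attribute value
// before jQuery sees it, so the scanner decodes entities first as well.
const rattr = /data-target\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
const entities = { '&lt;': '<', '&gt;': '>', '&quot;': '"', '&#39;': "'", '&amp;': '&' };
function decodeEntities(s) {
  return s.replace(/&(?:lt|gt|quot|#39|amp);/g, (m) => entities[m]);
}
function findDangerousDataTargets(html) {
  const hits = [];
  let m;
  while ((m = rattr.exec(html)) !== null) {
    const value = decodeEntities(m[1] ?? m[2] ?? m[3]);
    if (jqueryDispatch(value).kind === 'html') hits.push(value);
  }
  return hits;
}

// Constructed sample: one benign toggle and one stored payload that a permissive
// sanitizer let through because data-* attributes were allowed.
const SAMPLE_HTML = [
  '<a data-toggle="collapse" data-target="#faqOne" href="#faqOne">FAQ</a>',
  '<a data-toggle="collapse" data-target="&lt;img src=x onerror=alert(document.domain)&gt;">x</a>',
].join('\n');

console.log(getTargetVulnerable({ 'data-target': '<img src=x onerror=alert(1)>' }));
console.log(getTargetHardened({ 'data-target': '<img src=x onerror=alert(1)>' }));
console.log(findDangerousDataTargets(SAMPLE_HTML));
```

The hardened resolver corresponds to resolving the value with $(document).find(selector), which only ever treats its argument as a selector; the vulnerable one is the $(value) call the fixed releases removed. Running the audit helper over templates and stored user HTML shows whether an upgrade alone closes the exposure or whether the sanitizer also needs to drop data-* attributes.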
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| bootstrap (npm) | >= 2.0.4, < 3.4.0 | 3.4.0 |
| bootstrap (npm) | >= 4.0.0-beta, < 4.0.0-beta.2 | 4.0.0-beta.2 |
| org.webjars:bootstrap (Maven) | >= 2.0.4, < 3.4.0 | 3.4.0 |
| org.webjars:bootstrap (Maven) | >= 4.0.0-beta, < 4.0.0-beta.2 | 4.0.0-beta.2 |
| bootstrap (RubyGems) | < 4.0.0-beta.2 | 4.0.0-beta.2 |
| twbs/bootstrap (Packagist) | >= 2.0.4, < 3.4.0 | 3.4.0 |
| twbs/bootstrap (Packagist) | >= 4.0.0-beta, < 4.0.0-beta.2 | 4.0.0-beta.2 |
| bootstrap (NuGet) | >= 2.0.4, < 3.4.0 | 3.4.0 |
| bootstrap (NuGet) | >= 4.0.0-beta, < 4.0.0-beta.2 | 4.0.0-beta.2 |
| bootstrap-sass (npm) | >= 2.0.4, < 3.4.0 | 3.4.0 |
| bootstrap-sass (RubyGems) | >= 2.0.4, < 3.4.0 | 3.4.0 |
| bootstrap.sass (NuGet) | >= 4.0.0-beta, < 4.0.0-beta.2 | 4.0.0-beta.2 |
Affected products
49 OSV coordinates (package URL: affected version range); none has a CPE assigned. The Grafana and AlmaLinux entries are downstream distribution packages tracked against this CVE by their vendors rather than Bootstrap releases themselves.
- pkg:apk/chainguard/grafana-10.4: < 10.4.19.01-r4
- pkg:apk/chainguard/grafana-10.4-oci-compat: < 10.4.19.01-r4
- pkg:apk/chainguard/grafana-11.2: < 11.2.10.01-r7
- pkg:apk/chainguard/grafana-11.2-oci-compat: < 11.2.10.01-r7
- pkg:apk/chainguard/grafana-11.3: < 11.3.9-r5
- pkg:apk/chainguard/grafana-11.3-oci-compat: < 11.3.9-r5
- pkg:apk/chainguard/grafana-11.4: < 11.4.8-r2
- pkg:apk/chainguard/grafana-11.4-oci-compat: < 11.4.8-r2
- pkg:apk/chainguard/grafana-11.5: < 11.5.10-r0
- pkg:apk/chainguard/grafana-11.5-oci-compat: < 11.5.10-r0
- pkg:apk/chainguard/grafana-11.6: < 11.6.7-r0
- pkg:apk/chainguard/grafana-11.6-oci-compat: < 11.6.7-r0
- pkg:apk/chainguard/grafana-fips-11.2: < 11.2.10.01-r6
- pkg:apk/chainguard/grafana-fips-11.2-oci-compat: < 11.2.10.01-r6
- pkg:apk/chainguard/grafana-fips-11.3: < 11.3.9-r4
- pkg:apk/chainguard/grafana-fips-11.3-oci-compat: < 11.3.9-r4
- pkg:apk/chainguard/grafana-fips-11.4: < 11.4.8-r2
- pkg:apk/chainguard/grafana-fips-11.4-oci-compat: < 11.4.8-r2
- pkg:apk/chainguard/grafana-fips-11.5: < 11.5.10-r0
- pkg:apk/chainguard/grafana-fips-11.5-oci-compat: < 11.5.10-r0
- pkg:apk/chainguard/grafana-fips-11.6: < 11.6.7-r0
- pkg:apk/chainguard/grafana-fips-11.6-oci-compat: < 11.6.7-r0
- pkg:apk/wolfi/grafana-10.4: < 10.4.19.01-r4
- pkg:apk/wolfi/grafana-11.2: < 11.2.10.01-r7
- pkg:apk/wolfi/grafana-11.2-oci-compat: < 11.2.10.01-r7
- pkg:apk/wolfi/grafana-11.3: < 11.3.9-r5
- pkg:apk/wolfi/grafana-11.3-oci-compat: < 11.3.9-r5
- pkg:apk/wolfi/grafana-11.4: < 11.4.8-r2
- pkg:apk/wolfi/grafana-11.4-oci-compat: < 11.4.8-r2
- pkg:apk/wolfi/grafana-11.5: < 11.5.10-r0
- pkg:apk/wolfi/grafana-11.5-oci-compat: < 11.5.10-r0
- pkg:apk/wolfi/grafana-11.6: < 11.6.7-r0
- pkg:apk/wolfi/grafana-11.6-oci-compat: < 11.6.7-r0
- pkg:composer/twbs/bootstrap: >= 2.0.4, < 3.4.0
- pkg:gem/bootstrap: < 4.0.0-beta.2
- pkg:gem/bootstrap-sass: >= 2.0.4, < 3.4.0
- pkg:maven/org.webjars/bootstrap: >= 2.0.4, < 3.4.0
- pkg:npm/bootstrap: >= 2.0.4, < 3.4.0
- pkg:npm/bootstrap-sass: >= 2.0.4, < 3.4.0
- pkg:nuget/bootstrap: >= 2.0.4, < 3.4.0
- pkg:nuget/bootstrap.sass: >= 4.0.0-beta, < 4.0.0-beta.2
- pkg:rpm/almalinux/custodia: < 0.6.0-3.module_el8.6.0+2881+2f24dc92
- pkg:rpm/almalinux/python3-custodia: < 0.6.0-3.module_el8.6.0+2881+2f24dc92
- pkg:rpm/almalinux/python3-jwcrypto: < 0.5.0-1.module_el8.5.0+2641+983b221b
- pkg:rpm/almalinux/python3-kdcproxy: < 0.4-5.module_el8.6.0+2881+2f24dc92
- pkg:rpm/almalinux/python3-pyusb: < 1.0.0-9.module_el8.5.0+2641+983b221b
- pkg:rpm/almalinux/python3-qrcode: < 5.1-12.module_el8.6.0+2881+2f24dc92
- pkg:rpm/almalinux/python3-qrcode-core: < 5.1-12.module_el8.6.0+2737+7e73ea90
- pkg:rpm/almalinux/python3-yubico: < 1.3.2-9.module_el8.5.0+2641+983b221b
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- https://access.redhat.com/errata/RHBA-2019:1076 (Red Hat vendor advisory)
- https://access.redhat.com/errata/RHBA-2019:1570 (Red Hat vendor advisory)
- https://access.redhat.com/errata/RHSA-2019:1456 (Red Hat vendor advisory)
- https://access.redhat.com/errata/RHSA-2019:3023 (Red Hat vendor advisory)
- https://access.redhat.com/errata/RHSA-2020:0132 (Red Hat vendor advisory)
- https://access.redhat.com/errata/RHSA-2020:0133 (Red Hat vendor advisory)
- https://github.com/advisories/GHSA-4p24-vmcr-4gqj (GitHub Security Advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2016-10735 (NVD entry)
- https://blog.getbootstrap.com/2018/07/12/bootstrap-4-1-2 (Bootstrap 4.1.2 release post)
- https://blog.getbootstrap.com/2018/12/13/bootstrap-3-4-0/ (Bootstrap 3.4.0 release post)
- https://github.com/github/advisory-database/pull/3281
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/bootstrap-sass/CVE-2016-10735.yml
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/bootstrap/CVE-2016-10735.yml
- https://github.com/twbs/bootstrap/issues/20184
- https://github.com/twbs/bootstrap/issues/27915
- https://github.com/twbs/bootstrap/pull/23679
- https://github.com/twbs/bootstrap/pull/23687
- https://github.com/twbs/bootstrap/pull/26460
- https://www.tenable.com/security/tns-2021-14 (Tenable advisory)
News mentions
No linked articles in our index yet.