CVE-2016-10735 in Bootstrap
Summary
by MITRE
In Bootstrap 3.x before 3.4.0 and 4.x-beta before 4.0.0-beta.2, XSS is possible in the data-target attribute, a different vulnerability than CVE-2018-14041.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 01/21/2026
The vulnerability identified as CVE-2016-10735 represents a cross-site scripting vulnerability within the Bootstrap JavaScript components that affects versions prior to the specified secure releases. This issue specifically targets the data-target attribute functionality within Bootstrap's navigation and component systems, creating a pathway for malicious actors to inject harmful scripts into web applications that utilize these frontend frameworks. The vulnerability exists in both Bootstrap 3.x versions before 3.4.0 and Bootstrap 4.x-beta versions before 4.0.0-beta.2, indicating a widespread impact across multiple major versions of the framework.
The technical flaw manifests when the data-target attribute in Bootstrap components fails to properly sanitize user input before rendering it into the DOM. This attribute is commonly used to reference other elements within the page for functionality such as collapsing navigation menus, tab switching, and modal interactions. When malicious input is passed through this attribute without proper validation or encoding, the browser executes the injected JavaScript code as part of the normal page rendering process. This occurs because the framework does not adequately escape special characters or validate the target references, allowing attackers to inject script tags, event handlers, or other malicious payloads that can execute in the context of the user's browser session.
The operational impact of this vulnerability extends beyond simple script execution, as it can enable attackers to perform various malicious activities including session hijacking, data theft, redirection to malicious sites, and manipulation of page content. Since Bootstrap is widely adopted across numerous websites and web applications, the potential attack surface is extensive, affecting both enterprise applications and consumer-facing sites. The vulnerability particularly impacts web applications that allow user-generated content to influence navigation or component targeting, making it a significant concern for content management systems, forums, and any platform where user input is processed through Bootstrap's JavaScript components. This vulnerability aligns with CWE-79, which describes cross-site scripting flaws, and can be categorized under the ATT&CK technique T1211 for exploiting weaknesses in web applications through client-side vulnerabilities.
Mitigation strategies for CVE-2016-10735 require immediate implementation of version upgrades to Bootstrap 3.4.0 or later 3.x releases, and Bootstrap 4.0.0-beta.2 or later 4.x releases, as these versions contain the necessary patches to address the sanitization issues. Organizations should also implement input validation and sanitization measures at the application level to prevent malicious data from reaching the Bootstrap components, particularly when user input is used in data-target attributes. Additional defensive measures include implementing content security policies to restrict script execution, using proper HTML encoding for all dynamic content, and conducting regular security audits of web applications that utilize Bootstrap frameworks. Security teams should also consider implementing automated vulnerability scanning tools that can identify instances of vulnerable Bootstrap versions and improper usage of data-target attributes within their codebases to ensure comprehensive protection against this and similar client-side vulnerabilities.