Bump actions/upload-artifact from 5 to 6 #11

dependabot · 2025-12-15T09:28:49Z

Bumps actions/upload-artifact from 5 to 6.

Release notes

Sourced from actions/upload-artifact's releases.

v6.0.0

v6 - What's new

[!IMPORTANT] actions/upload-artifact@v6 now runs on Node.js 24 (runs.using: node24) and requires a minimum Actions Runner version of 2.327.1. If you are using self-hosted runners, ensure they are updated before upgrading.

Node.js 24

This release updates the runtime to Node.js 24. v5 had preliminary support for Node.js 24, however this action was by default still running on Node.js 20. Now this action by default will run on Node.js 24.

What's Changed

Upload Artifact Node 24 support by @salmanmkc in actions/upload-artifact#719

fix: update @actions/artifact for Node.js 24 punycode deprecation by @salmanmkc in actions/upload-artifact#744

prepare release v6.0.0 for Node.js 24 support by @salmanmkc in actions/upload-artifact#745

Full Changelog: actions/upload-artifact@v5.0.0...v6.0.0

Commits

b7c566a Merge pull request #745 from actions/upload-artifact-v6-release
e516bc8 docs: correct description of Node.js 24 support in README
ddc45ed docs: update README to correct action name for Node.js 24 support
615b319 chore: release v6.0.0 for Node.js 24 support
017748b Merge pull request #744 from actions/fix-storage-blob
38d4c79 chore: rebuild dist
7d27270 chore: add missing license cache files for @actions/core, @actions/io, and mi...
5f643d3 chore: update license files for @actions/artifact@5.0.1 dependencies
1df1684 chore: update package-lock.json with @actions/artifact@5.0.1
b5b1a91 fix: update @actions/artifact to ^5.0.0 for Node.js 24 punycode fix
Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot merge will merge this PR after your CI passes on it
@dependabot squash and merge will squash and merge this PR after your CI passes on it
@dependabot cancel merge will cancel a previously requested merge and block automerging
@dependabot reopen will reopen this PR if it is closed
@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 5 to 6. - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](actions/upload-artifact@v5...v6) --- updated-dependencies: - dependency-name: actions/upload-artifact dependency-version: '6' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>

JLP04

Approved.

github-actions · 2026-01-28T03:26:26Z


Your image	`ghcr.io/jlp04/elevation-generator:test`
Current base image	`debian:latest`

github-actions · 2026-01-28T03:26:30Z

🔍 Vulnerabilities of `ghcr.io/jlp04/elevation-generator:test`

📦 Image Reference ghcr.io/jlp04/elevation-generator:test

digest	`sha256:7cec1838360c9fbbfc8bc0e667bb7999124683c8ca3ed45e68c3d49545b06660`
vulnerabilities
platform	linux/386
size	9.4 GB
packages	956

📦 Base Image debian:13

also known as	`13.3` `latest` `trixie` `trixie-20260112`
digest	`sha256:17e1b73fa4f3383f5fe8d3423697f31f70d5c0acfbad77ce471ce75cda5d2b66`
vulnerabilities

stdlib 1.25.4 (golang)

pkg:golang/stdlib@1.25.4

# Dockerfile (241:241)
RUN set -o pipefail && curl https://getcroc.schollz.com | bash || curl https://getcroc.schollz.com | sed 's^croc_base_url="https://github.com/schollz/croc/releases/download"^croc_base_url="file://"^g' | bash

Affected range	`>=1.25.0 <1.25.5`
Fixed version	`1.25.5`
EPSS Score	`0.017%`
EPSS Percentile	`3rd percentile`

Description

Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a malicious actor can result in excessive resource consumption.

Affected range	`>=1.25.0 <1.25.5`
Fixed version	`1.25.5`
EPSS Score	`0.010%`
EPSS Percentile	`1st percentile`

Description

An excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard SANs in the leaf certificate. For example a constraint that excludes the subdomain test.example.com does not prevent a leaf certificate from claiming the SAN *.example.com.

jquery-ui 1.11.2 (npm)

pkg:npm/jquery-ui@1.11.2

# Dockerfile (227:227)
COPY --from=build /tmp/install /flightgear/script/dnc-managed/install

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.13.0`
Fixed version	`1.13.0`
CVSS Score	`6.5`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N`
EPSS Score	`22.535%`
EPSS Percentile	`96th percentile`

Description

Impact

Accepting the value of the of option of the .position() util from untrusted sources may execute untrusted code. For example, invoking the following code:
$( "#element" ).position( {
	my: "left top",
	at: "right bottom",
	of: "<img onerror='doEvilThing()' src='/404' />",
	collision: "none"
} );
will call the doEvilThing() function.

Patches

The issue is fixed in jQuery UI 1.13.0. Any string value passed to the of option is now treated as a CSS selector.

Workarounds

A workaround is to not accept the value of the of option from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.13.0`
Fixed version	`1.13.0`
CVSS Score	`6.5`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N`
EPSS Score	`2.937%`
EPSS Percentile	`86th percentile`

Description

Impact

Accepting the value of various *Text options of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker in the following way:
$( "#datepicker" ).datepicker( {
	showButtonPanel: true,
	showOn: "both",
	closeText: "<script>doEvilThing( 'closeText XSS' )</script>",
	currentText: "<script>doEvilThing( 'currentText XSS' )</script>",
	prevText: "<script>doEvilThing( 'prevText XSS' )</script>",
	nextText: "<script>doEvilThing( 'nextText XSS' )</script>",
	buttonText: "<script>doEvilThing( 'buttonText XSS' )</script>",
	appendText: "<script>doEvilThing( 'appendText XSS' )</script>",
} );
will call doEvilThing with 6 different parameters coming from all *Text options.

Patches

The issue is fixed in jQuery UI 1.13.0. The values passed to various *Text options are now always treated as pure text, not HTML.

Workarounds

A workaround is to not accept the value of the *Text options from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.13.0`
Fixed version	`1.13.0`
CVSS Score	`6.5`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N`
EPSS Score	`20.555%`
EPSS Percentile	`95th percentile`

Description

Impact

Accepting the value of the altField option of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker in the following way:
$( "#datepicker" ).datepicker( {
	altField: "<img onerror='doEvilThing()' src='/404' />",
} );
will call the doEvilThing function.

Patches

The issue is fixed in jQuery UI 1.13.0. Any string value passed to the altField option is now treated as a CSS selector.

Workarounds

A workaround is to not accept the value of the altField option from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.13.2`
Fixed version	`1.13.2`
CVSS Score	`6.1`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N`
EPSS Score	`10.183%`
EPSS Percentile	`93rd percentile`

Description

Impact

Initializing a checkboxradio widget on an input enclosed within a label makes that parent label contents considered as the input label. If you call .checkboxradio( "refresh" ) on such a widget and the initial HTML contained encoded HTML entities, they will erroneously get decoded. This can lead to potentially executing JavaScript code.

For example, starting with the following initial secure HTML:
<label>
	<input id="test-input">
	&lt;img src=x onerror="alert(1)"&gt;
</label>
and calling:
$( "#test-input" ).checkboxradio();
$( "#test-input" ).checkboxradio( "refresh" );
will turn the initial HTML into:
<label>
	
	<input id="test-input">
	<img src=x onerror="alert(1)">
</label>
and the alert will get executed.

Patches

The bug has been patched in jQuery UI 1.13.2.

Workarounds

To remediate the issue, if you can change the initial HTML, you can wrap all the non-input contents of the label in a span:
<label>
	<input id="test-input">
	<span>&lt;img src=x onerror="alert(1)"&gt;</span>
</label>
References

https://blog.jqueryui.com/2022/07/jquery-ui-1-13-2-released/

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.12.0`
Fixed version	`1.12.0`
CVSS Score	`6.1`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N`
EPSS Score	`1.397%`
EPSS Percentile	`80th percentile`

Description

Affected versions of jquery-ui are vulnerable to a cross-site scripting vulnerability when arbitrary user input is supplied as the value of the closeText parameter in the dialog function.

jQuery-UI is a library for manipulating UI elements via jQuery.

Version 1.11.4 has a cross site scripting (XSS) vulnerability in the closeText parameter of the dialog function. If your application passes user input to this parameter, it may be vulnerable to XSS via this attack vector.

Recommendation

Upgrade to jQuery-UI 1.12.0 or later.

OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

Affected range	`<=1.11.4`
Fixed version	`1.12.0`

Description

jQuery-UI has a cross site scripting (XSS) vulnerability in the closeText parameter of the dialog function. If your application passes user input to this parameter, it may be vulnerable to XSS via this attack vector.

github-actions · 2026-01-28T03:26:33Z

Recommended fixes for image (linux/386) `ghcr.io/jlp04/elevation-generator:test`

Base image is debian:latest

Name	13.3
Digest	sha256:17e1b73fa4f3383f5fe8d3423697f31f70d5c0acfbad77ce471ce75cda5d2b66
Vulnerabilities
Pushed	2 weeks ago
Size	51 MB
Packages	111
OS	13.3

The base image is also available under the supported tag(s): 13, 13.3, trixie, trixie-20260112

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

✅ There are no tag recommendations at this time.

github-actions · 2026-01-28T03:26:56Z

Overview

Image reference	`jlp04/elevation-generator:latest`	`ghcr.io/jlp04/elevation-generator:test`
- digest	`82f479053206`	`7cec1838360c`
- tag	`latest`	`test`
- provenance	https://github.com/JLP04/docker-elevation-generator.git#refs/pull/10/merge/commit/4a2cc7daafb000b33b63d0cdd546cf4d8af2098d	https://github.com/JLP04/docker-elevation-generator.git#570648b54d6b3dbe2d0fe6caedf0f77c1b8d47f2/commit/570648b54d6b3dbe2d0fe6caedf0f77c1b8d47f2
- vulnerabilities
- platform	linux/386	linux/386
- size	9.4 GB	9.4 GB (+460 kB)
- packages	956	956
Base Image	`debian:latest` also known as: • `13` • `trixie`	`debian:latest` also known as: • `13` • `13.3` • `trixie` • `trixie-20260112`
- vulnerabilities

Packages and Vulnerabilities (55 package changes and 6 vulnerability changes)

➕ 7 packages added

➖ 7 packages removed

♾️ 41 packages changed

554 packages unchanged

✔️ 6 vulnerabilities removed

Changes for packages of type deb (41 changes)

	Package	Version `jlp04/elevation-generator:latest`	Version `ghcr.io/jlp04/elevation-generator:test`
♾️	base-files	`13.8+deb13u2`	`13.8+deb13u3`
♾️	bash	`5.2.37-2+b5`	`5.2.37-2+b7`
♾️	comerr-dev	`2.1-1.47.2-3+b3`	`2.1-1.47.2-3+b7`
♾️	gir1.2-glib-2.0	`2.84.4-3~deb13u1`	`2.84.4-3~deb13u2`
♾️	gir1.2-glib-2.0-dev	`2.84.4-3~deb13u1`	`2.84.4-3~deb13u2`
♾️	girepository-tools	`2.84.4-3~deb13u1`	`2.84.4-3~deb13u2`
♾️	libavcodec-dev	`7:7.1.2-0+deb13u1`	`7:7.1.3-0+deb13u1`
♾️	libavcodec61	`7:7.1.2-0+deb13u1`	`7:7.1.3-0+deb13u1`
♾️	libavformat-dev	`7:7.1.2-0+deb13u1`	`7:7.1.3-0+deb13u1`
♾️	libavformat61	`7:7.1.2-0+deb13u1`	`7:7.1.3-0+deb13u1`
♾️	libavutil-dev	`7:7.1.2-0+deb13u1`	`7:7.1.3-0+deb13u1`
♾️	libavutil59	`7:7.1.2-0+deb13u1`	`7:7.1.3-0+deb13u1`
♾️	libc-bin	`2.41-12`	`2.41-12+deb13u1`
♾️	libc-dev-bin	`2.41-12`	`2.41-12+deb13u1`
♾️	libc6	`2.41-12`	`2.41-12+deb13u1`
♾️	libc6-dev	`2.41-12`	`2.41-12+deb13u1`
♾️	libcap-dev	`1:2.75-10+b1`	`1:2.75-10+b3`
♾️	libcap2	`1:2.75-10+b1`	`1:2.75-10+b3`
♾️	libcom-err2	`1.47.2-3+b3`	`1.47.2-3+b7`
♾️	libgio-2.0-dev	`2.84.4-3~deb13u1`	`2.84.4-3~deb13u2`
♾️	libgio-2.0-dev-bin	`2.84.4-3~deb13u1`	`2.84.4-3~deb13u2`
♾️	libgirepository-2.0-0	`2.84.4-3~deb13u1`	`2.84.4-3~deb13u2`
♾️	libglib2.0-0t64	`2.84.4-3~deb13u1`	`2.84.4-3~deb13u2`
♾️	libglib2.0-bin	`2.84.4-3~deb13u1`	`2.84.4-3~deb13u2`
♾️	libglib2.0-data	`2.84.4-3~deb13u1`	`2.84.4-3~deb13u2`
♾️	libglib2.0-dev	`2.84.4-3~deb13u1`	`2.84.4-3~deb13u2`
♾️	libglib2.0-dev-bin	`2.84.4-3~deb13u1`	`2.84.4-3~deb13u2`
♾️	libgnutls-dane0t64	`3.8.9-3`	`3.8.9-3+deb13u1`
♾️	libgnutls-openssl27t64	`3.8.9-3`	`3.8.9-3+deb13u1`
♾️	libgnutls28-dev	`3.8.9-3`	`3.8.9-3+deb13u1`
♾️	libgnutls30t64	`3.8.9-3`	`3.8.9-3+deb13u1`

		Removed vulnerabilities (1):
♾️	libmbedcrypto16	`3.6.4-2`	`3.6.5-0.1~deb13u1`
♾️	libpng-dev	`1.6.48-1`	`1.6.48-1+deb13u1`
♾️	libpng16-16t64	`1.6.48-1`	`1.6.48-1+deb13u1`

		Removed vulnerabilities (5):
♾️	libsodium23	`1.0.18-1+b2`	`1.0.18-1+deb13u1`
♾️	libswresample-dev	`7:7.1.2-0+deb13u1`	`7:7.1.3-0+deb13u1`
♾️	libswresample5	`7:7.1.2-0+deb13u1`	`7:7.1.3-0+deb13u1`
♾️	libswscale-dev	`7:7.1.2-0+deb13u1`	`7:7.1.3-0+deb13u1`
♾️	libswscale8	`7:7.1.2-0+deb13u1`	`7:7.1.3-0+deb13u1`
♾️	linux-libc-dev	`6.12.57-1`	`6.12.63-1`
♾️	sqv	`1.3.0-3`	`1.3.0-3+b2`

Changes for packages of type golang (14 changes)

	Package	Version `jlp04/elevation-generator:latest`	Version `ghcr.io/jlp04/elevation-generator:test`
➕	github.com/cespare/xxhash/v2		`2.3.0`
➖	github.com/cespare/xxhash/v2	`2.3.0`
➖	github.com/cpuguy83/go-md2man/v2	`2.0.7`
➕	github.com/cpuguy83/go-md2man/v2		`2.0.7`
➕	github.com/russross/blackfriday/v2		`2.1.0`
➖	github.com/russross/blackfriday/v2	`2.1.0`
➕	github.com/schollz/cli/v2		`2.2.1`
➖	github.com/schollz/cli/v2	`2.2.1`
➕	github.com/schollz/croc/v10		`UNKNOWN`
➖	github.com/schollz/croc/v10	`UNKNOWN`
➖	github.com/schollz/pake/v3	`3.1.0`
➕	github.com/schollz/pake/v3		`3.1.0`
➖	github.com/schollz/progressbar/v3	`3.18.0`
➕	github.com/schollz/progressbar/v3		`3.18.0`

github-actions · 2026-01-28T03:27:15Z


Your image	`ghcr.io/jlp04/elevation-generator:test`
Current base image	`debian:latest`

github-actions · 2026-01-28T03:27:19Z

🔍 Vulnerabilities of `ghcr.io/jlp04/elevation-generator:test`

📦 Image Reference ghcr.io/jlp04/elevation-generator:test

digest	`sha256:e5f02f9e8c4b957d8db45632b8cbedb3ac176a16f83ac128fa59c7aec493cde9`
vulnerabilities
platform	linux/amd64
size	9.4 GB
packages	960

📦 Base Image debian:13

also known as	`13.3` `latest` `trixie` `trixie-20260112`
digest	`sha256:a3b5f4f0286249a124bfe9845b3aec0f88de32ff31dd8d7e1b945f9f98d116b0`
vulnerabilities

stdlib 1.25.4 (golang)

pkg:golang/stdlib@1.25.4

# Dockerfile (241:241)
RUN set -o pipefail && curl https://getcroc.schollz.com | bash || curl https://getcroc.schollz.com | sed 's^croc_base_url="https://github.com/schollz/croc/releases/download"^croc_base_url="file://"^g' | bash

Affected range	`>=1.25.0 <1.25.5`
Fixed version	`1.25.5`
EPSS Score	`0.017%`
EPSS Percentile	`3rd percentile`

Description

Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a malicious actor can result in excessive resource consumption.

Affected range	`>=1.25.0 <1.25.5`
Fixed version	`1.25.5`
EPSS Score	`0.010%`
EPSS Percentile	`1st percentile`

Description

An excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard SANs in the leaf certificate. For example a constraint that excludes the subdomain test.example.com does not prevent a leaf certificate from claiming the SAN *.example.com.

jquery-ui 1.11.2 (npm)

pkg:npm/jquery-ui@1.11.2

# Dockerfile (227:227)
COPY --from=build /tmp/install /flightgear/script/dnc-managed/install

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.13.0`
Fixed version	`1.13.0`
CVSS Score	`6.5`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N`
EPSS Score	`22.535%`
EPSS Percentile	`96th percentile`

Description

Impact

Accepting the value of the of option of the .position() util from untrusted sources may execute untrusted code. For example, invoking the following code:
$( "#element" ).position( {
	my: "left top",
	at: "right bottom",
	of: "<img onerror='doEvilThing()' src='/404' />",
	collision: "none"
} );
will call the doEvilThing() function.

Patches

The issue is fixed in jQuery UI 1.13.0. Any string value passed to the of option is now treated as a CSS selector.

Workarounds

A workaround is to not accept the value of the of option from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.13.0`
Fixed version	`1.13.0`
CVSS Score	`6.5`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N`
EPSS Score	`2.937%`
EPSS Percentile	`86th percentile`

Description

Impact

Accepting the value of various *Text options of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker in the following way:
$( "#datepicker" ).datepicker( {
	showButtonPanel: true,
	showOn: "both",
	closeText: "<script>doEvilThing( 'closeText XSS' )</script>",
	currentText: "<script>doEvilThing( 'currentText XSS' )</script>",
	prevText: "<script>doEvilThing( 'prevText XSS' )</script>",
	nextText: "<script>doEvilThing( 'nextText XSS' )</script>",
	buttonText: "<script>doEvilThing( 'buttonText XSS' )</script>",
	appendText: "<script>doEvilThing( 'appendText XSS' )</script>",
} );
will call doEvilThing with 6 different parameters coming from all *Text options.

Patches

The issue is fixed in jQuery UI 1.13.0. The values passed to various *Text options are now always treated as pure text, not HTML.

Workarounds

A workaround is to not accept the value of the *Text options from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.13.0`
Fixed version	`1.13.0`
CVSS Score	`6.5`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N`
EPSS Score	`20.555%`
EPSS Percentile	`95th percentile`

Description

Impact

Accepting the value of the altField option of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker in the following way:
$( "#datepicker" ).datepicker( {
	altField: "<img onerror='doEvilThing()' src='/404' />",
} );
will call the doEvilThing function.

Patches

The issue is fixed in jQuery UI 1.13.0. Any string value passed to the altField option is now treated as a CSS selector.

Workarounds

A workaround is to not accept the value of the altField option from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.13.2`
Fixed version	`1.13.2`
CVSS Score	`6.1`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N`
EPSS Score	`10.183%`
EPSS Percentile	`93rd percentile`

Description

Impact

Initializing a checkboxradio widget on an input enclosed within a label makes that parent label contents considered as the input label. If you call .checkboxradio( "refresh" ) on such a widget and the initial HTML contained encoded HTML entities, they will erroneously get decoded. This can lead to potentially executing JavaScript code.

For example, starting with the following initial secure HTML:
<label>
	<input id="test-input">
	&lt;img src=x onerror="alert(1)"&gt;
</label>
and calling:
$( "#test-input" ).checkboxradio();
$( "#test-input" ).checkboxradio( "refresh" );
will turn the initial HTML into:
<label>
	
	<input id="test-input">
	<img src=x onerror="alert(1)">
</label>
and the alert will get executed.

Patches

The bug has been patched in jQuery UI 1.13.2.

Workarounds

To remediate the issue, if you can change the initial HTML, you can wrap all the non-input contents of the label in a span:
<label>
	<input id="test-input">
	<span>&lt;img src=x onerror="alert(1)"&gt;</span>
</label>
References

https://blog.jqueryui.com/2022/07/jquery-ui-1-13-2-released/

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.12.0`
Fixed version	`1.12.0`
CVSS Score	`6.1`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N`
EPSS Score	`1.397%`
EPSS Percentile	`80th percentile`

Description

Affected versions of jquery-ui are vulnerable to a cross-site scripting vulnerability when arbitrary user input is supplied as the value of the closeText parameter in the dialog function.

jQuery-UI is a library for manipulating UI elements via jQuery.

Version 1.11.4 has a cross site scripting (XSS) vulnerability in the closeText parameter of the dialog function. If your application passes user input to this parameter, it may be vulnerable to XSS via this attack vector.

Recommendation

Upgrade to jQuery-UI 1.12.0 or later.

OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

Affected range	`<=1.11.4`
Fixed version	`1.12.0`

Description

jQuery-UI has a cross site scripting (XSS) vulnerability in the closeText parameter of the dialog function. If your application passes user input to this parameter, it may be vulnerable to XSS via this attack vector.

github-actions · 2026-01-28T03:27:22Z

Recommended fixes for image (linux/amd64) `ghcr.io/jlp04/elevation-generator:test`

Base image is debian:latest

Name	13.3
Digest	sha256:a3b5f4f0286249a124bfe9845b3aec0f88de32ff31dd8d7e1b945f9f98d116b0
Vulnerabilities
Pushed	2 weeks ago
Size	49 MB
Packages	111
OS	13.3

The base image is also available under the supported tag(s): 13, 13.3, trixie, trixie-20260112

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

✅ There are no tag recommendations at this time.

github-actions · 2026-01-28T03:27:44Z

Overview

Image reference	`jlp04/elevation-generator:latest`	`ghcr.io/jlp04/elevation-generator:test`
- digest	`6d931efd1207`	`e5f02f9e8c4b`
- tag	`latest`	`test`
- provenance	https://github.com/JLP04/docker-elevation-generator.git#refs/pull/10/merge/commit/4a2cc7daafb000b33b63d0cdd546cf4d8af2098d	https://github.com/JLP04/docker-elevation-generator.git#570648b54d6b3dbe2d0fe6caedf0f77c1b8d47f2/commit/570648b54d6b3dbe2d0fe6caedf0f77c1b8d47f2
- vulnerabilities
- platform	linux/amd64	linux/amd64
- size	9.4 GB	9.4 GB (+3.4 MB)
- packages	960	960
Base Image	`debian:latest` also known as: • `13` • `trixie`	`debian:latest` also known as: • `13` • `13.3` • `trixie` • `trixie-20260112`
- vulnerabilities

Packages and Vulnerabilities (59 package changes and 6 vulnerability changes)

➕ 7 packages added

➖ 7 packages removed

♾️ 45 packages changed

554 packages unchanged

✔️ 6 vulnerabilities removed

Changes for packages of type deb (45 changes)

	Package	Version `jlp04/elevation-generator:latest`	Version `ghcr.io/jlp04/elevation-generator:test`
♾️	base-files	`13.8+deb13u2`	`13.8+deb13u3`
♾️	bash	`5.2.37-2+b5`	`5.2.37-2+b7`
♾️	comerr-dev	`2.1-1.47.2-3+b3`	`2.1-1.47.2-3+b7`
♾️	gir1.2-glib-2.0	`2.84.4-3~deb13u1`	`2.84.4-3~deb13u2`
♾️	gir1.2-glib-2.0-dev	`2.84.4-3~deb13u1`	`2.84.4-3~deb13u2`
♾️	girepository-tools	`2.84.4-3~deb13u1`	`2.84.4-3~deb13u2`
♾️	libavcodec-dev	`7:7.1.2-0+deb13u1`	`7:7.1.3-0+deb13u1`
♾️	libavcodec61	`7:7.1.2-0+deb13u1`	`7:7.1.3-0+deb13u1`
♾️	libavformat-dev	`7:7.1.2-0+deb13u1`	`7:7.1.3-0+deb13u1`
♾️	libavformat61	`7:7.1.2-0+deb13u1`	`7:7.1.3-0+deb13u1`
♾️	libavutil-dev	`7:7.1.2-0+deb13u1`	`7:7.1.3-0+deb13u1`
♾️	libavutil59	`7:7.1.2-0+deb13u1`	`7:7.1.3-0+deb13u1`
♾️	libc-bin	`2.41-12`	`2.41-12+deb13u1`
♾️	libc-dev-bin	`2.41-12`	`2.41-12+deb13u1`
♾️	libc6	`2.41-12`	`2.41-12+deb13u1`
♾️	libc6-dev	`2.41-12`	`2.41-12+deb13u1`
♾️	libcap-dev	`1:2.75-10+b1`	`1:2.75-10+b3`
♾️	libcap2	`1:2.75-10+b1`	`1:2.75-10+b3`
♾️	libcom-err2	`1.47.2-3+b3`	`1.47.2-3+b7`
♾️	libgio-2.0-dev	`2.84.4-3~deb13u1`	`2.84.4-3~deb13u2`
♾️	libgio-2.0-dev-bin	`2.84.4-3~deb13u1`	`2.84.4-3~deb13u2`
♾️	libgirepository-2.0-0	`2.84.4-3~deb13u1`	`2.84.4-3~deb13u2`
♾️	libglib2.0-0t64	`2.84.4-3~deb13u1`	`2.84.4-3~deb13u2`
♾️	libglib2.0-bin	`2.84.4-3~deb13u1`	`2.84.4-3~deb13u2`
♾️	libglib2.0-data	`2.84.4-3~deb13u1`	`2.84.4-3~deb13u2`
♾️	libglib2.0-dev	`2.84.4-3~deb13u1`	`2.84.4-3~deb13u2`
♾️	libglib2.0-dev-bin	`2.84.4-3~deb13u1`	`2.84.4-3~deb13u2`
♾️	libgnutls-dane0t64	`3.8.9-3`	`3.8.9-3+deb13u1`
♾️	libgnutls-openssl27t64	`3.8.9-3`	`3.8.9-3+deb13u1`
♾️	libgnutls28-dev	`3.8.9-3`	`3.8.9-3+deb13u1`
♾️	libgnutls30t64	`3.8.9-3`	`3.8.9-3+deb13u1`

		Removed vulnerabilities (1):
♾️	libmbedcrypto16	`3.6.4-2`	`3.6.5-0.1~deb13u1`
♾️	libpng-dev	`1.6.48-1`	`1.6.48-1+deb13u1`
♾️	libpng16-16t64	`1.6.48-1`	`1.6.48-1+deb13u1`

		Removed vulnerabilities (5):
♾️	libsodium23	`1.0.18-1+b2`	`1.0.18-1+deb13u1`
♾️	libssl-dev	`3.5.4-1~deb13u1`	`3.5.4-1~deb13u2`
♾️	libssl3t64	`3.5.4-1~deb13u1`	`3.5.4-1~deb13u2`
♾️	libswresample-dev	`7:7.1.2-0+deb13u1`	`7:7.1.3-0+deb13u1`
♾️	libswresample5	`7:7.1.2-0+deb13u1`	`7:7.1.3-0+deb13u1`
♾️	libswscale-dev	`7:7.1.2-0+deb13u1`	`7:7.1.3-0+deb13u1`
♾️	libswscale8	`7:7.1.2-0+deb13u1`	`7:7.1.3-0+deb13u1`
♾️	linux-libc-dev	`6.12.57-1`	`6.12.63-1`
♾️	openssl	`3.5.4-1~deb13u1`	`3.5.4-1~deb13u2`
♾️	openssl-provider-legacy	`3.5.4-1~deb13u1`	`3.5.4-1~deb13u2`
♾️	sqv	`1.3.0-3`	`1.3.0-3+b2`

Changes for packages of type golang (14 changes)

	Package	Version `jlp04/elevation-generator:latest`	Version `ghcr.io/jlp04/elevation-generator:test`
➖	github.com/cespare/xxhash/v2	`2.3.0`
➕	github.com/cespare/xxhash/v2		`2.3.0`
➖	github.com/cpuguy83/go-md2man/v2	`2.0.7`
➕	github.com/cpuguy83/go-md2man/v2		`2.0.7`
➕	github.com/russross/blackfriday/v2		`2.1.0`
➖	github.com/russross/blackfriday/v2	`2.1.0`
➖	github.com/schollz/cli/v2	`2.2.1`
➕	github.com/schollz/cli/v2		`2.2.1`
➕	github.com/schollz/croc/v10		`UNKNOWN`
➖	github.com/schollz/croc/v10	`UNKNOWN`
➖	github.com/schollz/pake/v3	`3.1.0`
➕	github.com/schollz/pake/v3		`3.1.0`
➕	github.com/schollz/progressbar/v3		`3.18.0`
➖	github.com/schollz/progressbar/v3	`3.18.0`

github-actions · 2026-01-28T03:28:03Z


Your image	`ghcr.io/jlp04/elevation-generator:test`
Current base image	`debian:latest`

github-actions · 2026-01-28T03:28:08Z

🔍 Vulnerabilities of `ghcr.io/jlp04/elevation-generator:test`

📦 Image Reference ghcr.io/jlp04/elevation-generator:test

digest	`sha256:25a1dfe08ceadbd4b140ebec60ebdf01f0eba1e4010a919eacd642fe6c79bddd`
vulnerabilities
platform	linux/arm/v5
size	9.4 GB
packages	944

📦 Base Image debian:13

also known as	`13.3` `latest` `trixie` `trixie-20260112`
digest	`sha256:9c6f0ddc0d42a4a988ed1b7355995b442258fd1e3f7eb4f5ad70739a18ac2978`
vulnerabilities

stdlib 1.25.4 (golang)

pkg:golang/stdlib@1.25.4

# Dockerfile (241:241)
RUN set -o pipefail && curl https://getcroc.schollz.com | bash || curl https://getcroc.schollz.com | sed 's^croc_base_url="https://github.com/schollz/croc/releases/download"^croc_base_url="file://"^g' | bash

Affected range	`>=1.25.0 <1.25.5`
Fixed version	`1.25.5`
EPSS Score	`0.017%`
EPSS Percentile	`3rd percentile`

Description

Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a malicious actor can result in excessive resource consumption.

Affected range	`>=1.25.0 <1.25.5`
Fixed version	`1.25.5`
EPSS Score	`0.010%`
EPSS Percentile	`1st percentile`

Description

An excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard SANs in the leaf certificate. For example a constraint that excludes the subdomain test.example.com does not prevent a leaf certificate from claiming the SAN *.example.com.

jquery-ui 1.11.2 (npm)

pkg:npm/jquery-ui@1.11.2

# Dockerfile (227:227)
COPY --from=build /tmp/install /flightgear/script/dnc-managed/install

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.13.0`
Fixed version	`1.13.0`
CVSS Score	`6.5`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N`
EPSS Score	`22.535%`
EPSS Percentile	`96th percentile`

Description

Impact

Accepting the value of the of option of the .position() util from untrusted sources may execute untrusted code. For example, invoking the following code:
$( "#element" ).position( {
	my: "left top",
	at: "right bottom",
	of: "<img onerror='doEvilThing()' src='/404' />",
	collision: "none"
} );
will call the doEvilThing() function.

Patches

The issue is fixed in jQuery UI 1.13.0. Any string value passed to the of option is now treated as a CSS selector.

Workarounds

A workaround is to not accept the value of the of option from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.13.0`
Fixed version	`1.13.0`
CVSS Score	`6.5`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N`
EPSS Score	`2.937%`
EPSS Percentile	`86th percentile`

Description

Impact

Accepting the value of various *Text options of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker in the following way:
$( "#datepicker" ).datepicker( {
	showButtonPanel: true,
	showOn: "both",
	closeText: "<script>doEvilThing( 'closeText XSS' )</script>",
	currentText: "<script>doEvilThing( 'currentText XSS' )</script>",
	prevText: "<script>doEvilThing( 'prevText XSS' )</script>",
	nextText: "<script>doEvilThing( 'nextText XSS' )</script>",
	buttonText: "<script>doEvilThing( 'buttonText XSS' )</script>",
	appendText: "<script>doEvilThing( 'appendText XSS' )</script>",
} );
will call doEvilThing with 6 different parameters coming from all *Text options.

Patches

The issue is fixed in jQuery UI 1.13.0. The values passed to various *Text options are now always treated as pure text, not HTML.

Workarounds

A workaround is to not accept the value of the *Text options from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.13.0`
Fixed version	`1.13.0`
CVSS Score	`6.5`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N`
EPSS Score	`20.555%`
EPSS Percentile	`95th percentile`

Description

Impact

Accepting the value of the altField option of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker in the following way:
$( "#datepicker" ).datepicker( {
	altField: "<img onerror='doEvilThing()' src='/404' />",
} );
will call the doEvilThing function.

Patches

The issue is fixed in jQuery UI 1.13.0. Any string value passed to the altField option is now treated as a CSS selector.

Workarounds

A workaround is to not accept the value of the altField option from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.13.2`
Fixed version	`1.13.2`
CVSS Score	`6.1`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N`
EPSS Score	`10.183%`
EPSS Percentile	`93rd percentile`

Description

Impact

Initializing a checkboxradio widget on an input enclosed within a label makes that parent label contents considered as the input label. If you call .checkboxradio( "refresh" ) on such a widget and the initial HTML contained encoded HTML entities, they will erroneously get decoded. This can lead to potentially executing JavaScript code.

For example, starting with the following initial secure HTML:
<label>
	<input id="test-input">
	&lt;img src=x onerror="alert(1)"&gt;
</label>
and calling:
$( "#test-input" ).checkboxradio();
$( "#test-input" ).checkboxradio( "refresh" );
will turn the initial HTML into:
<label>
	
	<input id="test-input">
	<img src=x onerror="alert(1)">
</label>
and the alert will get executed.

Patches

The bug has been patched in jQuery UI 1.13.2.

Workarounds

To remediate the issue, if you can change the initial HTML, you can wrap all the non-input contents of the label in a span:
<label>
	<input id="test-input">
	<span>&lt;img src=x onerror="alert(1)"&gt;</span>
</label>
References

https://blog.jqueryui.com/2022/07/jquery-ui-1-13-2-released/

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.12.0`
Fixed version	`1.12.0`
CVSS Score	`6.1`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N`
EPSS Score	`1.397%`
EPSS Percentile	`80th percentile`

Description

Affected versions of jquery-ui are vulnerable to a cross-site scripting vulnerability when arbitrary user input is supplied as the value of the closeText parameter in the dialog function.

jQuery-UI is a library for manipulating UI elements via jQuery.

Version 1.11.4 has a cross site scripting (XSS) vulnerability in the closeText parameter of the dialog function. If your application passes user input to this parameter, it may be vulnerable to XSS via this attack vector.

Recommendation

Upgrade to jQuery-UI 1.12.0 or later.

OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

Affected range	`<=1.11.4`
Fixed version	`1.12.0`

Description

jQuery-UI has a cross site scripting (XSS) vulnerability in the closeText parameter of the dialog function. If your application passes user input to this parameter, it may be vulnerable to XSS via this attack vector.

github-actions · 2026-01-28T03:28:12Z

Recommended fixes for image (linux/arm/v5) `ghcr.io/jlp04/elevation-generator:test`

Base image is debian:latest

Name	13.3
Digest	sha256:9c6f0ddc0d42a4a988ed1b7355995b442258fd1e3f7eb4f5ad70739a18ac2978
Vulnerabilities
Pushed	2 weeks ago
Size	47 MB
Packages	112
OS	13.3

The base image is also available under the supported tag(s): 13, 13.3, trixie, trixie-20260112

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

✅ There are no tag recommendations at this time.

github-actions · 2026-01-28T03:28:34Z

Overview

Image reference	`jlp04/elevation-generator:latest`	`ghcr.io/jlp04/elevation-generator:test`
- digest	`07cc15226157`	`25a1dfe08cea`
- tag	`latest`	`test`
- provenance	https://github.com/JLP04/docker-elevation-generator.git#refs/pull/10/merge/commit/4a2cc7daafb000b33b63d0cdd546cf4d8af2098d	https://github.com/JLP04/docker-elevation-generator.git#570648b54d6b3dbe2d0fe6caedf0f77c1b8d47f2/commit/570648b54d6b3dbe2d0fe6caedf0f77c1b8d47f2
- vulnerabilities
- platform	linux/arm	linux/arm
- size	9.4 GB	9.4 GB (+470 kB)
- packages	944	944
Base Image	`debian:latest` also known as: • `13` • `trixie`	`debian:latest` also known as: • `13` • `13.3` • `trixie` • `trixie-20260112`
- vulnerabilities

Packages and Vulnerabilities (55 package changes and 6 vulnerability changes)

➕ 7 packages added

➖ 7 packages removed

♾️ 41 packages changed

550 packages unchanged

✔️ 6 vulnerabilities removed

Changes for packages of type deb (41 changes)

	Package	Version `jlp04/elevation-generator:latest`	Version `ghcr.io/jlp04/elevation-generator:test`
♾️	base-files	`13.8+deb13u2`	`13.8+deb13u3`
♾️	bash	`5.2.37-2+b5`	`5.2.37-2+b7`
♾️	comerr-dev	`2.1-1.47.2-3+b3`	`2.1-1.47.2-3+b7`
♾️	gir1.2-glib-2.0	`2.84.4-3~deb13u1`	`2.84.4-3~deb13u2`
♾️	gir1.2-glib-2.0-dev	`2.84.4-3~deb13u1`	`2.84.4-3~deb13u2`
♾️	girepository-tools	`2.84.4-3~deb13u1`	`2.84.4-3~deb13u2`
♾️	libavcodec-dev	`7:7.1.2-0+deb13u1`	`7:7.1.3-0+deb13u1`
♾️	libavcodec61	`7:7.1.2-0+deb13u1`	`7:7.1.3-0+deb13u1`
♾️	libavformat-dev	`7:7.1.2-0+deb13u1`	`7:7.1.3-0+deb13u1`
♾️	libavformat61	`7:7.1.2-0+deb13u1`	`7:7.1.3-0+deb13u1`
♾️	libavutil-dev	`7:7.1.2-0+deb13u1`	`7:7.1.3-0+deb13u1`
♾️	libavutil59	`7:7.1.2-0+deb13u1`	`7:7.1.3-0+deb13u1`
♾️	libc-bin	`2.41-12`	`2.41-12+deb13u1`
♾️	libc-dev-bin	`2.41-12`	`2.41-12+deb13u1`
♾️	libc6	`2.41-12`	`2.41-12+deb13u1`
♾️	libc6-dev	`2.41-12`	`2.41-12+deb13u1`
♾️	libcap-dev	`1:2.75-10+b1`	`1:2.75-10+b3`
♾️	libcap2	`1:2.75-10+b1`	`1:2.75-10+b3`
♾️	libcom-err2	`1.47.2-3+b3`	`1.47.2-3+b7`
♾️	libgio-2.0-dev	`2.84.4-3~deb13u1`	`2.84.4-3~deb13u2`
♾️	libgio-2.0-dev-bin	`2.84.4-3~deb13u1`	`2.84.4-3~deb13u2`
♾️	libgirepository-2.0-0	`2.84.4-3~deb13u1`	`2.84.4-3~deb13u2`
♾️	libglib2.0-0t64	`2.84.4-3~deb13u1`	`2.84.4-3~deb13u2`
♾️	libglib2.0-bin	`2.84.4-3~deb13u1`	`2.84.4-3~deb13u2`
♾️	libglib2.0-data	`2.84.4-3~deb13u1`	`2.84.4-3~deb13u2`
♾️	libglib2.0-dev	`2.84.4-3~deb13u1`	`2.84.4-3~deb13u2`
♾️	libglib2.0-dev-bin	`2.84.4-3~deb13u1`	`2.84.4-3~deb13u2`
♾️	libgnutls-dane0t64	`3.8.9-3`	`3.8.9-3+deb13u1`
♾️	libgnutls-openssl27t64	`3.8.9-3`	`3.8.9-3+deb13u1`
♾️	libgnutls28-dev	`3.8.9-3`	`3.8.9-3+deb13u1`
♾️	libgnutls30t64	`3.8.9-3`	`3.8.9-3+deb13u1`

		Removed vulnerabilities (1):
♾️	libmbedcrypto16	`3.6.4-2`	`3.6.5-0.1~deb13u1`
♾️	libpng-dev	`1.6.48-1`	`1.6.48-1+deb13u1`
♾️	libpng16-16t64	`1.6.48-1`	`1.6.48-1+deb13u1`

		Removed vulnerabilities (5):
♾️	libsodium23	`1.0.18-1+b2`	`1.0.18-1+deb13u1`
♾️	libswresample-dev	`7:7.1.2-0+deb13u1`	`7:7.1.3-0+deb13u1`
♾️	libswresample5	`7:7.1.2-0+deb13u1`	`7:7.1.3-0+deb13u1`
♾️	libswscale-dev	`7:7.1.2-0+deb13u1`	`7:7.1.3-0+deb13u1`
♾️	libswscale8	`7:7.1.2-0+deb13u1`	`7:7.1.3-0+deb13u1`
♾️	linux-libc-dev	`6.12.57-1`	`6.12.63-1`
♾️	sqv	`1.3.0-3`	`1.3.0-3+b2`

Changes for packages of type golang (14 changes)

	Package	Version `jlp04/elevation-generator:latest`	Version `ghcr.io/jlp04/elevation-generator:test`
➕	github.com/cespare/xxhash/v2		`2.3.0`
➖	github.com/cespare/xxhash/v2	`2.3.0`
➖	github.com/cpuguy83/go-md2man/v2	`2.0.7`
➕	github.com/cpuguy83/go-md2man/v2		`2.0.7`
➕	github.com/russross/blackfriday/v2		`2.1.0`
➖	github.com/russross/blackfriday/v2	`2.1.0`
➖	github.com/schollz/cli/v2	`2.2.1`
➕	github.com/schollz/cli/v2		`2.2.1`
➕	github.com/schollz/croc/v10		`UNKNOWN`
➖	github.com/schollz/croc/v10	`UNKNOWN`
➖	github.com/schollz/pake/v3	`3.1.0`
➕	github.com/schollz/pake/v3		`3.1.0`
➕	github.com/schollz/progressbar/v3		`3.18.0`
➖	github.com/schollz/progressbar/v3	`3.18.0`

github-actions · 2026-01-28T03:28:52Z


Your image	`ghcr.io/jlp04/elevation-generator:test`
Current base image	`debian:latest`

github-actions · 2026-01-28T03:28:57Z

🔍 Vulnerabilities of `ghcr.io/jlp04/elevation-generator:test`

📦 Image Reference ghcr.io/jlp04/elevation-generator:test

digest	`sha256:99330a9769f7f0e7df330f0e8a0e7e52daa0d9fa7698317984ac60e65f198926`
vulnerabilities
platform	linux/arm/v7
size	9.4 GB
packages	943

📦 Base Image debian:13

also known as	`13.3` `latest` `trixie` `trixie-20260112`
digest	`sha256:176e723940de737547aa302349e2d207a6b956c3b08e14998c35492a858b01d6`
vulnerabilities

stdlib 1.25.4 (golang)

pkg:golang/stdlib@1.25.4

# Dockerfile (241:241)
RUN set -o pipefail && curl https://getcroc.schollz.com | bash || curl https://getcroc.schollz.com | sed 's^croc_base_url="https://github.com/schollz/croc/releases/download"^croc_base_url="file://"^g' | bash

Affected range	`>=1.25.0 <1.25.5`
Fixed version	`1.25.5`
EPSS Score	`0.017%`
EPSS Percentile	`3rd percentile`

Description

Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a malicious actor can result in excessive resource consumption.

Affected range	`>=1.25.0 <1.25.5`
Fixed version	`1.25.5`
EPSS Score	`0.010%`
EPSS Percentile	`1st percentile`

Description

An excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard SANs in the leaf certificate. For example a constraint that excludes the subdomain test.example.com does not prevent a leaf certificate from claiming the SAN *.example.com.

jquery-ui 1.11.2 (npm)

pkg:npm/jquery-ui@1.11.2

# Dockerfile (227:227)
COPY --from=build /tmp/install /flightgear/script/dnc-managed/install

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.13.0`
Fixed version	`1.13.0`
CVSS Score	`6.5`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N`
EPSS Score	`22.535%`
EPSS Percentile	`96th percentile`

Description

Impact

Accepting the value of the of option of the .position() util from untrusted sources may execute untrusted code. For example, invoking the following code:
$( "#element" ).position( {
	my: "left top",
	at: "right bottom",
	of: "<img onerror='doEvilThing()' src='/404' />",
	collision: "none"
} );
will call the doEvilThing() function.

Patches

The issue is fixed in jQuery UI 1.13.0. Any string value passed to the of option is now treated as a CSS selector.

Workarounds

A workaround is to not accept the value of the of option from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.13.0`
Fixed version	`1.13.0`
CVSS Score	`6.5`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N`
EPSS Score	`2.937%`
EPSS Percentile	`86th percentile`

Description

Impact

Accepting the value of various *Text options of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker in the following way:
$( "#datepicker" ).datepicker( {
	showButtonPanel: true,
	showOn: "both",
	closeText: "<script>doEvilThing( 'closeText XSS' )</script>",
	currentText: "<script>doEvilThing( 'currentText XSS' )</script>",
	prevText: "<script>doEvilThing( 'prevText XSS' )</script>",
	nextText: "<script>doEvilThing( 'nextText XSS' )</script>",
	buttonText: "<script>doEvilThing( 'buttonText XSS' )</script>",
	appendText: "<script>doEvilThing( 'appendText XSS' )</script>",
} );
will call doEvilThing with 6 different parameters coming from all *Text options.

Patches

The issue is fixed in jQuery UI 1.13.0. The values passed to various *Text options are now always treated as pure text, not HTML.

Workarounds

A workaround is to not accept the value of the *Text options from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.13.0`
Fixed version	`1.13.0`
CVSS Score	`6.5`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N`
EPSS Score	`20.555%`
EPSS Percentile	`95th percentile`

Description

Impact

Accepting the value of the altField option of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker in the following way:
$( "#datepicker" ).datepicker( {
	altField: "<img onerror='doEvilThing()' src='/404' />",
} );
will call the doEvilThing function.

Patches

The issue is fixed in jQuery UI 1.13.0. Any string value passed to the altField option is now treated as a CSS selector.

Workarounds

A workaround is to not accept the value of the altField option from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.13.2`
Fixed version	`1.13.2`
CVSS Score	`6.1`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N`
EPSS Score	`10.183%`
EPSS Percentile	`93rd percentile`

Description

Impact

Initializing a checkboxradio widget on an input enclosed within a label makes that parent label contents considered as the input label. If you call .checkboxradio( "refresh" ) on such a widget and the initial HTML contained encoded HTML entities, they will erroneously get decoded. This can lead to potentially executing JavaScript code.

For example, starting with the following initial secure HTML:
<label>
	<input id="test-input">
	&lt;img src=x onerror="alert(1)"&gt;
</label>
and calling:
$( "#test-input" ).checkboxradio();
$( "#test-input" ).checkboxradio( "refresh" );
will turn the initial HTML into:
<label>
	
	<input id="test-input">
	<img src=x onerror="alert(1)">
</label>
and the alert will get executed.

Patches

The bug has been patched in jQuery UI 1.13.2.

Workarounds

To remediate the issue, if you can change the initial HTML, you can wrap all the non-input contents of the label in a span:
<label>
	<input id="test-input">
	<span>&lt;img src=x onerror="alert(1)"&gt;</span>
</label>
References

https://blog.jqueryui.com/2022/07/jquery-ui-1-13-2-released/

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.12.0`
Fixed version	`1.12.0`
CVSS Score	`6.1`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N`
EPSS Score	`1.397%`
EPSS Percentile	`80th percentile`

Description

Affected versions of jquery-ui are vulnerable to a cross-site scripting vulnerability when arbitrary user input is supplied as the value of the closeText parameter in the dialog function.

jQuery-UI is a library for manipulating UI elements via jQuery.

Version 1.11.4 has a cross site scripting (XSS) vulnerability in the closeText parameter of the dialog function. If your application passes user input to this parameter, it may be vulnerable to XSS via this attack vector.

Recommendation

Upgrade to jQuery-UI 1.12.0 or later.

OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

Affected range	`<=1.11.4`
Fixed version	`1.12.0`

Description

jQuery-UI has a cross site scripting (XSS) vulnerability in the closeText parameter of the dialog function. If your application passes user input to this parameter, it may be vulnerable to XSS via this attack vector.

github-actions · 2026-01-28T03:29:00Z

Recommended fixes for image (linux/arm/v7) `ghcr.io/jlp04/elevation-generator:test`

Base image is debian:latest

Name	13.3
Digest	sha256:176e723940de737547aa302349e2d207a6b956c3b08e14998c35492a858b01d6
Vulnerabilities
Pushed	2 weeks ago
Size	46 MB
Packages	111
OS	13.3

The base image is also available under the supported tag(s): 13, 13.3, trixie, trixie-20260112

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

✅ There are no tag recommendations at this time.

github-actions · 2026-01-28T03:29:26Z

Overview

Image reference	`jlp04/elevation-generator:latest`	`ghcr.io/jlp04/elevation-generator:test`
- digest	`fe35696769f4`	`99330a9769f7`
- tag	`latest`	`test`
- provenance	https://github.com/JLP04/docker-elevation-generator.git#refs/pull/10/merge/commit/4a2cc7daafb000b33b63d0cdd546cf4d8af2098d	https://github.com/JLP04/docker-elevation-generator.git#570648b54d6b3dbe2d0fe6caedf0f77c1b8d47f2/commit/570648b54d6b3dbe2d0fe6caedf0f77c1b8d47f2
- vulnerabilities
- platform	linux/arm	linux/arm
- size	9.4 GB	9.4 GB (+2.7 MB)
- packages	943	943
Base Image	`debian:latest` also known as: • `13` • `trixie`	`debian:latest` also known as: • `13` • `13.3` • `trixie` • `trixie-20260112`
- vulnerabilities

Packages and Vulnerabilities (59 package changes and 6 vulnerability changes)

➕ 7 packages added

➖ 7 packages removed

♾️ 45 packages changed

546 packages unchanged

✔️ 6 vulnerabilities removed

Changes for packages of type deb (45 changes)

	Package	Version `jlp04/elevation-generator:latest`	Version `ghcr.io/jlp04/elevation-generator:test`
♾️	base-files	`13.8+deb13u2`	`13.8+deb13u3`
♾️	bash	`5.2.37-2+b5`	`5.2.37-2+b7`
♾️	comerr-dev	`2.1-1.47.2-3+b3`	`2.1-1.47.2-3+b7`
♾️	gir1.2-glib-2.0	`2.84.4-3~deb13u1`	`2.84.4-3~deb13u2`
♾️	gir1.2-glib-2.0-dev	`2.84.4-3~deb13u1`	`2.84.4-3~deb13u2`
♾️	girepository-tools	`2.84.4-3~deb13u1`	`2.84.4-3~deb13u2`
♾️	libavcodec-dev	`7:7.1.2-0+deb13u1`	`7:7.1.3-0+deb13u1`
♾️	libavcodec61	`7:7.1.2-0+deb13u1`	`7:7.1.3-0+deb13u1`
♾️	libavformat-dev	`7:7.1.2-0+deb13u1`	`7:7.1.3-0+deb13u1`
♾️	libavformat61	`7:7.1.2-0+deb13u1`	`7:7.1.3-0+deb13u1`
♾️	libavutil-dev	`7:7.1.2-0+deb13u1`	`7:7.1.3-0+deb13u1`
♾️	libavutil59	`7:7.1.2-0+deb13u1`	`7:7.1.3-0+deb13u1`
♾️	libc-bin	`2.41-12`	`2.41-12+deb13u1`
♾️	libc-dev-bin	`2.41-12`	`2.41-12+deb13u1`
♾️	libc6	`2.41-12`	`2.41-12+deb13u1`
♾️	libc6-dev	`2.41-12`	`2.41-12+deb13u1`
♾️	libcap-dev	`1:2.75-10+b1`	`1:2.75-10+b3`
♾️	libcap2	`1:2.75-10+b1`	`1:2.75-10+b3`
♾️	libcom-err2	`1.47.2-3+b3`	`1.47.2-3+b7`
♾️	libgio-2.0-dev	`2.84.4-3~deb13u1`	`2.84.4-3~deb13u2`
♾️	libgio-2.0-dev-bin	`2.84.4-3~deb13u1`	`2.84.4-3~deb13u2`
♾️	libgirepository-2.0-0	`2.84.4-3~deb13u1`	`2.84.4-3~deb13u2`
♾️	libglib2.0-0t64	`2.84.4-3~deb13u1`	`2.84.4-3~deb13u2`
♾️	libglib2.0-bin	`2.84.4-3~deb13u1`	`2.84.4-3~deb13u2`
♾️	libglib2.0-data	`2.84.4-3~deb13u1`	`2.84.4-3~deb13u2`
♾️	libglib2.0-dev	`2.84.4-3~deb13u1`	`2.84.4-3~deb13u2`
♾️	libglib2.0-dev-bin	`2.84.4-3~deb13u1`	`2.84.4-3~deb13u2`
♾️	libgnutls-dane0t64	`3.8.9-3`	`3.8.9-3+deb13u1`
♾️	libgnutls-openssl27t64	`3.8.9-3`	`3.8.9-3+deb13u1`
♾️	libgnutls28-dev	`3.8.9-3`	`3.8.9-3+deb13u1`
♾️	libgnutls30t64	`3.8.9-3`	`3.8.9-3+deb13u1`

		Removed vulnerabilities (1):
♾️	libmbedcrypto16	`3.6.4-2`	`3.6.5-0.1~deb13u1`
♾️	libpng-dev	`1.6.48-1`	`1.6.48-1+deb13u1`
♾️	libpng16-16t64	`1.6.48-1`	`1.6.48-1+deb13u1`

		Removed vulnerabilities (5):
♾️	libsodium23	`1.0.18-1+b2`	`1.0.18-1+deb13u1`
♾️	libssl-dev	`3.5.4-1~deb13u1`	`3.5.4-1~deb13u2`
♾️	libssl3t64	`3.5.4-1~deb13u1`	`3.5.4-1~deb13u2`
♾️	libswresample-dev	`7:7.1.2-0+deb13u1`	`7:7.1.3-0+deb13u1`
♾️	libswresample5	`7:7.1.2-0+deb13u1`	`7:7.1.3-0+deb13u1`
♾️	libswscale-dev	`7:7.1.2-0+deb13u1`	`7:7.1.3-0+deb13u1`
♾️	libswscale8	`7:7.1.2-0+deb13u1`	`7:7.1.3-0+deb13u1`
♾️	linux-libc-dev	`6.12.57-1`	`6.12.63-1`
♾️	openssl	`3.5.4-1~deb13u1`	`3.5.4-1~deb13u2`
♾️	openssl-provider-legacy	`3.5.4-1~deb13u1`	`3.5.4-1~deb13u2`
♾️	sqv	`1.3.0-3`	`1.3.0-3+b2`

Changes for packages of type golang (14 changes)

	Package	Version `jlp04/elevation-generator:latest`	Version `ghcr.io/jlp04/elevation-generator:test`
➖	github.com/cespare/xxhash/v2	`2.3.0`
➕	github.com/cespare/xxhash/v2		`2.3.0`
➕	github.com/cpuguy83/go-md2man/v2		`2.0.7`
➖	github.com/cpuguy83/go-md2man/v2	`2.0.7`
➖	github.com/russross/blackfriday/v2	`2.1.0`
➕	github.com/russross/blackfriday/v2		`2.1.0`
➖	github.com/schollz/cli/v2	`2.2.1`
➕	github.com/schollz/cli/v2		`2.2.1`
➕	github.com/schollz/croc/v10		`UNKNOWN`
➖	github.com/schollz/croc/v10	`UNKNOWN`
➕	github.com/schollz/pake/v3		`3.1.0`
➖	github.com/schollz/pake/v3	`3.1.0`
➖	github.com/schollz/progressbar/v3	`3.18.0`
➕	github.com/schollz/progressbar/v3		`3.18.0`

github-actions · 2026-01-28T03:29:46Z


Your image	`ghcr.io/jlp04/elevation-generator:test`
Current base image	`debian:latest`

github-actions · 2026-01-28T03:29:51Z

🔍 Vulnerabilities of `ghcr.io/jlp04/elevation-generator:test`

📦 Image Reference ghcr.io/jlp04/elevation-generator:test

digest	`sha256:9433d543bca16ac9a0685ebe629146e460f5022160b2f11042f3822b6e45455d`
vulnerabilities
platform	linux/arm64
size	9.4 GB
packages	957

📦 Base Image debian:13

also known as	`13.3` `latest` `trixie` `trixie-20260112`
digest	`sha256:319a89a0771bdd43f2a26108df05524ebf8ef5ddb368364f51a0bd00854532ed`
vulnerabilities

stdlib 1.25.4 (golang)

pkg:golang/stdlib@1.25.4

# Dockerfile (241:241)
RUN set -o pipefail && curl https://getcroc.schollz.com | bash || curl https://getcroc.schollz.com | sed 's^croc_base_url="https://github.com/schollz/croc/releases/download"^croc_base_url="file://"^g' | bash

Affected range	`>=1.25.0 <1.25.5`
Fixed version	`1.25.5`
EPSS Score	`0.017%`
EPSS Percentile	`3rd percentile`

Description

Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a malicious actor can result in excessive resource consumption.

Affected range	`>=1.25.0 <1.25.5`
Fixed version	`1.25.5`
EPSS Score	`0.010%`
EPSS Percentile	`1st percentile`

Description

An excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard SANs in the leaf certificate. For example a constraint that excludes the subdomain test.example.com does not prevent a leaf certificate from claiming the SAN *.example.com.

jquery-ui 1.11.2 (npm)

pkg:npm/jquery-ui@1.11.2

# Dockerfile (227:227)
COPY --from=build /tmp/install /flightgear/script/dnc-managed/install

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.13.0`
Fixed version	`1.13.0`
CVSS Score	`6.5`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N`
EPSS Score	`22.535%`
EPSS Percentile	`96th percentile`

Description

Impact

Accepting the value of the of option of the .position() util from untrusted sources may execute untrusted code. For example, invoking the following code:
$( "#element" ).position( {
	my: "left top",
	at: "right bottom",
	of: "<img onerror='doEvilThing()' src='/404' />",
	collision: "none"
} );
will call the doEvilThing() function.

Patches

The issue is fixed in jQuery UI 1.13.0. Any string value passed to the of option is now treated as a CSS selector.

Workarounds

A workaround is to not accept the value of the of option from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.13.0`
Fixed version	`1.13.0`
CVSS Score	`6.5`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N`
EPSS Score	`2.937%`
EPSS Percentile	`86th percentile`

Description

Impact

Accepting the value of various *Text options of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker in the following way:
$( "#datepicker" ).datepicker( {
	showButtonPanel: true,
	showOn: "both",
	closeText: "<script>doEvilThing( 'closeText XSS' )</script>",
	currentText: "<script>doEvilThing( 'currentText XSS' )</script>",
	prevText: "<script>doEvilThing( 'prevText XSS' )</script>",
	nextText: "<script>doEvilThing( 'nextText XSS' )</script>",
	buttonText: "<script>doEvilThing( 'buttonText XSS' )</script>",
	appendText: "<script>doEvilThing( 'appendText XSS' )</script>",
} );
will call doEvilThing with 6 different parameters coming from all *Text options.

Patches

The issue is fixed in jQuery UI 1.13.0. The values passed to various *Text options are now always treated as pure text, not HTML.

Workarounds

A workaround is to not accept the value of the *Text options from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.13.0`
Fixed version	`1.13.0`
CVSS Score	`6.5`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N`
EPSS Score	`20.555%`
EPSS Percentile	`95th percentile`

Description

Impact

Accepting the value of the altField option of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker in the following way:
$( "#datepicker" ).datepicker( {
	altField: "<img onerror='doEvilThing()' src='/404' />",
} );
will call the doEvilThing function.

Patches

The issue is fixed in jQuery UI 1.13.0. Any string value passed to the altField option is now treated as a CSS selector.

Workarounds

A workaround is to not accept the value of the altField option from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.13.2`
Fixed version	`1.13.2`
CVSS Score	`6.1`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N`
EPSS Score	`10.183%`
EPSS Percentile	`93rd percentile`

Description

Impact

Initializing a checkboxradio widget on an input enclosed within a label makes that parent label contents considered as the input label. If you call .checkboxradio( "refresh" ) on such a widget and the initial HTML contained encoded HTML entities, they will erroneously get decoded. This can lead to potentially executing JavaScript code.

For example, starting with the following initial secure HTML:
<label>
	<input id="test-input">
	&lt;img src=x onerror="alert(1)"&gt;
</label>
and calling:
$( "#test-input" ).checkboxradio();
$( "#test-input" ).checkboxradio( "refresh" );
will turn the initial HTML into:
<label>
	
	<input id="test-input">
	<img src=x onerror="alert(1)">
</label>
and the alert will get executed.

Patches

The bug has been patched in jQuery UI 1.13.2.

Workarounds

To remediate the issue, if you can change the initial HTML, you can wrap all the non-input contents of the label in a span:
<label>
	<input id="test-input">
	<span>&lt;img src=x onerror="alert(1)"&gt;</span>
</label>
References

https://blog.jqueryui.com/2022/07/jquery-ui-1-13-2-released/

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.12.0`
Fixed version	`1.12.0`
CVSS Score	`6.1`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N`
EPSS Score	`1.397%`
EPSS Percentile	`80th percentile`

Description

Affected versions of jquery-ui are vulnerable to a cross-site scripting vulnerability when arbitrary user input is supplied as the value of the closeText parameter in the dialog function.

jQuery-UI is a library for manipulating UI elements via jQuery.

Version 1.11.4 has a cross site scripting (XSS) vulnerability in the closeText parameter of the dialog function. If your application passes user input to this parameter, it may be vulnerable to XSS via this attack vector.

Recommendation

Upgrade to jQuery-UI 1.12.0 or later.

OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

Affected range	`<=1.11.4`
Fixed version	`1.12.0`

Description

jQuery-UI has a cross site scripting (XSS) vulnerability in the closeText parameter of the dialog function. If your application passes user input to this parameter, it may be vulnerable to XSS via this attack vector.

github-actions · 2026-01-28T03:29:55Z

Recommended fixes for image (linux/arm64) `ghcr.io/jlp04/elevation-generator:test`

Base image is debian:latest

Name	13.3
Digest	sha256:319a89a0771bdd43f2a26108df05524ebf8ef5ddb368364f51a0bd00854532ed
Vulnerabilities
Pushed	2 weeks ago
Size	50 MB
Packages	111
OS	13.3

The base image is also available under the supported tag(s): 13, 13.3, trixie, trixie-20260112

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

✅ There are no tag recommendations at this time.

github-actions · 2026-01-28T03:30:18Z

Overview

Image reference	`jlp04/elevation-generator:latest`	`ghcr.io/jlp04/elevation-generator:test`
- digest	`f04dbd183349`	`9433d543bca1`
- tag	`latest`	`test`
- provenance	https://github.com/JLP04/docker-elevation-generator.git#refs/pull/10/merge/commit/4a2cc7daafb000b33b63d0cdd546cf4d8af2098d	https://github.com/JLP04/docker-elevation-generator.git#570648b54d6b3dbe2d0fe6caedf0f77c1b8d47f2/commit/570648b54d6b3dbe2d0fe6caedf0f77c1b8d47f2
- vulnerabilities
- platform	linux/arm64	linux/arm64
- size	9.4 GB	9.4 GB (+422 kB)
- packages	957	957
Base Image	`debian:latest` also known as: • `13` • `trixie`	`debian:latest` also known as: • `13` • `13.3` • `trixie` • `trixie-20260112`
- vulnerabilities

Packages and Vulnerabilities (55 package changes and 6 vulnerability changes)

➕ 7 packages added

➖ 7 packages removed

♾️ 41 packages changed

556 packages unchanged

✔️ 6 vulnerabilities removed

Changes for packages of type deb (41 changes)

	Package	Version `jlp04/elevation-generator:latest`	Version `ghcr.io/jlp04/elevation-generator:test`
♾️	base-files	`13.8+deb13u2`	`13.8+deb13u3`
♾️	bash	`5.2.37-2+b5`	`5.2.37-2+b7`
♾️	comerr-dev	`2.1-1.47.2-3+b3`	`2.1-1.47.2-3+b7`
♾️	gir1.2-glib-2.0	`2.84.4-3~deb13u1`	`2.84.4-3~deb13u2`
♾️	gir1.2-glib-2.0-dev	`2.84.4-3~deb13u1`	`2.84.4-3~deb13u2`
♾️	girepository-tools	`2.84.4-3~deb13u1`	`2.84.4-3~deb13u2`
♾️	libavcodec-dev	`7:7.1.2-0+deb13u1`	`7:7.1.3-0+deb13u1`
♾️	libavcodec61	`7:7.1.2-0+deb13u1`	`7:7.1.3-0+deb13u1`
♾️	libavformat-dev	`7:7.1.2-0+deb13u1`	`7:7.1.3-0+deb13u1`
♾️	libavformat61	`7:7.1.2-0+deb13u1`	`7:7.1.3-0+deb13u1`
♾️	libavutil-dev	`7:7.1.2-0+deb13u1`	`7:7.1.3-0+deb13u1`
♾️	libavutil59	`7:7.1.2-0+deb13u1`	`7:7.1.3-0+deb13u1`
♾️	libc-bin	`2.41-12`	`2.41-12+deb13u1`
♾️	libc-dev-bin	`2.41-12`	`2.41-12+deb13u1`
♾️	libc6	`2.41-12`	`2.41-12+deb13u1`
♾️	libc6-dev	`2.41-12`	`2.41-12+deb13u1`
♾️	libcap-dev	`1:2.75-10+b1`	`1:2.75-10+b3`
♾️	libcap2	`1:2.75-10+b1`	`1:2.75-10+b3`
♾️	libcom-err2	`1.47.2-3+b3`	`1.47.2-3+b7`
♾️	libgio-2.0-dev	`2.84.4-3~deb13u1`	`2.84.4-3~deb13u2`
♾️	libgio-2.0-dev-bin	`2.84.4-3~deb13u1`	`2.84.4-3~deb13u2`
♾️	libgirepository-2.0-0	`2.84.4-3~deb13u1`	`2.84.4-3~deb13u2`
♾️	libglib2.0-0t64	`2.84.4-3~deb13u1`	`2.84.4-3~deb13u2`
♾️	libglib2.0-bin	`2.84.4-3~deb13u1`	`2.84.4-3~deb13u2`
♾️	libglib2.0-data	`2.84.4-3~deb13u1`	`2.84.4-3~deb13u2`
♾️	libglib2.0-dev	`2.84.4-3~deb13u1`	`2.84.4-3~deb13u2`
♾️	libglib2.0-dev-bin	`2.84.4-3~deb13u1`	`2.84.4-3~deb13u2`
♾️	libgnutls-dane0t64	`3.8.9-3`	`3.8.9-3+deb13u1`
♾️	libgnutls-openssl27t64	`3.8.9-3`	`3.8.9-3+deb13u1`
♾️	libgnutls28-dev	`3.8.9-3`	`3.8.9-3+deb13u1`
♾️	libgnutls30t64	`3.8.9-3`	`3.8.9-3+deb13u1`

		Removed vulnerabilities (1):
♾️	libmbedcrypto16	`3.6.4-2`	`3.6.5-0.1~deb13u1`
♾️	libpng-dev	`1.6.48-1`	`1.6.48-1+deb13u1`
♾️	libpng16-16t64	`1.6.48-1`	`1.6.48-1+deb13u1`

		Removed vulnerabilities (5):
♾️	libsodium23	`1.0.18-1+b2`	`1.0.18-1+deb13u1`
♾️	libswresample-dev	`7:7.1.2-0+deb13u1`	`7:7.1.3-0+deb13u1`
♾️	libswresample5	`7:7.1.2-0+deb13u1`	`7:7.1.3-0+deb13u1`
♾️	libswscale-dev	`7:7.1.2-0+deb13u1`	`7:7.1.3-0+deb13u1`
♾️	libswscale8	`7:7.1.2-0+deb13u1`	`7:7.1.3-0+deb13u1`
♾️	linux-libc-dev	`6.12.57-1`	`6.12.63-1`
♾️	sqv	`1.3.0-3`	`1.3.0-3+b2`

Changes for packages of type golang (14 changes)

	Package	Version `jlp04/elevation-generator:latest`	Version `ghcr.io/jlp04/elevation-generator:test`
➖	github.com/cespare/xxhash/v2	`2.3.0`
➕	github.com/cespare/xxhash/v2		`2.3.0`
➖	github.com/cpuguy83/go-md2man/v2	`2.0.7`
➕	github.com/cpuguy83/go-md2man/v2		`2.0.7`
➖	github.com/russross/blackfriday/v2	`2.1.0`
➕	github.com/russross/blackfriday/v2		`2.1.0`
➖	github.com/schollz/cli/v2	`2.2.1`
➕	github.com/schollz/cli/v2		`2.2.1`
➖	github.com/schollz/croc/v10	`UNKNOWN`
➕	github.com/schollz/croc/v10		`UNKNOWN`
➖	github.com/schollz/pake/v3	`3.1.0`
➕	github.com/schollz/pake/v3		`3.1.0`
➖	github.com/schollz/progressbar/v3	`3.18.0`
➕	github.com/schollz/progressbar/v3		`3.18.0`

github-actions · 2026-01-28T03:30:37Z


Your image	`ghcr.io/jlp04/elevation-generator:test`
Current base image	`debian:latest`

github-actions · 2026-01-28T03:30:42Z

🔍 Vulnerabilities of `ghcr.io/jlp04/elevation-generator:test`

📦 Image Reference ghcr.io/jlp04/elevation-generator:test

digest	`sha256:c6b6814e04239b5bb4d68a330fc5dcf016ee56768e27687c3abfc70b0a4829ce`
vulnerabilities
platform	linux/ppc64le
size	9.4 GB
packages	953

📦 Base Image debian:latest

also known as	`trixie` `trixie-20260112`
digest	`sha256:403a54b09148ddc6ca1897983c51e0e29e7891da3d7db600b5d309481e9a30f1`
vulnerabilities

stdlib 1.24.4 (golang)

pkg:golang/stdlib@1.24.4

# Dockerfile (241:241)
RUN set -o pipefail && curl https://getcroc.schollz.com | bash || curl https://getcroc.schollz.com | sed 's^croc_base_url="https://github.com/schollz/croc/releases/download"^croc_base_url="file://"^g' | bash

Affected range	`<1.24.11`
Fixed version	`1.24.11`
EPSS Score	`0.017%`
EPSS Percentile	`3rd percentile`

Description

Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a malicious actor can result in excessive resource consumption.

Affected range	`<1.24.8`
Fixed version	`1.24.8`
EPSS Score	`0.031%`
EPSS Percentile	`8th percentile`

Description

The ParseAddress function constructs domain-literal address components through repeated string concatenation. When parsing large domain-literal components, this can cause excessive CPU consumption.

Affected range	`<1.24.8`
Fixed version	`1.24.8`
EPSS Score	`0.031%`
EPSS Percentile	`8th percentile`

Description

The processing time for parsing some invalid inputs scales non-linearly with respect to the size of the input.

This affects programs which parse untrusted PEM inputs.

Affected range	`<1.24.8`
Fixed version	`1.24.8`
EPSS Score	`0.016%`
EPSS Percentile	`3rd percentile`

Description

Validating certificate chains which contain DSA public keys can cause programs to panic, due to a interface cast that assumes they implement the Equal method.

This affects programs which validate arbitrary certificate chains.

Affected range	`<1.24.9`
Fixed version	`1.24.9`
EPSS Score	`0.016%`
EPSS Percentile	`3rd percentile`

Description

Due to the design of the name constraint checking algorithm, the processing time of some inputs scale non-linearly with respect to the size of the certificate.

This affects programs which validate arbitrary certificate chains.

Affected range	`<1.24.11`
Fixed version	`1.24.11`
EPSS Score	`0.010%`
EPSS Percentile	`1st percentile`

Description

An excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard SANs in the leaf certificate. For example a constraint that excludes the subdomain test.example.com does not prevent a leaf certificate from claiming the SAN *.example.com.

Affected range	`>=1.24.0 <1.24.6`
Fixed version	`1.24.6`
EPSS Score	`0.019%`
EPSS Percentile	`4th percentile`

Description

If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to LookPath ("", ".", and ".."), can result in the binaries listed in the PATH being unexpectedly returned.

Affected range	`<1.24.8`
Fixed version	`1.24.8`
EPSS Score	`0.030%`
EPSS Percentile	`8th percentile`

Description

The Reader.ReadResponse function constructs a response string through repeated string concatenation of lines. When the number of lines in a response is large, this can cause excessive CPU consumption.

Affected range	`<1.24.8`
Fixed version	`1.24.8`
EPSS Score	`0.020%`
EPSS Percentile	`4th percentile`

Description

When Conn.Handshake fails during ALPN negotiation the error contains attacker controlled information (the ALPN protocols sent by the client) which is not escaped.

Affected range	`<1.24.8`
Fixed version	`1.24.8`
EPSS Score	`0.030%`
EPSS Percentile	`8th percentile`

Description

Despite HTTP headers having a default limit of 1MB, the number of cookies that can be parsed does not have a limit. By sending a lot of very small cookies such as "a=;", an attacker can make an HTTP server allocate a large amount of structs, causing large memory consumption.

Affected range	`<1.24.8`
Fixed version	`1.24.8`
EPSS Score	`0.034%`
EPSS Percentile	`10th percentile`

Description

Parsing a maliciously crafted DER payload could allocate large amounts of memory, causing memory exhaustion.

Affected range	`<1.24.8`
Fixed version	`1.24.8`
EPSS Score	`0.033%`
EPSS Percentile	`9th percentile`

Description

The Parse function permits values other than IPv6 addresses to be included in square brackets within the host component of a URL. RFC 3986 permits IPv6 addresses to be included within the host component, enclosed within square brackets. For example: "http://[::1]/". IPv4 addresses and hostnames must not appear within square brackets. Parse did not enforce this requirement.

Affected range	`<1.24.8`
Fixed version	`1.24.8`
EPSS Score	`0.016%`
EPSS Percentile	`3rd percentile`

Description

tar.Reader does not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A maliciously-crafted archive containing a large number of sparse regions can cause a Reader to read an unbounded amount of data from the archive into memory. When reading from a compressed source, a small compressed input can result in large allocations.

jquery-ui 1.11.2 (npm)

pkg:npm/jquery-ui@1.11.2

# Dockerfile (227:227)
COPY --from=build /tmp/install /flightgear/script/dnc-managed/install

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.13.0`
Fixed version	`1.13.0`
CVSS Score	`6.5`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N`
EPSS Score	`22.535%`
EPSS Percentile	`96th percentile`

Description

Impact

Accepting the value of the of option of the .position() util from untrusted sources may execute untrusted code. For example, invoking the following code:
$( "#element" ).position( {
	my: "left top",
	at: "right bottom",
	of: "<img onerror='doEvilThing()' src='/404' />",
	collision: "none"
} );
will call the doEvilThing() function.

Patches

The issue is fixed in jQuery UI 1.13.0. Any string value passed to the of option is now treated as a CSS selector.

Workarounds

A workaround is to not accept the value of the of option from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.13.0`
Fixed version	`1.13.0`
CVSS Score	`6.5`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N`
EPSS Score	`2.937%`
EPSS Percentile	`86th percentile`

Description

Impact

Accepting the value of various *Text options of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker in the following way:
$( "#datepicker" ).datepicker( {
	showButtonPanel: true,
	showOn: "both",
	closeText: "<script>doEvilThing( 'closeText XSS' )</script>",
	currentText: "<script>doEvilThing( 'currentText XSS' )</script>",
	prevText: "<script>doEvilThing( 'prevText XSS' )</script>",
	nextText: "<script>doEvilThing( 'nextText XSS' )</script>",
	buttonText: "<script>doEvilThing( 'buttonText XSS' )</script>",
	appendText: "<script>doEvilThing( 'appendText XSS' )</script>",
} );
will call doEvilThing with 6 different parameters coming from all *Text options.

Patches

The issue is fixed in jQuery UI 1.13.0. The values passed to various *Text options are now always treated as pure text, not HTML.

Workarounds

A workaround is to not accept the value of the *Text options from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.13.0`
Fixed version	`1.13.0`
CVSS Score	`6.5`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N`
EPSS Score	`20.555%`
EPSS Percentile	`95th percentile`

Description

Impact

Accepting the value of the altField option of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker in the following way:
$( "#datepicker" ).datepicker( {
	altField: "<img onerror='doEvilThing()' src='/404' />",
} );
will call the doEvilThing function.

Patches

The issue is fixed in jQuery UI 1.13.0. Any string value passed to the altField option is now treated as a CSS selector.

Workarounds

A workaround is to not accept the value of the altField option from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.13.2`
Fixed version	`1.13.2`
CVSS Score	`6.1`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N`
EPSS Score	`10.183%`
EPSS Percentile	`93rd percentile`

Description

Impact

Initializing a checkboxradio widget on an input enclosed within a label makes that parent label contents considered as the input label. If you call .checkboxradio( "refresh" ) on such a widget and the initial HTML contained encoded HTML entities, they will erroneously get decoded. This can lead to potentially executing JavaScript code.

For example, starting with the following initial secure HTML:
<label>
	<input id="test-input">
	&lt;img src=x onerror="alert(1)"&gt;
</label>
and calling:
$( "#test-input" ).checkboxradio();
$( "#test-input" ).checkboxradio( "refresh" );
will turn the initial HTML into:
<label>
	
	<input id="test-input">
	<img src=x onerror="alert(1)">
</label>
and the alert will get executed.

Patches

The bug has been patched in jQuery UI 1.13.2.

Workarounds

To remediate the issue, if you can change the initial HTML, you can wrap all the non-input contents of the label in a span:
<label>
	<input id="test-input">
	<span>&lt;img src=x onerror="alert(1)"&gt;</span>
</label>
References

https://blog.jqueryui.com/2022/07/jquery-ui-1-13-2-released/

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.12.0`
Fixed version	`1.12.0`
CVSS Score	`6.1`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N`
EPSS Score	`1.397%`
EPSS Percentile	`80th percentile`

Description

Affected versions of jquery-ui are vulnerable to a cross-site scripting vulnerability when arbitrary user input is supplied as the value of the closeText parameter in the dialog function.

jQuery-UI is a library for manipulating UI elements via jQuery.

Version 1.11.4 has a cross site scripting (XSS) vulnerability in the closeText parameter of the dialog function. If your application passes user input to this parameter, it may be vulnerable to XSS via this attack vector.

Recommendation

Upgrade to jQuery-UI 1.12.0 or later.

OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

Affected range	`<=1.11.4`
Fixed version	`1.12.0`

Description

jQuery-UI has a cross site scripting (XSS) vulnerability in the closeText parameter of the dialog function. If your application passes user input to this parameter, it may be vulnerable to XSS via this attack vector.

github-actions · 2026-01-28T03:30:46Z

Recommended fixes for image (linux/ppc64le) `ghcr.io/jlp04/elevation-generator:test`

Base image is debian:latest

Name	latest
Digest	sha256:403a54b09148ddc6ca1897983c51e0e29e7891da3d7db600b5d309481e9a30f1
Vulnerabilities
Pushed	2 weeks ago
Size	53 MB
Packages	111

The base image is also available under the supported tag(s): trixie, trixie-20260112

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

✅ There are no tag recommendations at this time.

github-actions · 2026-01-28T03:31:08Z

Overview

Image reference	`jlp04/elevation-generator:latest`	`ghcr.io/jlp04/elevation-generator:test`
- digest	`a8226a760f7a`	`c6b6814e0423`
- tag	`latest`	`test`
- provenance	https://github.com/JLP04/docker-elevation-generator.git#refs/pull/10/merge/commit/4a2cc7daafb000b33b63d0cdd546cf4d8af2098d	https://github.com/JLP04/docker-elevation-generator.git#570648b54d6b3dbe2d0fe6caedf0f77c1b8d47f2/commit/570648b54d6b3dbe2d0fe6caedf0f77c1b8d47f2
- vulnerabilities
- platform	linux/ppc64le	linux/ppc64le
- size	9.4 GB	9.4 GB (+456 kB)
- packages	953	953
Base Image	`debian:latest` also known as: • `13` • `trixie`	`debian:latest` also known as: • `trixie` • `trixie-20260112`
- vulnerabilities

Packages and Vulnerabilities (55 package changes and 6 vulnerability changes)

➕ 7 packages added

➖ 7 packages removed

♾️ 41 packages changed

553 packages unchanged

✔️ 6 vulnerabilities removed

Changes for packages of type deb (41 changes)

	Package	Version `jlp04/elevation-generator:latest`	Version `ghcr.io/jlp04/elevation-generator:test`
♾️	base-files	`13.8+deb13u2`	`13.8+deb13u3`
♾️	bash	`5.2.37-2+b5`	`5.2.37-2+b7`
♾️	comerr-dev	`2.1-1.47.2-3+b3`	`2.1-1.47.2-3+b7`
♾️	gir1.2-glib-2.0	`2.84.4-3~deb13u1`	`2.84.4-3~deb13u2`
♾️	gir1.2-glib-2.0-dev	`2.84.4-3~deb13u1`	`2.84.4-3~deb13u2`
♾️	girepository-tools	`2.84.4-3~deb13u1`	`2.84.4-3~deb13u2`
♾️	libavcodec-dev	`7:7.1.2-0+deb13u1`	`7:7.1.3-0+deb13u1`
♾️	libavcodec61	`7:7.1.2-0+deb13u1`	`7:7.1.3-0+deb13u1`
♾️	libavformat-dev	`7:7.1.2-0+deb13u1`	`7:7.1.3-0+deb13u1`
♾️	libavformat61	`7:7.1.2-0+deb13u1`	`7:7.1.3-0+deb13u1`
♾️	libavutil-dev	`7:7.1.2-0+deb13u1`	`7:7.1.3-0+deb13u1`
♾️	libavutil59	`7:7.1.2-0+deb13u1`	`7:7.1.3-0+deb13u1`
♾️	libc-bin	`2.41-12`	`2.41-12+deb13u1`
♾️	libc-dev-bin	`2.41-12`	`2.41-12+deb13u1`
♾️	libc6	`2.41-12`	`2.41-12+deb13u1`
♾️	libc6-dev	`2.41-12`	`2.41-12+deb13u1`
♾️	libcap-dev	`1:2.75-10+b1`	`1:2.75-10+b3`
♾️	libcap2	`1:2.75-10+b1`	`1:2.75-10+b3`
♾️	libcom-err2	`1.47.2-3+b3`	`1.47.2-3+b7`
♾️	libgio-2.0-dev	`2.84.4-3~deb13u1`	`2.84.4-3~deb13u2`
♾️	libgio-2.0-dev-bin	`2.84.4-3~deb13u1`	`2.84.4-3~deb13u2`
♾️	libgirepository-2.0-0	`2.84.4-3~deb13u1`	`2.84.4-3~deb13u2`
♾️	libglib2.0-0t64	`2.84.4-3~deb13u1`	`2.84.4-3~deb13u2`
♾️	libglib2.0-bin	`2.84.4-3~deb13u1`	`2.84.4-3~deb13u2`
♾️	libglib2.0-data	`2.84.4-3~deb13u1`	`2.84.4-3~deb13u2`
♾️	libglib2.0-dev	`2.84.4-3~deb13u1`	`2.84.4-3~deb13u2`
♾️	libglib2.0-dev-bin	`2.84.4-3~deb13u1`	`2.84.4-3~deb13u2`
♾️	libgnutls-dane0t64	`3.8.9-3`	`3.8.9-3+deb13u1`
♾️	libgnutls-openssl27t64	`3.8.9-3`	`3.8.9-3+deb13u1`
♾️	libgnutls28-dev	`3.8.9-3`	`3.8.9-3+deb13u1`
♾️	libgnutls30t64	`3.8.9-3`	`3.8.9-3+deb13u1`

		Removed vulnerabilities (1):
♾️	libmbedcrypto16	`3.6.4-2`	`3.6.5-0.1~deb13u1`
♾️	libpng-dev	`1.6.48-1`	`1.6.48-1+deb13u1`
♾️	libpng16-16t64	`1.6.48-1`	`1.6.48-1+deb13u1`

		Removed vulnerabilities (5):
♾️	libsodium23	`1.0.18-1+b2`	`1.0.18-1+deb13u1`
♾️	libswresample-dev	`7:7.1.2-0+deb13u1`	`7:7.1.3-0+deb13u1`
♾️	libswresample5	`7:7.1.2-0+deb13u1`	`7:7.1.3-0+deb13u1`
♾️	libswscale-dev	`7:7.1.2-0+deb13u1`	`7:7.1.3-0+deb13u1`
♾️	libswscale8	`7:7.1.2-0+deb13u1`	`7:7.1.3-0+deb13u1`
♾️	linux-libc-dev	`6.12.57-1`	`6.12.63-1`
♾️	sqv	`1.3.0-3`	`1.3.0-3+b2`

Changes for packages of type golang (14 changes)

	Package	Version `jlp04/elevation-generator:latest`	Version `ghcr.io/jlp04/elevation-generator:test`
➕	github.com/cespare/xxhash/v2		`2.3.0`
➖	github.com/cespare/xxhash/v2	`2.3.0`
➖	github.com/cpuguy83/go-md2man/v2	`2.0.7`
➕	github.com/cpuguy83/go-md2man/v2		`2.0.7`
➕	github.com/russross/blackfriday/v2		`2.1.0`
➖	github.com/russross/blackfriday/v2	`2.1.0`
➕	github.com/schollz/cli/v2		`2.2.1`
➖	github.com/schollz/cli/v2	`2.2.1`
➕	github.com/schollz/croc/v10		`UNKNOWN`
➖	github.com/schollz/croc/v10	`UNKNOWN`
➖	github.com/schollz/pake/v3	`3.1.0`
➕	github.com/schollz/pake/v3		`3.1.0`
➕	github.com/schollz/progressbar/v3		`3.18.0`
➖	github.com/schollz/progressbar/v3	`3.18.0`

github-actions · 2026-01-28T03:31:28Z


Your image	`ghcr.io/jlp04/elevation-generator:test`
Current base image	`debian:latest`

github-actions · 2026-01-28T03:31:33Z

🔍 Vulnerabilities of `ghcr.io/jlp04/elevation-generator:test`

📦 Image Reference ghcr.io/jlp04/elevation-generator:test

digest	`sha256:fdbb85fd085149fb3cee8dbd0701a6a201eb191cab467261863b2a05844054f6`
vulnerabilities
platform	linux/riscv64
size	9.4 GB
packages	948

📦 Base Image debian:13

also known as	`13.3` `latest` `trixie` `trixie-20260112`
digest	`sha256:9d53375131aadaa5c6347973be13267697747c1e4ec26c4aadbcee35353adf65`
vulnerabilities

stdlib 1.25.4 (golang)

pkg:golang/stdlib@1.25.4

# Dockerfile (241:241)
RUN set -o pipefail && curl https://getcroc.schollz.com | bash || curl https://getcroc.schollz.com | sed 's^croc_base_url="https://github.com/schollz/croc/releases/download"^croc_base_url="file://"^g' | bash

Affected range	`>=1.25.0 <1.25.5`
Fixed version	`1.25.5`
EPSS Score	`0.017%`
EPSS Percentile	`3rd percentile`

Description

Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a malicious actor can result in excessive resource consumption.

Affected range	`>=1.25.0 <1.25.5`
Fixed version	`1.25.5`
EPSS Score	`0.010%`
EPSS Percentile	`1st percentile`

Description

An excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard SANs in the leaf certificate. For example a constraint that excludes the subdomain test.example.com does not prevent a leaf certificate from claiming the SAN *.example.com.

jquery-ui 1.11.2 (npm)

pkg:npm/jquery-ui@1.11.2

# Dockerfile (227:227)
COPY --from=build /tmp/install /flightgear/script/dnc-managed/install

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.13.0`
Fixed version	`1.13.0`
CVSS Score	`6.5`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N`
EPSS Score	`22.535%`
EPSS Percentile	`96th percentile`

Description

Impact

Accepting the value of the of option of the .position() util from untrusted sources may execute untrusted code. For example, invoking the following code:
$( "#element" ).position( {
	my: "left top",
	at: "right bottom",
	of: "<img onerror='doEvilThing()' src='/404' />",
	collision: "none"
} );
will call the doEvilThing() function.

Patches

The issue is fixed in jQuery UI 1.13.0. Any string value passed to the of option is now treated as a CSS selector.

Workarounds

A workaround is to not accept the value of the of option from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.13.0`
Fixed version	`1.13.0`
CVSS Score	`6.5`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N`
EPSS Score	`2.937%`
EPSS Percentile	`86th percentile`

Description

Impact

Accepting the value of various *Text options of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker in the following way:
$( "#datepicker" ).datepicker( {
	showButtonPanel: true,
	showOn: "both",
	closeText: "<script>doEvilThing( 'closeText XSS' )</script>",
	currentText: "<script>doEvilThing( 'currentText XSS' )</script>",
	prevText: "<script>doEvilThing( 'prevText XSS' )</script>",
	nextText: "<script>doEvilThing( 'nextText XSS' )</script>",
	buttonText: "<script>doEvilThing( 'buttonText XSS' )</script>",
	appendText: "<script>doEvilThing( 'appendText XSS' )</script>",
} );
will call doEvilThing with 6 different parameters coming from all *Text options.

Patches

The issue is fixed in jQuery UI 1.13.0. The values passed to various *Text options are now always treated as pure text, not HTML.

Workarounds

A workaround is to not accept the value of the *Text options from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.13.0`
Fixed version	`1.13.0`
CVSS Score	`6.5`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N`
EPSS Score	`20.555%`
EPSS Percentile	`95th percentile`

Description

Impact

Accepting the value of the altField option of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker in the following way:
$( "#datepicker" ).datepicker( {
	altField: "<img onerror='doEvilThing()' src='/404' />",
} );
will call the doEvilThing function.

Patches

The issue is fixed in jQuery UI 1.13.0. Any string value passed to the altField option is now treated as a CSS selector.

Workarounds

A workaround is to not accept the value of the altField option from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.13.2`
Fixed version	`1.13.2`
CVSS Score	`6.1`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N`
EPSS Score	`10.183%`
EPSS Percentile	`93rd percentile`

Description

Impact

Initializing a checkboxradio widget on an input enclosed within a label makes that parent label contents considered as the input label. If you call .checkboxradio( "refresh" ) on such a widget and the initial HTML contained encoded HTML entities, they will erroneously get decoded. This can lead to potentially executing JavaScript code.

For example, starting with the following initial secure HTML:
<label>
	<input id="test-input">
	&lt;img src=x onerror="alert(1)"&gt;
</label>
and calling:
$( "#test-input" ).checkboxradio();
$( "#test-input" ).checkboxradio( "refresh" );
will turn the initial HTML into:
<label>
	
	<input id="test-input">
	<img src=x onerror="alert(1)">
</label>
and the alert will get executed.

Patches

The bug has been patched in jQuery UI 1.13.2.

Workarounds

To remediate the issue, if you can change the initial HTML, you can wrap all the non-input contents of the label in a span:
<label>
	<input id="test-input">
	<span>&lt;img src=x onerror="alert(1)"&gt;</span>
</label>
References

https://blog.jqueryui.com/2022/07/jquery-ui-1-13-2-released/

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.12.0`
Fixed version	`1.12.0`
CVSS Score	`6.1`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N`
EPSS Score	`1.397%`
EPSS Percentile	`80th percentile`

Description

Affected versions of jquery-ui are vulnerable to a cross-site scripting vulnerability when arbitrary user input is supplied as the value of the closeText parameter in the dialog function.

jQuery-UI is a library for manipulating UI elements via jQuery.

Version 1.11.4 has a cross site scripting (XSS) vulnerability in the closeText parameter of the dialog function. If your application passes user input to this parameter, it may be vulnerable to XSS via this attack vector.

Recommendation

Upgrade to jQuery-UI 1.12.0 or later.

OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

Affected range	`<=1.11.4`
Fixed version	`1.12.0`

Description

jQuery-UI has a cross site scripting (XSS) vulnerability in the closeText parameter of the dialog function. If your application passes user input to this parameter, it may be vulnerable to XSS via this attack vector.

github-actions · 2026-01-28T03:31:37Z

Recommended fixes for image (linux/riscv64) `ghcr.io/jlp04/elevation-generator:test`

Base image is debian:latest

Name	13.3
Digest	sha256:9d53375131aadaa5c6347973be13267697747c1e4ec26c4aadbcee35353adf65
Vulnerabilities
Pushed	2 weeks ago
Size	48 MB
Packages	109
OS	13.3

The base image is also available under the supported tag(s): 13, 13.3, trixie, trixie-20260112

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

✅ There are no tag recommendations at this time.

github-actions · 2026-01-28T03:32:02Z

Overview

Image reference	`jlp04/elevation-generator:latest`	`ghcr.io/jlp04/elevation-generator:test`
- digest	`b12091a813bb`	`fdbb85fd0851`
- tag	`latest`	`test`
- provenance	https://github.com/JLP04/docker-elevation-generator.git#refs/pull/10/merge/commit/4a2cc7daafb000b33b63d0cdd546cf4d8af2098d	https://github.com/JLP04/docker-elevation-generator.git#570648b54d6b3dbe2d0fe6caedf0f77c1b8d47f2/commit/570648b54d6b3dbe2d0fe6caedf0f77c1b8d47f2
- vulnerabilities
- platform	linux/riscv64	linux/riscv64
- size	9.4 GB	9.4 GB (+454 kB)
- packages	948	948
Base Image	`debian:latest` also known as: • `13` • `trixie`	`debian:latest` also known as: • `13` • `13.3` • `trixie` • `trixie-20260112`
- vulnerabilities

Packages and Vulnerabilities (55 package changes and 6 vulnerability changes)

➕ 7 packages added

➖ 7 packages removed

♾️ 41 packages changed

550 packages unchanged

✔️ 6 vulnerabilities removed

Changes for packages of type deb (41 changes)

	Package	Version `jlp04/elevation-generator:latest`	Version `ghcr.io/jlp04/elevation-generator:test`
♾️	base-files	`13.8+deb13u2`	`13.8+deb13u3`
♾️	bash	`5.2.37-2+b5`	`5.2.37-2+b7`
♾️	comerr-dev	`2.1-1.47.2-3+b3`	`2.1-1.47.2-3+b7`
♾️	gir1.2-glib-2.0	`2.84.4-3~deb13u1`	`2.84.4-3~deb13u2`
♾️	gir1.2-glib-2.0-dev	`2.84.4-3~deb13u1`	`2.84.4-3~deb13u2`
♾️	girepository-tools	`2.84.4-3~deb13u1`	`2.84.4-3~deb13u2`
♾️	libavcodec-dev	`7:7.1.2-0+deb13u1`	`7:7.1.3-0+deb13u1`
♾️	libavcodec61	`7:7.1.2-0+deb13u1`	`7:7.1.3-0+deb13u1`
♾️	libavformat-dev	`7:7.1.2-0+deb13u1`	`7:7.1.3-0+deb13u1`
♾️	libavformat61	`7:7.1.2-0+deb13u1`	`7:7.1.3-0+deb13u1`
♾️	libavutil-dev	`7:7.1.2-0+deb13u1`	`7:7.1.3-0+deb13u1`
♾️	libavutil59	`7:7.1.2-0+deb13u1`	`7:7.1.3-0+deb13u1`
♾️	libc-bin	`2.41-12`	`2.41-12+deb13u1`
♾️	libc-dev-bin	`2.41-12`	`2.41-12+deb13u1`
♾️	libc6	`2.41-12`	`2.41-12+deb13u1`
♾️	libc6-dev	`2.41-12`	`2.41-12+deb13u1`
♾️	libcap-dev	`1:2.75-10+b1`	`1:2.75-10+b3`
♾️	libcap2	`1:2.75-10+b1`	`1:2.75-10+b3`
♾️	libcom-err2	`1.47.2-3+b3`	`1.47.2-3+b7`
♾️	libgio-2.0-dev	`2.84.4-3~deb13u1`	`2.84.4-3~deb13u2`
♾️	libgio-2.0-dev-bin	`2.84.4-3~deb13u1`	`2.84.4-3~deb13u2`
♾️	libgirepository-2.0-0	`2.84.4-3~deb13u1`	`2.84.4-3~deb13u2`
♾️	libglib2.0-0t64	`2.84.4-3~deb13u1`	`2.84.4-3~deb13u2`
♾️	libglib2.0-bin	`2.84.4-3~deb13u1`	`2.84.4-3~deb13u2`
♾️	libglib2.0-data	`2.84.4-3~deb13u1`	`2.84.4-3~deb13u2`
♾️	libglib2.0-dev	`2.84.4-3~deb13u1`	`2.84.4-3~deb13u2`
♾️	libglib2.0-dev-bin	`2.84.4-3~deb13u1`	`2.84.4-3~deb13u2`
♾️	libgnutls-dane0t64	`3.8.9-3`	`3.8.9-3+deb13u1`
♾️	libgnutls-openssl27t64	`3.8.9-3`	`3.8.9-3+deb13u1`
♾️	libgnutls28-dev	`3.8.9-3`	`3.8.9-3+deb13u1`
♾️	libgnutls30t64	`3.8.9-3`	`3.8.9-3+deb13u1`

		Removed vulnerabilities (1):
♾️	libmbedcrypto16	`3.6.4-2`	`3.6.5-0.1~deb13u1`
♾️	libpng-dev	`1.6.48-1`	`1.6.48-1+deb13u1`
♾️	libpng16-16t64	`1.6.48-1`	`1.6.48-1+deb13u1`

		Removed vulnerabilities (5):
♾️	libsodium23	`1.0.18-1+b2`	`1.0.18-1+deb13u1`
♾️	libswresample-dev	`7:7.1.2-0+deb13u1`	`7:7.1.3-0+deb13u1`
♾️	libswresample5	`7:7.1.2-0+deb13u1`	`7:7.1.3-0+deb13u1`
♾️	libswscale-dev	`7:7.1.2-0+deb13u1`	`7:7.1.3-0+deb13u1`
♾️	libswscale8	`7:7.1.2-0+deb13u1`	`7:7.1.3-0+deb13u1`
♾️	linux-libc-dev	`6.12.57-1`	`6.12.63-1`
♾️	sqv	`1.3.0-3`	`1.3.0-3+b2`

Changes for packages of type golang (14 changes)

	Package	Version `jlp04/elevation-generator:latest`	Version `ghcr.io/jlp04/elevation-generator:test`
➖	github.com/cespare/xxhash/v2	`2.3.0`
➕	github.com/cespare/xxhash/v2		`2.3.0`
➖	github.com/cpuguy83/go-md2man/v2	`2.0.7`
➕	github.com/cpuguy83/go-md2man/v2		`2.0.7`
➖	github.com/russross/blackfriday/v2	`2.1.0`
➕	github.com/russross/blackfriday/v2		`2.1.0`
➖	github.com/schollz/cli/v2	`2.2.1`
➕	github.com/schollz/cli/v2		`2.2.1`
➕	github.com/schollz/croc/v10		`UNKNOWN`
➖	github.com/schollz/croc/v10	`UNKNOWN`
➖	github.com/schollz/pake/v3	`3.1.0`
➕	github.com/schollz/pake/v3		`3.1.0`
➕	github.com/schollz/progressbar/v3		`3.18.0`
➖	github.com/schollz/progressbar/v3	`3.18.0`

github-actions · 2026-01-28T03:32:21Z


Your image	`ghcr.io/jlp04/elevation-generator:test`
Current base image	`debian:latest`

github-actions · 2026-01-28T03:32:26Z

🔍 Vulnerabilities of `ghcr.io/jlp04/elevation-generator:test`

📦 Image Reference ghcr.io/jlp04/elevation-generator:test

digest	`sha256:fd1343bd137553b19aa4ed91ae1730b813a6a388b21a7c1d9849edfdbd3aaf52`
vulnerabilities
platform	linux/s390x
size	9.4 GB
packages	947

📦 Base Image debian:13

also known as	`13.3` `latest` `trixie` `trixie-20260112`
digest	`sha256:335a1732097a9ff33652319b12da0128fed87c764c16fe83754edad4f567b300`
vulnerabilities

stdlib 1.24.4 (golang)

pkg:golang/stdlib@1.24.4

# Dockerfile (241:241)
RUN set -o pipefail && curl https://getcroc.schollz.com | bash || curl https://getcroc.schollz.com | sed 's^croc_base_url="https://github.com/schollz/croc/releases/download"^croc_base_url="file://"^g' | bash

Affected range	`<1.24.11`
Fixed version	`1.24.11`
EPSS Score	`0.017%`
EPSS Percentile	`3rd percentile`

Description

Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a malicious actor can result in excessive resource consumption.

Affected range	`<1.24.8`
Fixed version	`1.24.8`
EPSS Score	`0.031%`
EPSS Percentile	`8th percentile`

Description

The ParseAddress function constructs domain-literal address components through repeated string concatenation. When parsing large domain-literal components, this can cause excessive CPU consumption.

Affected range	`<1.24.8`
Fixed version	`1.24.8`
EPSS Score	`0.031%`
EPSS Percentile	`8th percentile`

Description

The processing time for parsing some invalid inputs scales non-linearly with respect to the size of the input.

This affects programs which parse untrusted PEM inputs.

Affected range	`<1.24.8`
Fixed version	`1.24.8`
EPSS Score	`0.016%`
EPSS Percentile	`3rd percentile`

Description

Validating certificate chains which contain DSA public keys can cause programs to panic, due to a interface cast that assumes they implement the Equal method.

This affects programs which validate arbitrary certificate chains.

Affected range	`<1.24.9`
Fixed version	`1.24.9`
EPSS Score	`0.016%`
EPSS Percentile	`3rd percentile`

Description

Due to the design of the name constraint checking algorithm, the processing time of some inputs scale non-linearly with respect to the size of the certificate.

This affects programs which validate arbitrary certificate chains.

Affected range	`<1.24.11`
Fixed version	`1.24.11`
EPSS Score	`0.010%`
EPSS Percentile	`1st percentile`

Description

An excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard SANs in the leaf certificate. For example a constraint that excludes the subdomain test.example.com does not prevent a leaf certificate from claiming the SAN *.example.com.

Affected range	`>=1.24.0 <1.24.6`
Fixed version	`1.24.6`
EPSS Score	`0.019%`
EPSS Percentile	`4th percentile`

Description

If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to LookPath ("", ".", and ".."), can result in the binaries listed in the PATH being unexpectedly returned.

Affected range	`<1.24.8`
Fixed version	`1.24.8`
EPSS Score	`0.030%`
EPSS Percentile	`8th percentile`

Description

The Reader.ReadResponse function constructs a response string through repeated string concatenation of lines. When the number of lines in a response is large, this can cause excessive CPU consumption.

Affected range	`<1.24.8`
Fixed version	`1.24.8`
EPSS Score	`0.020%`
EPSS Percentile	`4th percentile`

Description

When Conn.Handshake fails during ALPN negotiation the error contains attacker controlled information (the ALPN protocols sent by the client) which is not escaped.

Affected range	`<1.24.8`
Fixed version	`1.24.8`
EPSS Score	`0.030%`
EPSS Percentile	`8th percentile`

Description

Despite HTTP headers having a default limit of 1MB, the number of cookies that can be parsed does not have a limit. By sending a lot of very small cookies such as "a=;", an attacker can make an HTTP server allocate a large amount of structs, causing large memory consumption.

Affected range	`<1.24.8`
Fixed version	`1.24.8`
EPSS Score	`0.034%`
EPSS Percentile	`10th percentile`

Description

Parsing a maliciously crafted DER payload could allocate large amounts of memory, causing memory exhaustion.

Affected range	`<1.24.8`
Fixed version	`1.24.8`
EPSS Score	`0.033%`
EPSS Percentile	`9th percentile`

Description

The Parse function permits values other than IPv6 addresses to be included in square brackets within the host component of a URL. RFC 3986 permits IPv6 addresses to be included within the host component, enclosed within square brackets. For example: "http://[::1]/". IPv4 addresses and hostnames must not appear within square brackets. Parse did not enforce this requirement.

Affected range	`<1.24.8`
Fixed version	`1.24.8`
EPSS Score	`0.016%`
EPSS Percentile	`3rd percentile`

Description

tar.Reader does not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A maliciously-crafted archive containing a large number of sparse regions can cause a Reader to read an unbounded amount of data from the archive into memory. When reading from a compressed source, a small compressed input can result in large allocations.

jquery-ui 1.11.2 (npm)

pkg:npm/jquery-ui@1.11.2

# Dockerfile (227:227)
COPY --from=build /tmp/install /flightgear/script/dnc-managed/install

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.13.0`
Fixed version	`1.13.0`
CVSS Score	`6.5`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N`
EPSS Score	`22.535%`
EPSS Percentile	`96th percentile`

Description

Impact

Accepting the value of the of option of the .position() util from untrusted sources may execute untrusted code. For example, invoking the following code:
$( "#element" ).position( {
	my: "left top",
	at: "right bottom",
	of: "<img onerror='doEvilThing()' src='/404' />",
	collision: "none"
} );
will call the doEvilThing() function.

Patches

The issue is fixed in jQuery UI 1.13.0. Any string value passed to the of option is now treated as a CSS selector.

Workarounds

A workaround is to not accept the value of the of option from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.13.0`
Fixed version	`1.13.0`
CVSS Score	`6.5`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N`
EPSS Score	`2.937%`
EPSS Percentile	`86th percentile`

Description

Impact

Accepting the value of various *Text options of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker in the following way:
$( "#datepicker" ).datepicker( {
	showButtonPanel: true,
	showOn: "both",
	closeText: "<script>doEvilThing( 'closeText XSS' )</script>",
	currentText: "<script>doEvilThing( 'currentText XSS' )</script>",
	prevText: "<script>doEvilThing( 'prevText XSS' )</script>",
	nextText: "<script>doEvilThing( 'nextText XSS' )</script>",
	buttonText: "<script>doEvilThing( 'buttonText XSS' )</script>",
	appendText: "<script>doEvilThing( 'appendText XSS' )</script>",
} );
will call doEvilThing with 6 different parameters coming from all *Text options.

Patches

The issue is fixed in jQuery UI 1.13.0. The values passed to various *Text options are now always treated as pure text, not HTML.

Workarounds

A workaround is to not accept the value of the *Text options from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.13.0`
Fixed version	`1.13.0`
CVSS Score	`6.5`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N`
EPSS Score	`20.555%`
EPSS Percentile	`95th percentile`

Description

Impact

Accepting the value of the altField option of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker in the following way:
$( "#datepicker" ).datepicker( {
	altField: "<img onerror='doEvilThing()' src='/404' />",
} );
will call the doEvilThing function.

Patches

The issue is fixed in jQuery UI 1.13.0. Any string value passed to the altField option is now treated as a CSS selector.

Workarounds

A workaround is to not accept the value of the altField option from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.13.2`
Fixed version	`1.13.2`
CVSS Score	`6.1`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N`
EPSS Score	`10.183%`
EPSS Percentile	`93rd percentile`

Description

Impact

Initializing a checkboxradio widget on an input enclosed within a label makes that parent label contents considered as the input label. If you call .checkboxradio( "refresh" ) on such a widget and the initial HTML contained encoded HTML entities, they will erroneously get decoded. This can lead to potentially executing JavaScript code.

For example, starting with the following initial secure HTML:
<label>
	<input id="test-input">
	&lt;img src=x onerror="alert(1)"&gt;
</label>
and calling:
$( "#test-input" ).checkboxradio();
$( "#test-input" ).checkboxradio( "refresh" );
will turn the initial HTML into:
<label>
	
	<input id="test-input">
	<img src=x onerror="alert(1)">
</label>
and the alert will get executed.

Patches

The bug has been patched in jQuery UI 1.13.2.

Workarounds

To remediate the issue, if you can change the initial HTML, you can wrap all the non-input contents of the label in a span:
<label>
	<input id="test-input">
	<span>&lt;img src=x onerror="alert(1)"&gt;</span>
</label>
References

https://blog.jqueryui.com/2022/07/jquery-ui-1-13-2-released/

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.12.0`
Fixed version	`1.12.0`
CVSS Score	`6.1`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N`
EPSS Score	`1.397%`
EPSS Percentile	`80th percentile`

Description

Affected versions of jquery-ui are vulnerable to a cross-site scripting vulnerability when arbitrary user input is supplied as the value of the closeText parameter in the dialog function.

jQuery-UI is a library for manipulating UI elements via jQuery.

Version 1.11.4 has a cross site scripting (XSS) vulnerability in the closeText parameter of the dialog function. If your application passes user input to this parameter, it may be vulnerable to XSS via this attack vector.

Recommendation

Upgrade to jQuery-UI 1.12.0 or later.

OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

Affected range	`<=1.11.4`
Fixed version	`1.12.0`

Description

jQuery-UI has a cross site scripting (XSS) vulnerability in the closeText parameter of the dialog function. If your application passes user input to this parameter, it may be vulnerable to XSS via this attack vector.

github-actions · 2026-01-28T03:32:30Z

Recommended fixes for image (linux/s390x) `ghcr.io/jlp04/elevation-generator:test`

Base image is debian:latest

Name	13.3
Digest	sha256:335a1732097a9ff33652319b12da0128fed87c764c16fe83754edad4f567b300
Vulnerabilities
Pushed	2 weeks ago
Size	49 MB
Packages	111
OS	13.3

The base image is also available under the supported tag(s): 13, 13.3, trixie, trixie-20260112

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

✅ There are no tag recommendations at this time.

github-actions · 2026-01-28T03:32:52Z

Overview

Image reference	`jlp04/elevation-generator:latest`	`ghcr.io/jlp04/elevation-generator:test`
- digest	`99442ae443bd`	`fd1343bd1375`
- tag	`latest`	`test`
- provenance	https://github.com/JLP04/docker-elevation-generator.git#refs/pull/10/merge/commit/4a2cc7daafb000b33b63d0cdd546cf4d8af2098d	https://github.com/JLP04/docker-elevation-generator.git#570648b54d6b3dbe2d0fe6caedf0f77c1b8d47f2/commit/570648b54d6b3dbe2d0fe6caedf0f77c1b8d47f2
- vulnerabilities
- platform	linux/s390x	linux/s390x
- size	9.4 GB	9.4 GB (+460 kB)
- packages	947	947
Base Image	`debian:latest` also known as: • `13` • `trixie`	`debian:latest` also known as: • `13` • `13.3` • `trixie` • `trixie-20260112`
- vulnerabilities

Packages and Vulnerabilities (55 package changes and 6 vulnerability changes)

➕ 7 packages added

➖ 7 packages removed

♾️ 41 packages changed

547 packages unchanged

✔️ 6 vulnerabilities removed

Changes for packages of type deb (41 changes)

	Package	Version `jlp04/elevation-generator:latest`	Version `ghcr.io/jlp04/elevation-generator:test`
♾️	base-files	`13.8+deb13u2`	`13.8+deb13u3`
♾️	bash	`5.2.37-2+b5`	`5.2.37-2+b7`
♾️	comerr-dev	`2.1-1.47.2-3+b3`	`2.1-1.47.2-3+b7`
♾️	gir1.2-glib-2.0	`2.84.4-3~deb13u1`	`2.84.4-3~deb13u2`
♾️	gir1.2-glib-2.0-dev	`2.84.4-3~deb13u1`	`2.84.4-3~deb13u2`
♾️	girepository-tools	`2.84.4-3~deb13u1`	`2.84.4-3~deb13u2`
♾️	libavcodec-dev	`7:7.1.2-0+deb13u1`	`7:7.1.3-0+deb13u1`
♾️	libavcodec61	`7:7.1.2-0+deb13u1`	`7:7.1.3-0+deb13u1`
♾️	libavformat-dev	`7:7.1.2-0+deb13u1`	`7:7.1.3-0+deb13u1`
♾️	libavformat61	`7:7.1.2-0+deb13u1`	`7:7.1.3-0+deb13u1`
♾️	libavutil-dev	`7:7.1.2-0+deb13u1`	`7:7.1.3-0+deb13u1`
♾️	libavutil59	`7:7.1.2-0+deb13u1`	`7:7.1.3-0+deb13u1`
♾️	libc-bin	`2.41-12`	`2.41-12+deb13u1`
♾️	libc-dev-bin	`2.41-12`	`2.41-12+deb13u1`
♾️	libc6	`2.41-12`	`2.41-12+deb13u1`
♾️	libc6-dev	`2.41-12`	`2.41-12+deb13u1`
♾️	libcap-dev	`1:2.75-10+b1`	`1:2.75-10+b3`
♾️	libcap2	`1:2.75-10+b1`	`1:2.75-10+b3`
♾️	libcom-err2	`1.47.2-3+b3`	`1.47.2-3+b7`
♾️	libgio-2.0-dev	`2.84.4-3~deb13u1`	`2.84.4-3~deb13u2`
♾️	libgio-2.0-dev-bin	`2.84.4-3~deb13u1`	`2.84.4-3~deb13u2`
♾️	libgirepository-2.0-0	`2.84.4-3~deb13u1`	`2.84.4-3~deb13u2`
♾️	libglib2.0-0t64	`2.84.4-3~deb13u1`	`2.84.4-3~deb13u2`
♾️	libglib2.0-bin	`2.84.4-3~deb13u1`	`2.84.4-3~deb13u2`
♾️	libglib2.0-data	`2.84.4-3~deb13u1`	`2.84.4-3~deb13u2`
♾️	libglib2.0-dev	`2.84.4-3~deb13u1`	`2.84.4-3~deb13u2`
♾️	libglib2.0-dev-bin	`2.84.4-3~deb13u1`	`2.84.4-3~deb13u2`
♾️	libgnutls-dane0t64	`3.8.9-3`	`3.8.9-3+deb13u1`
♾️	libgnutls-openssl27t64	`3.8.9-3`	`3.8.9-3+deb13u1`
♾️	libgnutls28-dev	`3.8.9-3`	`3.8.9-3+deb13u1`
♾️	libgnutls30t64	`3.8.9-3`	`3.8.9-3+deb13u1`

		Removed vulnerabilities (1):
♾️	libmbedcrypto16	`3.6.4-2`	`3.6.5-0.1~deb13u1`
♾️	libpng-dev	`1.6.48-1`	`1.6.48-1+deb13u1`
♾️	libpng16-16t64	`1.6.48-1`	`1.6.48-1+deb13u1`

		Removed vulnerabilities (5):
♾️	libsodium23	`1.0.18-1+b2`	`1.0.18-1+deb13u1`
♾️	libswresample-dev	`7:7.1.2-0+deb13u1`	`7:7.1.3-0+deb13u1`
♾️	libswresample5	`7:7.1.2-0+deb13u1`	`7:7.1.3-0+deb13u1`
♾️	libswscale-dev	`7:7.1.2-0+deb13u1`	`7:7.1.3-0+deb13u1`
♾️	libswscale8	`7:7.1.2-0+deb13u1`	`7:7.1.3-0+deb13u1`
♾️	linux-libc-dev	`6.12.57-1`	`6.12.63-1`
♾️	sqv	`1.3.0-3`	`1.3.0-3+b2`

Changes for packages of type golang (14 changes)

	Package	Version `jlp04/elevation-generator:latest`	Version `ghcr.io/jlp04/elevation-generator:test`
➖	github.com/cespare/xxhash/v2	`2.3.0`
➕	github.com/cespare/xxhash/v2		`2.3.0`
➖	github.com/cpuguy83/go-md2man/v2	`2.0.7`
➕	github.com/cpuguy83/go-md2man/v2		`2.0.7`
➖	github.com/russross/blackfriday/v2	`2.1.0`
➕	github.com/russross/blackfriday/v2		`2.1.0`
➖	github.com/schollz/cli/v2	`2.2.1`
➕	github.com/schollz/cli/v2		`2.2.1`
➕	github.com/schollz/croc/v10		`UNKNOWN`
➖	github.com/schollz/croc/v10	`UNKNOWN`
➕	github.com/schollz/pake/v3		`3.1.0`
➖	github.com/schollz/pake/v3	`3.1.0`
➖	github.com/schollz/progressbar/v3	`3.18.0`
➕	github.com/schollz/progressbar/v3		`3.18.0`

dependabot bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Dec 15, 2025

JLP04 approved these changes Jan 27, 2026

View reviewed changes

JLP04 added the run-ci-pr This triggers the ci-pr workflow to be run on a given pull request label Jan 27, 2026

Bump actions/upload-artifact from 5 to 6 #11

Are you sure you want to change the base?

Bump actions/upload-artifact from 5 to 6 #11

Uh oh!

Conversation

dependabot bot commented on behalf of github Dec 15, 2025

v6.0.0

v6 - What's new

Node.js 24

What's Changed

Uh oh!

JLP04 left a comment

Choose a reason for hiding this comment

Uh oh!

github-actions bot commented Jan 28, 2026

Uh oh!

github-actions bot commented Jan 28, 2026

🔍 Vulnerabilities of ghcr.io/jlp04/elevation-generator:test

Impact

Patches

Workarounds

For more information

Impact

Patches

Workarounds

For more information

Impact

Patches

Workarounds

For more information

Impact

Patches

Workarounds

References

For more information

Recommendation

Uh oh!

github-actions bot commented Jan 28, 2026

Recommended fixes for image (linux/386) ghcr.io/jlp04/elevation-generator:test

Refresh base image

Change base image

Uh oh!

github-actions bot commented Jan 28, 2026

Overview

Uh oh!

github-actions bot commented Jan 28, 2026

Uh oh!

github-actions bot commented Jan 28, 2026

🔍 Vulnerabilities of ghcr.io/jlp04/elevation-generator:test

Impact

Patches

Workarounds

For more information

Impact

Patches

Workarounds

For more information

Impact

Patches

Workarounds

For more information

Impact

Patches

Workarounds

References

For more information

Recommendation

Uh oh!

github-actions bot commented Jan 28, 2026

Recommended fixes for image (linux/amd64) ghcr.io/jlp04/elevation-generator:test

Refresh base image

Change base image

Uh oh!

github-actions bot commented Jan 28, 2026

Overview

Uh oh!

github-actions bot commented Jan 28, 2026

Uh oh!

github-actions bot commented Jan 28, 2026

🔍 Vulnerabilities of ghcr.io/jlp04/elevation-generator:test

🔍 Vulnerabilities of `ghcr.io/jlp04/elevation-generator:test`

Recommended fixes for image (linux/386) `ghcr.io/jlp04/elevation-generator:test`

🔍 Vulnerabilities of `ghcr.io/jlp04/elevation-generator:test`

Recommended fixes for image (linux/amd64) `ghcr.io/jlp04/elevation-generator:test`

🔍 Vulnerabilities of `ghcr.io/jlp04/elevation-generator:test`

Recommended fixes for image (linux/arm/v5) `ghcr.io/jlp04/elevation-generator:test`

🔍 Vulnerabilities of `ghcr.io/jlp04/elevation-generator:test`

Recommended fixes for image (linux/arm/v7) `ghcr.io/jlp04/elevation-generator:test`

🔍 Vulnerabilities of `ghcr.io/jlp04/elevation-generator:test`