Try Using Git Repos Again When Adding from GitLab by JLP04 · Pull Request #22 · JLP04/docker-elevation-generator

JLP04 · 2026-05-23T16:45:56Z

Try using the actual git repos from GitLab again now that a fix has been implemented upstream.

github-actions · 2026-06-04T01:06:30Z


Your image	`ghcr.io/jlp04/elevation-generator:test`
Current base image	`debian:latest`

github-actions · 2026-06-04T01:06:36Z

🔍 Vulnerabilities of `ghcr.io/jlp04/elevation-generator:test`

📦 Image Reference ghcr.io/jlp04/elevation-generator:test

digest	`sha256:be5343bb71f8d4d91105d1c4eed21cdf868ebccbdb8cecb4408b175dd4130cd3`
vulnerabilities
platform	linux/386
size	9.5 GB
packages	959

📦 Base Image debian:13

also known as	`13.5` `latest` `trixie` `trixie-20260518`
digest	`sha256:804a514efd1d29653f3994230b23af636427967819f18d34ac02301e1ebb3944`
vulnerabilities

golang.org/x/crypto 0.51.0 (golang)

pkg:golang/golang.org/x/crypto@0.51.0

# Dockerfile (266:266)
RUN set -o pipefail && curl https://getcroc.schollz.com | bash || curl https://getcroc.schollz.com | sed 's^croc_base_url="https://github.com/schollz/croc/releases/download"^croc_base_url="file://"^g' | bash

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.052%`
EPSS Percentile	`16th percentile`

Description

Previously, CVE-2024-45337 fixed an authorization bypass for misused ssh server configurations; if any other type of callback is passed other than public key, then the source-address validation would be skipped.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.038%`
EPSS Percentile	`12th percentile`

Description

Previously, a revoked 'SignatureKey' belonging to a CA was not correctly checked for revocation. Now, both the 'key' and 'key.SignatureKey' are checked for @Revoked.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.054%`
EPSS Percentile	`17th percentile`

Description

When writing data larger than 4GB in a single Write call on an SSH channel, an integer overflow in the internal payload size calculation caused the write loop to spin indefinitely, sending empty packets without making progress. The size comparison now uses int64 to prevent truncation.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.042%`
EPSS Percentile	`13th percentile`

Description

The in-memory keyring returned by NewKeyring() silently accepted keys with the ConfirmBeforeUse constraint but never enforced it. The key would sign without any confirmation prompt, with no indication to the caller that the constraint was not in effect. NewKeyring() now returns an error when unsupported constraints are requested.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.068%`
EPSS Percentile	`21st percentile`

Description

When adding a key to a remote agent constraint extensions such as restrict-destination-v00@openssh.com were not serialized in the request. Destination restrictions were silently stripped when forwarding keys, allowing unrestricted use of the key on the remote host. The client now serializes all constraint extensions. Additionally, the in-memory keyring returned by NewKeyring() now rejects keys with unsupported constraint extensions instead of silently ignoring them.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.029%`
EPSS Percentile	`9th percentile`

Description

The Verify() method for FIDO/U2F security key types (sk-ecdsa-sha2-nistp256@openssh.com, sk-ssh-ed25519@openssh.com) did not check the User Presence flag. Signatures generated without physical touch were accepted, allowing unattended use of a hardware security key. To restore the previous behavior, return a "no-touch-required" extension in Permissions.Extensions from PublicKeyCallback.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.055%`
EPSS Percentile	`17th percentile`

Description

A malicious SSH peer could send unsolicited global request responses to fill an internal buffer, blocking the connection's read loop. The blocked goroutine could not be released by calling Close(), resulting in a resource leak per connection. Unsolicited global responses are now discarded.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.054%`
EPSS Percentile	`17th percentile`

Description

An incorrectly placed cast from bytes to int allowed for server-side panic in the AES-GCM packet decoder for well-crafted inputs.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.088%`
EPSS Percentile	`25th percentile`

Description

The RSA and DSA public key parsers did not enforce size limits on key parameters. A crafted public key with an excessively large modulus or DSA parameter could cause several minutes of CPU consumption during signature verification. This could be triggered by unauthenticated clients during public key authentication. RSA moduli are now limited to 8192 bits, and DSA parameters are validated per FIPS 186-2.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.023%`
EPSS Percentile	`7th percentile`

Description

An authenticated SSH client that repeatedly opened channels which were rejected by the server caused unbounded memory growth, eventually crashing the server process and affecting all connected users. Rejected channels are now properly removed from the connection's internal state and released for garbage collection.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.030%`
EPSS Percentile	`9th percentile`

Description

When an SSH server authentication callback returned PartialSuccessError with non-nil Permissions, those permissions were silently discarded, potentially dropping certificate restrictions such as force-command after a second factor succeeded. Returning non-nil Permissions with PartialSuccessError now results in a connection error.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.050%`
EPSS Percentile	`16th percentile`

Description

For certain crafted inputs, a 'ed25519.PrivateKey' was created by casting malformed wire bytes, leading to a panic when used.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.029%`
EPSS Percentile	`9th percentile`

Description

SSH servers which use CertChecker as a public key callback without setting IsUserAuthority or IsHostAuthority could be caused to panic by a client presenting a certificate. CertChecker now returns an error instead of panicking when these callbacks are nil.

golang.org/x/net 0.54.0 (golang)

pkg:golang/golang.org/x/net@0.54.0

# Dockerfile (266:266)
RUN set -o pipefail && curl https://getcroc.schollz.com | bash || curl https://getcroc.schollz.com | sed 's^croc_base_url="https://github.com/schollz/croc/releases/download"^croc_base_url="file://"^g' | bash

Affected range	`<0.55.0`
Fixed version	`0.55.0`
EPSS Score	`0.050%`
EPSS Percentile	`16th percentile`

Description

The ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to an ASCII-only label. For example, ToUnicode("xn--example-.com") incorrectly returns the name "example.com" rather than an error.

This behavior can lead to privilege escalation in programs using the idna package. For example, a program which performs privilege checks on the ASCII hostname may reject "example.com" but permit "xn--example-.com". If that program subsequently converts the ASCII hostname to Unicode, it will inadvertently permits access to the Unicode name "example.com".

Affected range	`<0.55.0`
Fixed version	`0.55.0`
EPSS Score	`0.061%`
EPSS Percentile	`19th percentile`

Description

Parsing arbitrary HTML can consume excessive CPU time, possibly leading to denial of service.

Affected range	`<0.55.0`
Fixed version	`0.55.0`
EPSS Score	`0.032%`
EPSS Percentile	`10th percentile`

Description

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

Affected range	`<0.55.0`
Fixed version	`0.55.0`
EPSS Score	`0.031%`
EPSS Percentile	`9th percentile`

Description

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

Affected range	`<0.55.0`
Fixed version	`0.55.0`
EPSS Score	`0.031%`
EPSS Percentile	`9th percentile`

Description

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

Affected range	`<0.55.0`
Fixed version	`0.55.0`
EPSS Score	`0.031%`
EPSS Percentile	`9th percentile`

Description

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

jquery-ui 1.11.2 (npm)

pkg:npm/jquery-ui@1.11.2

# Dockerfile (252:252)
COPY --from=build /tmp/install /flightgear/script/dnc-managed/install

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.13.0`
Fixed version	`1.13.0`
CVSS Score	`6.5`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N`
EPSS Score	`31.184%`
EPSS Percentile	`97th percentile`

Description

Impact

Accepting the value of the of option of the .position() util from untrusted sources may execute untrusted code. For example, invoking the following code:
$( "#element" ).position( {
	my: "left top",
	at: "right bottom",
	of: "<img onerror='doEvilThing()' src='/404' />",
	collision: "none"
} );
will call the doEvilThing() function.

Patches

The issue is fixed in jQuery UI 1.13.0. Any string value passed to the of option is now treated as a CSS selector.

Workarounds

A workaround is to not accept the value of the of option from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.13.0`
Fixed version	`1.13.0`
CVSS Score	`6.5`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N`
EPSS Score	`2.921%`
EPSS Percentile	`87th percentile`

Description

Impact

Accepting the value of various *Text options of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker in the following way:
$( "#datepicker" ).datepicker( {
	showButtonPanel: true,
	showOn: "both",
	closeText: "<script>doEvilThing( 'closeText XSS' )</script>",
	currentText: "<script>doEvilThing( 'currentText XSS' )</script>",
	prevText: "<script>doEvilThing( 'prevText XSS' )</script>",
	nextText: "<script>doEvilThing( 'nextText XSS' )</script>",
	buttonText: "<script>doEvilThing( 'buttonText XSS' )</script>",
	appendText: "<script>doEvilThing( 'appendText XSS' )</script>",
} );
will call doEvilThing with 6 different parameters coming from all *Text options.

Patches

The issue is fixed in jQuery UI 1.13.0. The values passed to various *Text options are now always treated as pure text, not HTML.

Workarounds

A workaround is to not accept the value of the *Text options from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.13.0`
Fixed version	`1.13.0`
CVSS Score	`6.5`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N`
EPSS Score	`27.509%`
EPSS Percentile	`97th percentile`

Description

Impact

Accepting the value of the altField option of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker in the following way:
$( "#datepicker" ).datepicker( {
	altField: "<img onerror='doEvilThing()' src='/404' />",
} );
will call the doEvilThing function.

Patches

The issue is fixed in jQuery UI 1.13.0. Any string value passed to the altField option is now treated as a CSS selector.

Workarounds

A workaround is to not accept the value of the altField option from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.13.2`
Fixed version	`1.13.2`
CVSS Score	`6.1`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N`
EPSS Score	`7.763%`
EPSS Percentile	`92nd percentile`

Description

Impact

Initializing a checkboxradio widget on an input enclosed within a label makes that parent label contents considered as the input label. If you call .checkboxradio( "refresh" ) on such a widget and the initial HTML contained encoded HTML entities, they will erroneously get decoded. This can lead to potentially executing JavaScript code.

For example, starting with the following initial secure HTML:
<label>
	<input id="test-input">
	&lt;img src=x onerror="alert(1)"&gt;
</label>
and calling:
$( "#test-input" ).checkboxradio();
$( "#test-input" ).checkboxradio( "refresh" );
will turn the initial HTML into:
<label>
	
	<input id="test-input">
	<img src=x onerror="alert(1)">
</label>
and the alert will get executed.

Patches

The bug has been patched in jQuery UI 1.13.2.

Workarounds

To remediate the issue, if you can change the initial HTML, you can wrap all the non-input contents of the label in a span:
<label>
	<input id="test-input">
	<span>&lt;img src=x onerror="alert(1)"&gt;</span>
</label>
References

https://blog.jqueryui.com/2022/07/jquery-ui-1-13-2-released/

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.12.0`
Fixed version	`1.12.0`
CVSS Score	`6.1`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N`
EPSS Score	`1.778%`
EPSS Percentile	`83rd percentile`

Description

Affected versions of jquery-ui are vulnerable to a cross-site scripting vulnerability when arbitrary user input is supplied as the value of the closeText parameter in the dialog function.

jQuery-UI is a library for manipulating UI elements via jQuery.

Version 1.11.4 has a cross site scripting (XSS) vulnerability in the closeText parameter of the dialog function. If your application passes user input to this parameter, it may be vulnerable to XSS via this attack vector.

Recommendation

Upgrade to jQuery-UI 1.12.0 or later.

OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

Affected range	`<=1.11.4`
Fixed version	`1.12.0`

Description

jQuery-UI has a cross site scripting (XSS) vulnerability in the closeText parameter of the dialog function. If your application passes user input to this parameter, it may be vulnerable to XSS via this attack vector.

stdlib 1.25.10 (golang)

pkg:golang/stdlib@1.25.10

# Dockerfile (266:266)
RUN set -o pipefail && curl https://getcroc.schollz.com | bash || curl https://getcroc.schollz.com | sed 's^croc_base_url="https://github.com/schollz/croc/releases/download"^croc_base_url="file://"^g' | bash

Affected range	`<1.25.11`
Fixed version	`1.25.11`

Description

When returning errors, functions in the net/textproto package would include its input as part of the error. This might allow an attacker to inject misleading content to errors that are printed or logged.

Affected range	`<1.25.11`
Fixed version	`1.25.11`

Description

Decoding a maliciously-crafted MIME header containing many invalid encoded-words can consume excessive CPU.

Affected range	`<1.25.11`
Fixed version	`1.25.11`

Description

(*x509.Certificate).VerifyHostname previously called matchHostnames in a loop over all DNS Subject Alternative Name (SAN) entries. This caused strings.Split(host, ".") to execute repeatedly on the same input hostname.

With a large DNS SAN list, verification costs scaled quadratically based on the number of SAN entries multiplied by the hostname's label count. Because x509.Verify validates hostnames before building the certificate chain, this overhead occurred even for untrusted certificates.

github-actions · 2026-06-04T01:06:39Z

Recommended fixes for image (linux/386) `ghcr.io/jlp04/elevation-generator:test`

Base image is debian:latest

Name	13.5
Digest	sha256:804a514efd1d29653f3994230b23af636427967819f18d34ac02301e1ebb3944
Vulnerabilities
Pushed	2 weeks ago
Size	51 MB
Packages	111
OS	13.5

The base image is also available under the supported tag(s): 13, 13.5, trixie, trixie-20260518

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

✅ There are no tag recommendations at this time.

github-actions · 2026-06-04T01:07:14Z

Overview

Image reference	`jlp04/elevation-generator:latest`	`ghcr.io/jlp04/elevation-generator:test`
- digest	`6b40ffce86bf`	`be5343bb71f8`
- tag	`latest`	`test`
- provenance	https://github.com/JLP04/docker-elevation-generator.git#refs/pull/21/merge/commit/b7d5aadf699a851a21039e8fabe8e946fe1adedc	https://github.com/JLP04/docker-elevation-generator.git#refs/pull/22/merge/commit/cd8b4c4083ec1132f53a4cf2f5f3429b4c81655d
- vulnerabilities
- platform	linux/386	linux/386
- size	9.5 GB	9.5 GB (+72 kB)
- packages	958	959 (+1)
Base Image	`debian:latest` also known as: • `13` • `13.5` • `trixie` • `trixie-20260518`	`debian:latest` also known as: • `13` • `13.5` • `trixie` • `trixie-20260518`
- vulnerabilities

Packages and Vulnerabilities (13 package changes and 2 vulnerability changes)

➕ 1 packages added

♾️ 12 packages changed

591 packages unchanged

✔️ 2 vulnerabilities removed

Changes for packages of type deb (12 changes)

	Package	Version `jlp04/elevation-generator:latest`	Version `ghcr.io/jlp04/elevation-generator:test`
♾️	krb5-multidev	`1.21.3-5`	`1.21.3-5+deb13u1`
♾️	libgssapi-krb5-2	`1.21.3-5`	`1.21.3-5+deb13u1`
♾️	libgssrpc4t64	`1.21.3-5`	`1.21.3-5+deb13u1`
♾️	libk5crypto3	`1.21.3-5`	`1.21.3-5+deb13u1`
♾️	libkadm5clnt-mit12	`1.21.3-5`	`1.21.3-5+deb13u1`
♾️	libkadm5srv-mit12	`1.21.3-5`	`1.21.3-5+deb13u1`
♾️	libkdb5-10t64	`1.21.3-5`	`1.21.3-5+deb13u1`
♾️	libkrb5-3	`1.21.3-5`	`1.21.3-5+deb13u1`
♾️	libkrb5-dev	`1.21.3-5`	`1.21.3-5+deb13u1`
♾️	libkrb5support0	`1.21.3-5`	`1.21.3-5+deb13u1`

		Removed vulnerabilities (2):
♾️	libunbound8	`1.22.0-2+deb13u2`	`1.22.0-2+deb13u3`
♾️	linux-libc-dev	`6.12.88-1`	`6.12.90-2`

Changes for packages of type maven (1 changes)

	Package	Version `jlp04/elevation-generator:latest`	Version `ghcr.io/jlp04/elevation-generator:test`
➕	fgfsclient/fgfsclient		`UNKNOWN`

github-actions · 2026-06-04T01:07:39Z


Your image	`ghcr.io/jlp04/elevation-generator:test`
Current base image	`debian:latest`

github-actions · 2026-06-04T01:07:44Z

🔍 Vulnerabilities of `ghcr.io/jlp04/elevation-generator:test`

📦 Image Reference ghcr.io/jlp04/elevation-generator:test

digest	`sha256:d9d66e0c5a2ab84cbf170c89540aff97bf0fe5d7d1add8cbde856dae466e926d`
vulnerabilities
platform	linux/amd64
size	9.4 GB
packages	963

📦 Base Image debian:13

also known as	`13.5` `latest` `trixie` `trixie-20260518`
digest	`sha256:2477d9ee0ead4370c778ce3aa42258a0b07684d1a84ded8f4af518383fbc3f2d`
vulnerabilities

golang.org/x/crypto 0.51.0 (golang)

pkg:golang/golang.org/x/crypto@0.51.0

# Dockerfile (266:266)
RUN set -o pipefail && curl https://getcroc.schollz.com | bash || curl https://getcroc.schollz.com | sed 's^croc_base_url="https://github.com/schollz/croc/releases/download"^croc_base_url="file://"^g' | bash

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.052%`
EPSS Percentile	`16th percentile`

Description

Previously, CVE-2024-45337 fixed an authorization bypass for misused ssh server configurations; if any other type of callback is passed other than public key, then the source-address validation would be skipped.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.038%`
EPSS Percentile	`12th percentile`

Description

Previously, a revoked 'SignatureKey' belonging to a CA was not correctly checked for revocation. Now, both the 'key' and 'key.SignatureKey' are checked for @Revoked.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.054%`
EPSS Percentile	`17th percentile`

Description

When writing data larger than 4GB in a single Write call on an SSH channel, an integer overflow in the internal payload size calculation caused the write loop to spin indefinitely, sending empty packets without making progress. The size comparison now uses int64 to prevent truncation.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.042%`
EPSS Percentile	`13th percentile`

Description

The in-memory keyring returned by NewKeyring() silently accepted keys with the ConfirmBeforeUse constraint but never enforced it. The key would sign without any confirmation prompt, with no indication to the caller that the constraint was not in effect. NewKeyring() now returns an error when unsupported constraints are requested.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.068%`
EPSS Percentile	`21st percentile`

Description

When adding a key to a remote agent constraint extensions such as restrict-destination-v00@openssh.com were not serialized in the request. Destination restrictions were silently stripped when forwarding keys, allowing unrestricted use of the key on the remote host. The client now serializes all constraint extensions. Additionally, the in-memory keyring returned by NewKeyring() now rejects keys with unsupported constraint extensions instead of silently ignoring them.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.029%`
EPSS Percentile	`9th percentile`

Description

The Verify() method for FIDO/U2F security key types (sk-ecdsa-sha2-nistp256@openssh.com, sk-ssh-ed25519@openssh.com) did not check the User Presence flag. Signatures generated without physical touch were accepted, allowing unattended use of a hardware security key. To restore the previous behavior, return a "no-touch-required" extension in Permissions.Extensions from PublicKeyCallback.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.055%`
EPSS Percentile	`17th percentile`

Description

A malicious SSH peer could send unsolicited global request responses to fill an internal buffer, blocking the connection's read loop. The blocked goroutine could not be released by calling Close(), resulting in a resource leak per connection. Unsolicited global responses are now discarded.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.054%`
EPSS Percentile	`17th percentile`

Description

An incorrectly placed cast from bytes to int allowed for server-side panic in the AES-GCM packet decoder for well-crafted inputs.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.088%`
EPSS Percentile	`25th percentile`

Description

The RSA and DSA public key parsers did not enforce size limits on key parameters. A crafted public key with an excessively large modulus or DSA parameter could cause several minutes of CPU consumption during signature verification. This could be triggered by unauthenticated clients during public key authentication. RSA moduli are now limited to 8192 bits, and DSA parameters are validated per FIPS 186-2.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.023%`
EPSS Percentile	`7th percentile`

Description

An authenticated SSH client that repeatedly opened channels which were rejected by the server caused unbounded memory growth, eventually crashing the server process and affecting all connected users. Rejected channels are now properly removed from the connection's internal state and released for garbage collection.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.030%`
EPSS Percentile	`9th percentile`

Description

When an SSH server authentication callback returned PartialSuccessError with non-nil Permissions, those permissions were silently discarded, potentially dropping certificate restrictions such as force-command after a second factor succeeded. Returning non-nil Permissions with PartialSuccessError now results in a connection error.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.050%`
EPSS Percentile	`16th percentile`

Description

For certain crafted inputs, a 'ed25519.PrivateKey' was created by casting malformed wire bytes, leading to a panic when used.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.029%`
EPSS Percentile	`9th percentile`

Description

SSH servers which use CertChecker as a public key callback without setting IsUserAuthority or IsHostAuthority could be caused to panic by a client presenting a certificate. CertChecker now returns an error instead of panicking when these callbacks are nil.

golang.org/x/net 0.54.0 (golang)

pkg:golang/golang.org/x/net@0.54.0

# Dockerfile (266:266)
RUN set -o pipefail && curl https://getcroc.schollz.com | bash || curl https://getcroc.schollz.com | sed 's^croc_base_url="https://github.com/schollz/croc/releases/download"^croc_base_url="file://"^g' | bash

Affected range	`<0.55.0`
Fixed version	`0.55.0`
EPSS Score	`0.050%`
EPSS Percentile	`16th percentile`

Description

The ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to an ASCII-only label. For example, ToUnicode("xn--example-.com") incorrectly returns the name "example.com" rather than an error.

This behavior can lead to privilege escalation in programs using the idna package. For example, a program which performs privilege checks on the ASCII hostname may reject "example.com" but permit "xn--example-.com". If that program subsequently converts the ASCII hostname to Unicode, it will inadvertently permits access to the Unicode name "example.com".

Affected range	`<0.55.0`
Fixed version	`0.55.0`
EPSS Score	`0.061%`
EPSS Percentile	`19th percentile`

Description

Parsing arbitrary HTML can consume excessive CPU time, possibly leading to denial of service.

Affected range	`<0.55.0`
Fixed version	`0.55.0`
EPSS Score	`0.032%`
EPSS Percentile	`10th percentile`

Description

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

Affected range	`<0.55.0`
Fixed version	`0.55.0`
EPSS Score	`0.031%`
EPSS Percentile	`9th percentile`

Description

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

Affected range	`<0.55.0`
Fixed version	`0.55.0`
EPSS Score	`0.031%`
EPSS Percentile	`9th percentile`

Description

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

Affected range	`<0.55.0`
Fixed version	`0.55.0`
EPSS Score	`0.031%`
EPSS Percentile	`9th percentile`

Description

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

jquery-ui 1.11.2 (npm)

pkg:npm/jquery-ui@1.11.2

# Dockerfile (252:252)
COPY --from=build /tmp/install /flightgear/script/dnc-managed/install

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.13.0`
Fixed version	`1.13.0`
CVSS Score	`6.5`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N`
EPSS Score	`31.184%`
EPSS Percentile	`97th percentile`

Description

Impact

Accepting the value of the of option of the .position() util from untrusted sources may execute untrusted code. For example, invoking the following code:
$( "#element" ).position( {
	my: "left top",
	at: "right bottom",
	of: "<img onerror='doEvilThing()' src='/404' />",
	collision: "none"
} );
will call the doEvilThing() function.

Patches

The issue is fixed in jQuery UI 1.13.0. Any string value passed to the of option is now treated as a CSS selector.

Workarounds

A workaround is to not accept the value of the of option from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.13.0`
Fixed version	`1.13.0`
CVSS Score	`6.5`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N`
EPSS Score	`2.921%`
EPSS Percentile	`87th percentile`

Description

Impact

Accepting the value of various *Text options of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker in the following way:
$( "#datepicker" ).datepicker( {
	showButtonPanel: true,
	showOn: "both",
	closeText: "<script>doEvilThing( 'closeText XSS' )</script>",
	currentText: "<script>doEvilThing( 'currentText XSS' )</script>",
	prevText: "<script>doEvilThing( 'prevText XSS' )</script>",
	nextText: "<script>doEvilThing( 'nextText XSS' )</script>",
	buttonText: "<script>doEvilThing( 'buttonText XSS' )</script>",
	appendText: "<script>doEvilThing( 'appendText XSS' )</script>",
} );
will call doEvilThing with 6 different parameters coming from all *Text options.

Patches

The issue is fixed in jQuery UI 1.13.0. The values passed to various *Text options are now always treated as pure text, not HTML.

Workarounds

A workaround is to not accept the value of the *Text options from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.13.0`
Fixed version	`1.13.0`
CVSS Score	`6.5`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N`
EPSS Score	`27.509%`
EPSS Percentile	`97th percentile`

Description

Impact

Accepting the value of the altField option of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker in the following way:
$( "#datepicker" ).datepicker( {
	altField: "<img onerror='doEvilThing()' src='/404' />",
} );
will call the doEvilThing function.

Patches

The issue is fixed in jQuery UI 1.13.0. Any string value passed to the altField option is now treated as a CSS selector.

Workarounds

A workaround is to not accept the value of the altField option from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.13.2`
Fixed version	`1.13.2`
CVSS Score	`6.1`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N`
EPSS Score	`7.763%`
EPSS Percentile	`92nd percentile`

Description

Impact

Initializing a checkboxradio widget on an input enclosed within a label makes that parent label contents considered as the input label. If you call .checkboxradio( "refresh" ) on such a widget and the initial HTML contained encoded HTML entities, they will erroneously get decoded. This can lead to potentially executing JavaScript code.

For example, starting with the following initial secure HTML:
<label>
	<input id="test-input">
	&lt;img src=x onerror="alert(1)"&gt;
</label>
and calling:
$( "#test-input" ).checkboxradio();
$( "#test-input" ).checkboxradio( "refresh" );
will turn the initial HTML into:
<label>
	
	<input id="test-input">
	<img src=x onerror="alert(1)">
</label>
and the alert will get executed.

Patches

The bug has been patched in jQuery UI 1.13.2.

Workarounds

To remediate the issue, if you can change the initial HTML, you can wrap all the non-input contents of the label in a span:
<label>
	<input id="test-input">
	<span>&lt;img src=x onerror="alert(1)"&gt;</span>
</label>
References

https://blog.jqueryui.com/2022/07/jquery-ui-1-13-2-released/

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.12.0`
Fixed version	`1.12.0`
CVSS Score	`6.1`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N`
EPSS Score	`1.778%`
EPSS Percentile	`83rd percentile`

Description

Affected versions of jquery-ui are vulnerable to a cross-site scripting vulnerability when arbitrary user input is supplied as the value of the closeText parameter in the dialog function.

jQuery-UI is a library for manipulating UI elements via jQuery.

Version 1.11.4 has a cross site scripting (XSS) vulnerability in the closeText parameter of the dialog function. If your application passes user input to this parameter, it may be vulnerable to XSS via this attack vector.

Recommendation

Upgrade to jQuery-UI 1.12.0 or later.

OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

Affected range	`<=1.11.4`
Fixed version	`1.12.0`

Description

jQuery-UI has a cross site scripting (XSS) vulnerability in the closeText parameter of the dialog function. If your application passes user input to this parameter, it may be vulnerable to XSS via this attack vector.

stdlib 1.25.10 (golang)

pkg:golang/stdlib@1.25.10

# Dockerfile (266:266)
RUN set -o pipefail && curl https://getcroc.schollz.com | bash || curl https://getcroc.schollz.com | sed 's^croc_base_url="https://github.com/schollz/croc/releases/download"^croc_base_url="file://"^g' | bash

Affected range	`<1.25.11`
Fixed version	`1.25.11`

Description

When returning errors, functions in the net/textproto package would include its input as part of the error. This might allow an attacker to inject misleading content to errors that are printed or logged.

Affected range	`<1.25.11`
Fixed version	`1.25.11`

Description

Decoding a maliciously-crafted MIME header containing many invalid encoded-words can consume excessive CPU.

Affected range	`<1.25.11`
Fixed version	`1.25.11`

Description

(*x509.Certificate).VerifyHostname previously called matchHostnames in a loop over all DNS Subject Alternative Name (SAN) entries. This caused strings.Split(host, ".") to execute repeatedly on the same input hostname.

With a large DNS SAN list, verification costs scaled quadratically based on the number of SAN entries multiplied by the hostname's label count. Because x509.Verify validates hostnames before building the certificate chain, this overhead occurred even for untrusted certificates.

github-actions · 2026-06-04T01:07:48Z

Recommended fixes for image (linux/amd64) `ghcr.io/jlp04/elevation-generator:test`

Base image is debian:latest

Name	13.5
Digest	sha256:2477d9ee0ead4370c778ce3aa42258a0b07684d1a84ded8f4af518383fbc3f2d
Vulnerabilities
Pushed	2 weeks ago
Size	49 MB
Packages	111
OS	13.5

The base image is also available under the supported tag(s): 13, 13.5, trixie, trixie-20260518

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

✅ There are no tag recommendations at this time.

github-actions · 2026-06-04T01:08:23Z

Overview

Image reference	`jlp04/elevation-generator:latest`	`ghcr.io/jlp04/elevation-generator:test`
- digest	`102b5add9499`	`d9d66e0c5a2a`
- tag	`latest`	`test`
- provenance	https://github.com/JLP04/docker-elevation-generator.git#refs/pull/21/merge/commit/b7d5aadf699a851a21039e8fabe8e946fe1adedc	https://github.com/JLP04/docker-elevation-generator.git#refs/pull/22/merge/commit/cd8b4c4083ec1132f53a4cf2f5f3429b4c81655d
- vulnerabilities
- platform	linux/amd64	linux/amd64
- size	9.4 GB	9.4 GB (+70 kB)
- packages	962	963 (+1)
Base Image	`debian:latest` also known as: • `13` • `13.5` • `trixie` • `trixie-20260518`	`debian:latest` also known as: • `13` • `13.5` • `trixie` • `trixie-20260518`
- vulnerabilities

Packages and Vulnerabilities (13 package changes and 2 vulnerability changes)

➕ 1 packages added

♾️ 12 packages changed

595 packages unchanged

✔️ 2 vulnerabilities removed

Changes for packages of type deb (12 changes)

	Package	Version `jlp04/elevation-generator:latest`	Version `ghcr.io/jlp04/elevation-generator:test`
♾️	krb5-multidev	`1.21.3-5`	`1.21.3-5+deb13u1`
♾️	libgssapi-krb5-2	`1.21.3-5`	`1.21.3-5+deb13u1`
♾️	libgssrpc4t64	`1.21.3-5`	`1.21.3-5+deb13u1`
♾️	libk5crypto3	`1.21.3-5`	`1.21.3-5+deb13u1`
♾️	libkadm5clnt-mit12	`1.21.3-5`	`1.21.3-5+deb13u1`
♾️	libkadm5srv-mit12	`1.21.3-5`	`1.21.3-5+deb13u1`
♾️	libkdb5-10t64	`1.21.3-5`	`1.21.3-5+deb13u1`
♾️	libkrb5-3	`1.21.3-5`	`1.21.3-5+deb13u1`
♾️	libkrb5-dev	`1.21.3-5`	`1.21.3-5+deb13u1`
♾️	libkrb5support0	`1.21.3-5`	`1.21.3-5+deb13u1`

		Removed vulnerabilities (2):
♾️	libunbound8	`1.22.0-2+deb13u2`	`1.22.0-2+deb13u3`
♾️	linux-libc-dev	`6.12.88-1`	`6.12.90-2`

Changes for packages of type maven (1 changes)

	Package	Version `jlp04/elevation-generator:latest`	Version `ghcr.io/jlp04/elevation-generator:test`
➕	fgfsclient/fgfsclient		`UNKNOWN`

github-actions · 2026-06-04T01:08:46Z


Your image	`ghcr.io/jlp04/elevation-generator:test`
Current base image	`debian:latest`

github-actions · 2026-06-04T01:08:51Z

🔍 Vulnerabilities of `ghcr.io/jlp04/elevation-generator:test`

📦 Image Reference ghcr.io/jlp04/elevation-generator:test

digest	`sha256:3c7394cf0ad646906d6f67cb72971a241e53eb2864c00d6d58809ede6a8ecdb5`
vulnerabilities
platform	linux/arm/v5
size	9.4 GB
packages	947

📦 Base Image debian:13

also known as	`13.5` `latest` `trixie` `trixie-20260518`
digest	`sha256:87830995eed0e62e9d1aa5360345611d29b343ce532bfce499d9342f33d41076`
vulnerabilities

golang.org/x/crypto 0.51.0 (golang)

pkg:golang/golang.org/x/crypto@0.51.0

# Dockerfile (266:266)
RUN set -o pipefail && curl https://getcroc.schollz.com | bash || curl https://getcroc.schollz.com | sed 's^croc_base_url="https://github.com/schollz/croc/releases/download"^croc_base_url="file://"^g' | bash

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.052%`
EPSS Percentile	`16th percentile`

Description

Previously, CVE-2024-45337 fixed an authorization bypass for misused ssh server configurations; if any other type of callback is passed other than public key, then the source-address validation would be skipped.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.038%`
EPSS Percentile	`12th percentile`

Description

Previously, a revoked 'SignatureKey' belonging to a CA was not correctly checked for revocation. Now, both the 'key' and 'key.SignatureKey' are checked for @Revoked.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.054%`
EPSS Percentile	`17th percentile`

Description

When writing data larger than 4GB in a single Write call on an SSH channel, an integer overflow in the internal payload size calculation caused the write loop to spin indefinitely, sending empty packets without making progress. The size comparison now uses int64 to prevent truncation.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.042%`
EPSS Percentile	`13th percentile`

Description

The in-memory keyring returned by NewKeyring() silently accepted keys with the ConfirmBeforeUse constraint but never enforced it. The key would sign without any confirmation prompt, with no indication to the caller that the constraint was not in effect. NewKeyring() now returns an error when unsupported constraints are requested.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.068%`
EPSS Percentile	`21st percentile`

Description

When adding a key to a remote agent constraint extensions such as restrict-destination-v00@openssh.com were not serialized in the request. Destination restrictions were silently stripped when forwarding keys, allowing unrestricted use of the key on the remote host. The client now serializes all constraint extensions. Additionally, the in-memory keyring returned by NewKeyring() now rejects keys with unsupported constraint extensions instead of silently ignoring them.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.029%`
EPSS Percentile	`9th percentile`

Description

The Verify() method for FIDO/U2F security key types (sk-ecdsa-sha2-nistp256@openssh.com, sk-ssh-ed25519@openssh.com) did not check the User Presence flag. Signatures generated without physical touch were accepted, allowing unattended use of a hardware security key. To restore the previous behavior, return a "no-touch-required" extension in Permissions.Extensions from PublicKeyCallback.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.055%`
EPSS Percentile	`17th percentile`

Description

A malicious SSH peer could send unsolicited global request responses to fill an internal buffer, blocking the connection's read loop. The blocked goroutine could not be released by calling Close(), resulting in a resource leak per connection. Unsolicited global responses are now discarded.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.054%`
EPSS Percentile	`17th percentile`

Description

An incorrectly placed cast from bytes to int allowed for server-side panic in the AES-GCM packet decoder for well-crafted inputs.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.088%`
EPSS Percentile	`25th percentile`

Description

The RSA and DSA public key parsers did not enforce size limits on key parameters. A crafted public key with an excessively large modulus or DSA parameter could cause several minutes of CPU consumption during signature verification. This could be triggered by unauthenticated clients during public key authentication. RSA moduli are now limited to 8192 bits, and DSA parameters are validated per FIPS 186-2.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.023%`
EPSS Percentile	`7th percentile`

Description

An authenticated SSH client that repeatedly opened channels which were rejected by the server caused unbounded memory growth, eventually crashing the server process and affecting all connected users. Rejected channels are now properly removed from the connection's internal state and released for garbage collection.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.030%`
EPSS Percentile	`9th percentile`

Description

When an SSH server authentication callback returned PartialSuccessError with non-nil Permissions, those permissions were silently discarded, potentially dropping certificate restrictions such as force-command after a second factor succeeded. Returning non-nil Permissions with PartialSuccessError now results in a connection error.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.050%`
EPSS Percentile	`16th percentile`

Description

For certain crafted inputs, a 'ed25519.PrivateKey' was created by casting malformed wire bytes, leading to a panic when used.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.029%`
EPSS Percentile	`9th percentile`

Description

SSH servers which use CertChecker as a public key callback without setting IsUserAuthority or IsHostAuthority could be caused to panic by a client presenting a certificate. CertChecker now returns an error instead of panicking when these callbacks are nil.

golang.org/x/net 0.54.0 (golang)

pkg:golang/golang.org/x/net@0.54.0

# Dockerfile (266:266)
RUN set -o pipefail && curl https://getcroc.schollz.com | bash || curl https://getcroc.schollz.com | sed 's^croc_base_url="https://github.com/schollz/croc/releases/download"^croc_base_url="file://"^g' | bash

Affected range	`<0.55.0`
Fixed version	`0.55.0`
EPSS Score	`0.050%`
EPSS Percentile	`16th percentile`

Description

The ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to an ASCII-only label. For example, ToUnicode("xn--example-.com") incorrectly returns the name "example.com" rather than an error.

This behavior can lead to privilege escalation in programs using the idna package. For example, a program which performs privilege checks on the ASCII hostname may reject "example.com" but permit "xn--example-.com". If that program subsequently converts the ASCII hostname to Unicode, it will inadvertently permits access to the Unicode name "example.com".

Affected range	`<0.55.0`
Fixed version	`0.55.0`
EPSS Score	`0.061%`
EPSS Percentile	`19th percentile`

Description

Parsing arbitrary HTML can consume excessive CPU time, possibly leading to denial of service.

Affected range	`<0.55.0`
Fixed version	`0.55.0`
EPSS Score	`0.032%`
EPSS Percentile	`10th percentile`

Description

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

Affected range	`<0.55.0`
Fixed version	`0.55.0`
EPSS Score	`0.031%`
EPSS Percentile	`9th percentile`

Description

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

Affected range	`<0.55.0`
Fixed version	`0.55.0`
EPSS Score	`0.031%`
EPSS Percentile	`9th percentile`

Description

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

Affected range	`<0.55.0`
Fixed version	`0.55.0`
EPSS Score	`0.031%`
EPSS Percentile	`9th percentile`

Description

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

jquery-ui 1.11.2 (npm)

pkg:npm/jquery-ui@1.11.2

# Dockerfile (252:252)
COPY --from=build /tmp/install /flightgear/script/dnc-managed/install

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.13.0`
Fixed version	`1.13.0`
CVSS Score	`6.5`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N`
EPSS Score	`31.184%`
EPSS Percentile	`97th percentile`

Description

Impact

Accepting the value of the of option of the .position() util from untrusted sources may execute untrusted code. For example, invoking the following code:
$( "#element" ).position( {
	my: "left top",
	at: "right bottom",
	of: "<img onerror='doEvilThing()' src='/404' />",
	collision: "none"
} );
will call the doEvilThing() function.

Patches

The issue is fixed in jQuery UI 1.13.0. Any string value passed to the of option is now treated as a CSS selector.

Workarounds

A workaround is to not accept the value of the of option from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.13.0`
Fixed version	`1.13.0`
CVSS Score	`6.5`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N`
EPSS Score	`2.921%`
EPSS Percentile	`87th percentile`

Description

Impact

Accepting the value of various *Text options of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker in the following way:
$( "#datepicker" ).datepicker( {
	showButtonPanel: true,
	showOn: "both",
	closeText: "<script>doEvilThing( 'closeText XSS' )</script>",
	currentText: "<script>doEvilThing( 'currentText XSS' )</script>",
	prevText: "<script>doEvilThing( 'prevText XSS' )</script>",
	nextText: "<script>doEvilThing( 'nextText XSS' )</script>",
	buttonText: "<script>doEvilThing( 'buttonText XSS' )</script>",
	appendText: "<script>doEvilThing( 'appendText XSS' )</script>",
} );
will call doEvilThing with 6 different parameters coming from all *Text options.

Patches

The issue is fixed in jQuery UI 1.13.0. The values passed to various *Text options are now always treated as pure text, not HTML.

Workarounds

A workaround is to not accept the value of the *Text options from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.13.0`
Fixed version	`1.13.0`
CVSS Score	`6.5`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N`
EPSS Score	`27.509%`
EPSS Percentile	`97th percentile`

Description

Impact

Accepting the value of the altField option of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker in the following way:
$( "#datepicker" ).datepicker( {
	altField: "<img onerror='doEvilThing()' src='/404' />",
} );
will call the doEvilThing function.

Patches

The issue is fixed in jQuery UI 1.13.0. Any string value passed to the altField option is now treated as a CSS selector.

Workarounds

A workaround is to not accept the value of the altField option from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.13.2`
Fixed version	`1.13.2`
CVSS Score	`6.1`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N`
EPSS Score	`7.763%`
EPSS Percentile	`92nd percentile`

Description

Impact

Initializing a checkboxradio widget on an input enclosed within a label makes that parent label contents considered as the input label. If you call .checkboxradio( "refresh" ) on such a widget and the initial HTML contained encoded HTML entities, they will erroneously get decoded. This can lead to potentially executing JavaScript code.

For example, starting with the following initial secure HTML:
<label>
	<input id="test-input">
	&lt;img src=x onerror="alert(1)"&gt;
</label>
and calling:
$( "#test-input" ).checkboxradio();
$( "#test-input" ).checkboxradio( "refresh" );
will turn the initial HTML into:
<label>
	
	<input id="test-input">
	<img src=x onerror="alert(1)">
</label>
and the alert will get executed.

Patches

The bug has been patched in jQuery UI 1.13.2.

Workarounds

To remediate the issue, if you can change the initial HTML, you can wrap all the non-input contents of the label in a span:
<label>
	<input id="test-input">
	<span>&lt;img src=x onerror="alert(1)"&gt;</span>
</label>
References

https://blog.jqueryui.com/2022/07/jquery-ui-1-13-2-released/

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.12.0`
Fixed version	`1.12.0`
CVSS Score	`6.1`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N`
EPSS Score	`1.778%`
EPSS Percentile	`83rd percentile`

Description

Affected versions of jquery-ui are vulnerable to a cross-site scripting vulnerability when arbitrary user input is supplied as the value of the closeText parameter in the dialog function.

jQuery-UI is a library for manipulating UI elements via jQuery.

Version 1.11.4 has a cross site scripting (XSS) vulnerability in the closeText parameter of the dialog function. If your application passes user input to this parameter, it may be vulnerable to XSS via this attack vector.

Recommendation

Upgrade to jQuery-UI 1.12.0 or later.

OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

Affected range	`<=1.11.4`
Fixed version	`1.12.0`

Description

jQuery-UI has a cross site scripting (XSS) vulnerability in the closeText parameter of the dialog function. If your application passes user input to this parameter, it may be vulnerable to XSS via this attack vector.

stdlib 1.25.10 (golang)

pkg:golang/stdlib@1.25.10

# Dockerfile (266:266)
RUN set -o pipefail && curl https://getcroc.schollz.com | bash || curl https://getcroc.schollz.com | sed 's^croc_base_url="https://github.com/schollz/croc/releases/download"^croc_base_url="file://"^g' | bash

Affected range	`<1.25.11`
Fixed version	`1.25.11`

Description

When returning errors, functions in the net/textproto package would include its input as part of the error. This might allow an attacker to inject misleading content to errors that are printed or logged.

Affected range	`<1.25.11`
Fixed version	`1.25.11`

Description

Decoding a maliciously-crafted MIME header containing many invalid encoded-words can consume excessive CPU.

Affected range	`<1.25.11`
Fixed version	`1.25.11`

Description

(*x509.Certificate).VerifyHostname previously called matchHostnames in a loop over all DNS Subject Alternative Name (SAN) entries. This caused strings.Split(host, ".") to execute repeatedly on the same input hostname.

With a large DNS SAN list, verification costs scaled quadratically based on the number of SAN entries multiplied by the hostname's label count. Because x509.Verify validates hostnames before building the certificate chain, this overhead occurred even for untrusted certificates.

github-actions · 2026-06-04T01:08:55Z

Recommended fixes for image (linux/arm/v5) `ghcr.io/jlp04/elevation-generator:test`

Base image is debian:latest

Name	13.5
Digest	sha256:87830995eed0e62e9d1aa5360345611d29b343ce532bfce499d9342f33d41076
Vulnerabilities
Pushed	2 weeks ago
Size	48 MB
Packages	112
OS	13.5

The base image is also available under the supported tag(s): 13, 13.5, trixie, trixie-20260518

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

✅ There are no tag recommendations at this time.

github-actions · 2026-06-04T01:09:28Z

Overview

Image reference	`jlp04/elevation-generator:latest`	`ghcr.io/jlp04/elevation-generator:test`
- digest	`9d093797ad68`	`3c7394cf0ad6`
- tag	`latest`	`test`
- provenance	https://github.com/JLP04/docker-elevation-generator.git#refs/pull/21/merge/commit/b7d5aadf699a851a21039e8fabe8e946fe1adedc	https://github.com/JLP04/docker-elevation-generator.git#refs/pull/22/merge/commit/cd8b4c4083ec1132f53a4cf2f5f3429b4c81655d
- vulnerabilities
- platform	linux/arm	linux/arm
- size	9.4 GB	9.4 GB (+62 kB)
- packages	946	947 (+1)
Base Image	`debian:latest` also known as: • `13` • `13.5` • `trixie` • `trixie-20260518`	`debian:latest` also known as: • `13` • `13.5` • `trixie` • `trixie-20260518`
- vulnerabilities

Packages and Vulnerabilities (13 package changes and 2 vulnerability changes)

➕ 1 packages added

♾️ 12 packages changed

587 packages unchanged

✔️ 2 vulnerabilities removed

Changes for packages of type deb (12 changes)

	Package	Version `jlp04/elevation-generator:latest`	Version `ghcr.io/jlp04/elevation-generator:test`
♾️	krb5-multidev	`1.21.3-5`	`1.21.3-5+deb13u1`
♾️	libgssapi-krb5-2	`1.21.3-5`	`1.21.3-5+deb13u1`
♾️	libgssrpc4t64	`1.21.3-5`	`1.21.3-5+deb13u1`
♾️	libk5crypto3	`1.21.3-5`	`1.21.3-5+deb13u1`
♾️	libkadm5clnt-mit12	`1.21.3-5`	`1.21.3-5+deb13u1`
♾️	libkadm5srv-mit12	`1.21.3-5`	`1.21.3-5+deb13u1`
♾️	libkdb5-10t64	`1.21.3-5`	`1.21.3-5+deb13u1`
♾️	libkrb5-3	`1.21.3-5`	`1.21.3-5+deb13u1`
♾️	libkrb5-dev	`1.21.3-5`	`1.21.3-5+deb13u1`
♾️	libkrb5support0	`1.21.3-5`	`1.21.3-5+deb13u1`

		Removed vulnerabilities (2):
♾️	libunbound8	`1.22.0-2+deb13u2`	`1.22.0-2+deb13u3`
♾️	linux-libc-dev	`6.12.88-1`	`6.12.90-2`

Changes for packages of type maven (1 changes)

	Package	Version `jlp04/elevation-generator:latest`	Version `ghcr.io/jlp04/elevation-generator:test`
➕	fgfsclient/fgfsclient		`UNKNOWN`

github-actions · 2026-06-04T01:09:50Z


Your image	`ghcr.io/jlp04/elevation-generator:test`
Current base image	`debian:latest`

github-actions · 2026-06-04T01:09:56Z

🔍 Vulnerabilities of `ghcr.io/jlp04/elevation-generator:test`

📦 Image Reference ghcr.io/jlp04/elevation-generator:test

digest	`sha256:1de2cb5e4c2fc2da012d0826c7bbe4204d4147a3570207762e577b3e915ba909`
vulnerabilities
platform	linux/arm/v7
size	9.4 GB
packages	946

📦 Base Image debian:13

also known as	`13.5` `latest` `trixie` `trixie-20260518`
digest	`sha256:dc071dceb8d8c47d9496e56aa149fb8d13cd73af3bde779df7dbaece27eec510`
vulnerabilities

golang.org/x/crypto 0.51.0 (golang)

pkg:golang/golang.org/x/crypto@0.51.0

# Dockerfile (266:266)
RUN set -o pipefail && curl https://getcroc.schollz.com | bash || curl https://getcroc.schollz.com | sed 's^croc_base_url="https://github.com/schollz/croc/releases/download"^croc_base_url="file://"^g' | bash

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.052%`
EPSS Percentile	`16th percentile`

Description

Previously, CVE-2024-45337 fixed an authorization bypass for misused ssh server configurations; if any other type of callback is passed other than public key, then the source-address validation would be skipped.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.038%`
EPSS Percentile	`12th percentile`

Description

Previously, a revoked 'SignatureKey' belonging to a CA was not correctly checked for revocation. Now, both the 'key' and 'key.SignatureKey' are checked for @Revoked.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.054%`
EPSS Percentile	`17th percentile`

Description

When writing data larger than 4GB in a single Write call on an SSH channel, an integer overflow in the internal payload size calculation caused the write loop to spin indefinitely, sending empty packets without making progress. The size comparison now uses int64 to prevent truncation.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.042%`
EPSS Percentile	`13th percentile`

Description

The in-memory keyring returned by NewKeyring() silently accepted keys with the ConfirmBeforeUse constraint but never enforced it. The key would sign without any confirmation prompt, with no indication to the caller that the constraint was not in effect. NewKeyring() now returns an error when unsupported constraints are requested.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.068%`
EPSS Percentile	`21st percentile`

Description

When adding a key to a remote agent constraint extensions such as restrict-destination-v00@openssh.com were not serialized in the request. Destination restrictions were silently stripped when forwarding keys, allowing unrestricted use of the key on the remote host. The client now serializes all constraint extensions. Additionally, the in-memory keyring returned by NewKeyring() now rejects keys with unsupported constraint extensions instead of silently ignoring them.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.029%`
EPSS Percentile	`9th percentile`

Description

The Verify() method for FIDO/U2F security key types (sk-ecdsa-sha2-nistp256@openssh.com, sk-ssh-ed25519@openssh.com) did not check the User Presence flag. Signatures generated without physical touch were accepted, allowing unattended use of a hardware security key. To restore the previous behavior, return a "no-touch-required" extension in Permissions.Extensions from PublicKeyCallback.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.055%`
EPSS Percentile	`17th percentile`

Description

A malicious SSH peer could send unsolicited global request responses to fill an internal buffer, blocking the connection's read loop. The blocked goroutine could not be released by calling Close(), resulting in a resource leak per connection. Unsolicited global responses are now discarded.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.054%`
EPSS Percentile	`17th percentile`

Description

An incorrectly placed cast from bytes to int allowed for server-side panic in the AES-GCM packet decoder for well-crafted inputs.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.088%`
EPSS Percentile	`25th percentile`

Description

The RSA and DSA public key parsers did not enforce size limits on key parameters. A crafted public key with an excessively large modulus or DSA parameter could cause several minutes of CPU consumption during signature verification. This could be triggered by unauthenticated clients during public key authentication. RSA moduli are now limited to 8192 bits, and DSA parameters are validated per FIPS 186-2.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.023%`
EPSS Percentile	`7th percentile`

Description

An authenticated SSH client that repeatedly opened channels which were rejected by the server caused unbounded memory growth, eventually crashing the server process and affecting all connected users. Rejected channels are now properly removed from the connection's internal state and released for garbage collection.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.030%`
EPSS Percentile	`9th percentile`

Description

When an SSH server authentication callback returned PartialSuccessError with non-nil Permissions, those permissions were silently discarded, potentially dropping certificate restrictions such as force-command after a second factor succeeded. Returning non-nil Permissions with PartialSuccessError now results in a connection error.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.050%`
EPSS Percentile	`16th percentile`

Description

For certain crafted inputs, a 'ed25519.PrivateKey' was created by casting malformed wire bytes, leading to a panic when used.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.029%`
EPSS Percentile	`9th percentile`

Description

SSH servers which use CertChecker as a public key callback without setting IsUserAuthority or IsHostAuthority could be caused to panic by a client presenting a certificate. CertChecker now returns an error instead of panicking when these callbacks are nil.

golang.org/x/net 0.54.0 (golang)

pkg:golang/golang.org/x/net@0.54.0

# Dockerfile (266:266)
RUN set -o pipefail && curl https://getcroc.schollz.com | bash || curl https://getcroc.schollz.com | sed 's^croc_base_url="https://github.com/schollz/croc/releases/download"^croc_base_url="file://"^g' | bash

Affected range	`<0.55.0`
Fixed version	`0.55.0`
EPSS Score	`0.050%`
EPSS Percentile	`16th percentile`

Description

The ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to an ASCII-only label. For example, ToUnicode("xn--example-.com") incorrectly returns the name "example.com" rather than an error.

This behavior can lead to privilege escalation in programs using the idna package. For example, a program which performs privilege checks on the ASCII hostname may reject "example.com" but permit "xn--example-.com". If that program subsequently converts the ASCII hostname to Unicode, it will inadvertently permits access to the Unicode name "example.com".

Affected range	`<0.55.0`
Fixed version	`0.55.0`
EPSS Score	`0.061%`
EPSS Percentile	`19th percentile`

Description

Parsing arbitrary HTML can consume excessive CPU time, possibly leading to denial of service.

Affected range	`<0.55.0`
Fixed version	`0.55.0`
EPSS Score	`0.032%`
EPSS Percentile	`10th percentile`

Description

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

Affected range	`<0.55.0`
Fixed version	`0.55.0`
EPSS Score	`0.031%`
EPSS Percentile	`9th percentile`

Description

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

Affected range	`<0.55.0`
Fixed version	`0.55.0`
EPSS Score	`0.031%`
EPSS Percentile	`9th percentile`

Description

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

Affected range	`<0.55.0`
Fixed version	`0.55.0`
EPSS Score	`0.031%`
EPSS Percentile	`9th percentile`

Description

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

jquery-ui 1.11.2 (npm)

pkg:npm/jquery-ui@1.11.2

# Dockerfile (252:252)
COPY --from=build /tmp/install /flightgear/script/dnc-managed/install

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.13.0`
Fixed version	`1.13.0`
CVSS Score	`6.5`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N`
EPSS Score	`31.184%`
EPSS Percentile	`97th percentile`

Description

Impact

Accepting the value of the of option of the .position() util from untrusted sources may execute untrusted code. For example, invoking the following code:
$( "#element" ).position( {
	my: "left top",
	at: "right bottom",
	of: "<img onerror='doEvilThing()' src='/404' />",
	collision: "none"
} );
will call the doEvilThing() function.

Patches

The issue is fixed in jQuery UI 1.13.0. Any string value passed to the of option is now treated as a CSS selector.

Workarounds

A workaround is to not accept the value of the of option from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.13.0`
Fixed version	`1.13.0`
CVSS Score	`6.5`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N`
EPSS Score	`2.921%`
EPSS Percentile	`87th percentile`

Description

Impact

Accepting the value of various *Text options of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker in the following way:
$( "#datepicker" ).datepicker( {
	showButtonPanel: true,
	showOn: "both",
	closeText: "<script>doEvilThing( 'closeText XSS' )</script>",
	currentText: "<script>doEvilThing( 'currentText XSS' )</script>",
	prevText: "<script>doEvilThing( 'prevText XSS' )</script>",
	nextText: "<script>doEvilThing( 'nextText XSS' )</script>",
	buttonText: "<script>doEvilThing( 'buttonText XSS' )</script>",
	appendText: "<script>doEvilThing( 'appendText XSS' )</script>",
} );
will call doEvilThing with 6 different parameters coming from all *Text options.

Patches

The issue is fixed in jQuery UI 1.13.0. The values passed to various *Text options are now always treated as pure text, not HTML.

Workarounds

A workaround is to not accept the value of the *Text options from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.13.0`
Fixed version	`1.13.0`
CVSS Score	`6.5`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N`
EPSS Score	`27.509%`
EPSS Percentile	`97th percentile`

Description

Impact

Accepting the value of the altField option of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker in the following way:
$( "#datepicker" ).datepicker( {
	altField: "<img onerror='doEvilThing()' src='/404' />",
} );
will call the doEvilThing function.

Patches

The issue is fixed in jQuery UI 1.13.0. Any string value passed to the altField option is now treated as a CSS selector.

Workarounds

A workaround is to not accept the value of the altField option from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.13.2`
Fixed version	`1.13.2`
CVSS Score	`6.1`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N`
EPSS Score	`7.763%`
EPSS Percentile	`92nd percentile`

Description

Impact

Initializing a checkboxradio widget on an input enclosed within a label makes that parent label contents considered as the input label. If you call .checkboxradio( "refresh" ) on such a widget and the initial HTML contained encoded HTML entities, they will erroneously get decoded. This can lead to potentially executing JavaScript code.

For example, starting with the following initial secure HTML:
<label>
	<input id="test-input">
	&lt;img src=x onerror="alert(1)"&gt;
</label>
and calling:
$( "#test-input" ).checkboxradio();
$( "#test-input" ).checkboxradio( "refresh" );
will turn the initial HTML into:
<label>
	
	<input id="test-input">
	<img src=x onerror="alert(1)">
</label>
and the alert will get executed.

Patches

The bug has been patched in jQuery UI 1.13.2.

Workarounds

To remediate the issue, if you can change the initial HTML, you can wrap all the non-input contents of the label in a span:
<label>
	<input id="test-input">
	<span>&lt;img src=x onerror="alert(1)"&gt;</span>
</label>
References

https://blog.jqueryui.com/2022/07/jquery-ui-1-13-2-released/

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.12.0`
Fixed version	`1.12.0`
CVSS Score	`6.1`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N`
EPSS Score	`1.778%`
EPSS Percentile	`83rd percentile`

Description

Affected versions of jquery-ui are vulnerable to a cross-site scripting vulnerability when arbitrary user input is supplied as the value of the closeText parameter in the dialog function.

jQuery-UI is a library for manipulating UI elements via jQuery.

Version 1.11.4 has a cross site scripting (XSS) vulnerability in the closeText parameter of the dialog function. If your application passes user input to this parameter, it may be vulnerable to XSS via this attack vector.

Recommendation

Upgrade to jQuery-UI 1.12.0 or later.

OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

Affected range	`<=1.11.4`
Fixed version	`1.12.0`

Description

jQuery-UI has a cross site scripting (XSS) vulnerability in the closeText parameter of the dialog function. If your application passes user input to this parameter, it may be vulnerable to XSS via this attack vector.

stdlib 1.25.10 (golang)

pkg:golang/stdlib@1.25.10

# Dockerfile (266:266)
RUN set -o pipefail && curl https://getcroc.schollz.com | bash || curl https://getcroc.schollz.com | sed 's^croc_base_url="https://github.com/schollz/croc/releases/download"^croc_base_url="file://"^g' | bash

Affected range	`<1.25.11`
Fixed version	`1.25.11`

Description

When returning errors, functions in the net/textproto package would include its input as part of the error. This might allow an attacker to inject misleading content to errors that are printed or logged.

Affected range	`<1.25.11`
Fixed version	`1.25.11`

Description

Decoding a maliciously-crafted MIME header containing many invalid encoded-words can consume excessive CPU.

Affected range	`<1.25.11`
Fixed version	`1.25.11`

Description

(*x509.Certificate).VerifyHostname previously called matchHostnames in a loop over all DNS Subject Alternative Name (SAN) entries. This caused strings.Split(host, ".") to execute repeatedly on the same input hostname.

With a large DNS SAN list, verification costs scaled quadratically based on the number of SAN entries multiplied by the hostname's label count. Because x509.Verify validates hostnames before building the certificate chain, this overhead occurred even for untrusted certificates.

github-actions · 2026-06-04T01:10:00Z

Recommended fixes for image (linux/arm/v7) `ghcr.io/jlp04/elevation-generator:test`

Base image is debian:latest

Name	13.5
Digest	sha256:dc071dceb8d8c47d9496e56aa149fb8d13cd73af3bde779df7dbaece27eec510
Vulnerabilities
Pushed	2 weeks ago
Size	46 MB
Packages	111
OS	13.5

The base image is also available under the supported tag(s): 13, 13.5, trixie, trixie-20260518

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

✅ There are no tag recommendations at this time.

github-actions · 2026-06-04T01:10:35Z

Overview

Image reference	`jlp04/elevation-generator:latest`	`ghcr.io/jlp04/elevation-generator:test`
- digest	`5f2ab86e160c`	`1de2cb5e4c2f`
- tag	`latest`	`test`
- provenance	https://github.com/JLP04/docker-elevation-generator.git#refs/pull/21/merge/commit/b7d5aadf699a851a21039e8fabe8e946fe1adedc	https://github.com/JLP04/docker-elevation-generator.git#refs/pull/22/merge/commit/cd8b4c4083ec1132f53a4cf2f5f3429b4c81655d
- vulnerabilities
- platform	linux/arm	linux/arm
- size	9.4 GB	9.4 GB (+44 kB)
- packages	945	946 (+1)
Base Image	`debian:latest` also known as: • `13` • `13.5` • `trixie` • `trixie-20260518`	`debian:latest` also known as: • `13` • `13.5` • `trixie` • `trixie-20260518`
- vulnerabilities

Packages and Vulnerabilities (13 package changes and 2 vulnerability changes)

➕ 1 packages added

♾️ 12 packages changed

587 packages unchanged

✔️ 2 vulnerabilities removed

Changes for packages of type deb (12 changes)

	Package	Version `jlp04/elevation-generator:latest`	Version `ghcr.io/jlp04/elevation-generator:test`
♾️	krb5-multidev	`1.21.3-5`	`1.21.3-5+deb13u1`
♾️	libgssapi-krb5-2	`1.21.3-5`	`1.21.3-5+deb13u1`
♾️	libgssrpc4t64	`1.21.3-5`	`1.21.3-5+deb13u1`
♾️	libk5crypto3	`1.21.3-5`	`1.21.3-5+deb13u1`
♾️	libkadm5clnt-mit12	`1.21.3-5`	`1.21.3-5+deb13u1`
♾️	libkadm5srv-mit12	`1.21.3-5`	`1.21.3-5+deb13u1`
♾️	libkdb5-10t64	`1.21.3-5`	`1.21.3-5+deb13u1`
♾️	libkrb5-3	`1.21.3-5`	`1.21.3-5+deb13u1`
♾️	libkrb5-dev	`1.21.3-5`	`1.21.3-5+deb13u1`
♾️	libkrb5support0	`1.21.3-5`	`1.21.3-5+deb13u1`

		Removed vulnerabilities (2):
♾️	libunbound8	`1.22.0-2+deb13u2`	`1.22.0-2+deb13u3`
♾️	linux-libc-dev	`6.12.88-1`	`6.12.90-2`

Changes for packages of type maven (1 changes)

	Package	Version `jlp04/elevation-generator:latest`	Version `ghcr.io/jlp04/elevation-generator:test`
➕	fgfsclient/fgfsclient		`UNKNOWN`

github-actions · 2026-06-04T01:10:58Z


Your image	`ghcr.io/jlp04/elevation-generator:test`
Current base image	`debian:latest`

github-actions · 2026-06-04T01:11:03Z

🔍 Vulnerabilities of `ghcr.io/jlp04/elevation-generator:test`

📦 Image Reference ghcr.io/jlp04/elevation-generator:test

digest	`sha256:243f8039039ac318833b82d75ede28549e265eb75a7e64d964641c447609a170`
vulnerabilities
platform	linux/arm64
size	9.4 GB
packages	960

📦 Base Image debian:13

also known as	`13.5` `latest` `trixie` `trixie-20260518`
digest	`sha256:b1e30180b5678df3c17d6b0e659f7107ae4c299506e97427a9373640804db927`
vulnerabilities

golang.org/x/crypto 0.51.0 (golang)

pkg:golang/golang.org/x/crypto@0.51.0

# Dockerfile (266:266)
RUN set -o pipefail && curl https://getcroc.schollz.com | bash || curl https://getcroc.schollz.com | sed 's^croc_base_url="https://github.com/schollz/croc/releases/download"^croc_base_url="file://"^g' | bash

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.052%`
EPSS Percentile	`16th percentile`

Description

Previously, CVE-2024-45337 fixed an authorization bypass for misused ssh server configurations; if any other type of callback is passed other than public key, then the source-address validation would be skipped.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.038%`
EPSS Percentile	`12th percentile`

Description

Previously, a revoked 'SignatureKey' belonging to a CA was not correctly checked for revocation. Now, both the 'key' and 'key.SignatureKey' are checked for @Revoked.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.054%`
EPSS Percentile	`17th percentile`

Description

When writing data larger than 4GB in a single Write call on an SSH channel, an integer overflow in the internal payload size calculation caused the write loop to spin indefinitely, sending empty packets without making progress. The size comparison now uses int64 to prevent truncation.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.042%`
EPSS Percentile	`13th percentile`

Description

The in-memory keyring returned by NewKeyring() silently accepted keys with the ConfirmBeforeUse constraint but never enforced it. The key would sign without any confirmation prompt, with no indication to the caller that the constraint was not in effect. NewKeyring() now returns an error when unsupported constraints are requested.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.068%`
EPSS Percentile	`21st percentile`

Description

When adding a key to a remote agent constraint extensions such as restrict-destination-v00@openssh.com were not serialized in the request. Destination restrictions were silently stripped when forwarding keys, allowing unrestricted use of the key on the remote host. The client now serializes all constraint extensions. Additionally, the in-memory keyring returned by NewKeyring() now rejects keys with unsupported constraint extensions instead of silently ignoring them.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.029%`
EPSS Percentile	`9th percentile`

Description

The Verify() method for FIDO/U2F security key types (sk-ecdsa-sha2-nistp256@openssh.com, sk-ssh-ed25519@openssh.com) did not check the User Presence flag. Signatures generated without physical touch were accepted, allowing unattended use of a hardware security key. To restore the previous behavior, return a "no-touch-required" extension in Permissions.Extensions from PublicKeyCallback.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.055%`
EPSS Percentile	`17th percentile`

Description

A malicious SSH peer could send unsolicited global request responses to fill an internal buffer, blocking the connection's read loop. The blocked goroutine could not be released by calling Close(), resulting in a resource leak per connection. Unsolicited global responses are now discarded.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.054%`
EPSS Percentile	`17th percentile`

Description

An incorrectly placed cast from bytes to int allowed for server-side panic in the AES-GCM packet decoder for well-crafted inputs.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.088%`
EPSS Percentile	`25th percentile`

Description

The RSA and DSA public key parsers did not enforce size limits on key parameters. A crafted public key with an excessively large modulus or DSA parameter could cause several minutes of CPU consumption during signature verification. This could be triggered by unauthenticated clients during public key authentication. RSA moduli are now limited to 8192 bits, and DSA parameters are validated per FIPS 186-2.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.023%`
EPSS Percentile	`7th percentile`

Description

An authenticated SSH client that repeatedly opened channels which were rejected by the server caused unbounded memory growth, eventually crashing the server process and affecting all connected users. Rejected channels are now properly removed from the connection's internal state and released for garbage collection.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.030%`
EPSS Percentile	`9th percentile`

Description

When an SSH server authentication callback returned PartialSuccessError with non-nil Permissions, those permissions were silently discarded, potentially dropping certificate restrictions such as force-command after a second factor succeeded. Returning non-nil Permissions with PartialSuccessError now results in a connection error.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.050%`
EPSS Percentile	`16th percentile`

Description

For certain crafted inputs, a 'ed25519.PrivateKey' was created by casting malformed wire bytes, leading to a panic when used.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.029%`
EPSS Percentile	`9th percentile`

Description

SSH servers which use CertChecker as a public key callback without setting IsUserAuthority or IsHostAuthority could be caused to panic by a client presenting a certificate. CertChecker now returns an error instead of panicking when these callbacks are nil.

golang.org/x/net 0.54.0 (golang)

pkg:golang/golang.org/x/net@0.54.0

# Dockerfile (266:266)
RUN set -o pipefail && curl https://getcroc.schollz.com | bash || curl https://getcroc.schollz.com | sed 's^croc_base_url="https://github.com/schollz/croc/releases/download"^croc_base_url="file://"^g' | bash

Affected range	`<0.55.0`
Fixed version	`0.55.0`
EPSS Score	`0.050%`
EPSS Percentile	`16th percentile`

Description

The ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to an ASCII-only label. For example, ToUnicode("xn--example-.com") incorrectly returns the name "example.com" rather than an error.

This behavior can lead to privilege escalation in programs using the idna package. For example, a program which performs privilege checks on the ASCII hostname may reject "example.com" but permit "xn--example-.com". If that program subsequently converts the ASCII hostname to Unicode, it will inadvertently permits access to the Unicode name "example.com".

Affected range	`<0.55.0`
Fixed version	`0.55.0`
EPSS Score	`0.061%`
EPSS Percentile	`19th percentile`

Description

Parsing arbitrary HTML can consume excessive CPU time, possibly leading to denial of service.

Affected range	`<0.55.0`
Fixed version	`0.55.0`
EPSS Score	`0.032%`
EPSS Percentile	`10th percentile`

Description

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

Affected range	`<0.55.0`
Fixed version	`0.55.0`
EPSS Score	`0.031%`
EPSS Percentile	`9th percentile`

Description

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

Affected range	`<0.55.0`
Fixed version	`0.55.0`
EPSS Score	`0.031%`
EPSS Percentile	`9th percentile`

Description

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

Affected range	`<0.55.0`
Fixed version	`0.55.0`
EPSS Score	`0.031%`
EPSS Percentile	`9th percentile`

Description

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

jquery-ui 1.11.2 (npm)

pkg:npm/jquery-ui@1.11.2

# Dockerfile (252:252)
COPY --from=build /tmp/install /flightgear/script/dnc-managed/install

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.13.0`
Fixed version	`1.13.0`
CVSS Score	`6.5`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N`
EPSS Score	`31.184%`
EPSS Percentile	`97th percentile`

Description

Impact

Accepting the value of the of option of the .position() util from untrusted sources may execute untrusted code. For example, invoking the following code:
$( "#element" ).position( {
	my: "left top",
	at: "right bottom",
	of: "<img onerror='doEvilThing()' src='/404' />",
	collision: "none"
} );
will call the doEvilThing() function.

Patches

The issue is fixed in jQuery UI 1.13.0. Any string value passed to the of option is now treated as a CSS selector.

Workarounds

A workaround is to not accept the value of the of option from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.13.0`
Fixed version	`1.13.0`
CVSS Score	`6.5`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N`
EPSS Score	`2.921%`
EPSS Percentile	`87th percentile`

Description

Impact

Accepting the value of various *Text options of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker in the following way:
$( "#datepicker" ).datepicker( {
	showButtonPanel: true,
	showOn: "both",
	closeText: "<script>doEvilThing( 'closeText XSS' )</script>",
	currentText: "<script>doEvilThing( 'currentText XSS' )</script>",
	prevText: "<script>doEvilThing( 'prevText XSS' )</script>",
	nextText: "<script>doEvilThing( 'nextText XSS' )</script>",
	buttonText: "<script>doEvilThing( 'buttonText XSS' )</script>",
	appendText: "<script>doEvilThing( 'appendText XSS' )</script>",
} );
will call doEvilThing with 6 different parameters coming from all *Text options.

Patches

The issue is fixed in jQuery UI 1.13.0. The values passed to various *Text options are now always treated as pure text, not HTML.

Workarounds

A workaround is to not accept the value of the *Text options from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.13.0`
Fixed version	`1.13.0`
CVSS Score	`6.5`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N`
EPSS Score	`27.509%`
EPSS Percentile	`97th percentile`

Description

Impact

Accepting the value of the altField option of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker in the following way:
$( "#datepicker" ).datepicker( {
	altField: "<img onerror='doEvilThing()' src='/404' />",
} );
will call the doEvilThing function.

Patches

The issue is fixed in jQuery UI 1.13.0. Any string value passed to the altField option is now treated as a CSS selector.

Workarounds

A workaround is to not accept the value of the altField option from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.13.2`
Fixed version	`1.13.2`
CVSS Score	`6.1`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N`
EPSS Score	`7.763%`
EPSS Percentile	`92nd percentile`

Description

Impact

Initializing a checkboxradio widget on an input enclosed within a label makes that parent label contents considered as the input label. If you call .checkboxradio( "refresh" ) on such a widget and the initial HTML contained encoded HTML entities, they will erroneously get decoded. This can lead to potentially executing JavaScript code.

For example, starting with the following initial secure HTML:
<label>
	<input id="test-input">
	&lt;img src=x onerror="alert(1)"&gt;
</label>
and calling:
$( "#test-input" ).checkboxradio();
$( "#test-input" ).checkboxradio( "refresh" );
will turn the initial HTML into:
<label>
	
	<input id="test-input">
	<img src=x onerror="alert(1)">
</label>
and the alert will get executed.

Patches

The bug has been patched in jQuery UI 1.13.2.

Workarounds

To remediate the issue, if you can change the initial HTML, you can wrap all the non-input contents of the label in a span:
<label>
	<input id="test-input">
	<span>&lt;img src=x onerror="alert(1)"&gt;</span>
</label>
References

https://blog.jqueryui.com/2022/07/jquery-ui-1-13-2-released/

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.12.0`
Fixed version	`1.12.0`
CVSS Score	`6.1`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N`
EPSS Score	`1.778%`
EPSS Percentile	`83rd percentile`

Description

Affected versions of jquery-ui are vulnerable to a cross-site scripting vulnerability when arbitrary user input is supplied as the value of the closeText parameter in the dialog function.

jQuery-UI is a library for manipulating UI elements via jQuery.

Version 1.11.4 has a cross site scripting (XSS) vulnerability in the closeText parameter of the dialog function. If your application passes user input to this parameter, it may be vulnerable to XSS via this attack vector.

Recommendation

Upgrade to jQuery-UI 1.12.0 or later.

OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

Affected range	`<=1.11.4`
Fixed version	`1.12.0`

Description

jQuery-UI has a cross site scripting (XSS) vulnerability in the closeText parameter of the dialog function. If your application passes user input to this parameter, it may be vulnerable to XSS via this attack vector.

stdlib 1.25.10 (golang)

pkg:golang/stdlib@1.25.10

# Dockerfile (266:266)
RUN set -o pipefail && curl https://getcroc.schollz.com | bash || curl https://getcroc.schollz.com | sed 's^croc_base_url="https://github.com/schollz/croc/releases/download"^croc_base_url="file://"^g' | bash

Affected range	`<1.25.11`
Fixed version	`1.25.11`

Description

When returning errors, functions in the net/textproto package would include its input as part of the error. This might allow an attacker to inject misleading content to errors that are printed or logged.

Affected range	`<1.25.11`
Fixed version	`1.25.11`

Description

Decoding a maliciously-crafted MIME header containing many invalid encoded-words can consume excessive CPU.

Affected range	`<1.25.11`
Fixed version	`1.25.11`

Description

(*x509.Certificate).VerifyHostname previously called matchHostnames in a loop over all DNS Subject Alternative Name (SAN) entries. This caused strings.Split(host, ".") to execute repeatedly on the same input hostname.

With a large DNS SAN list, verification costs scaled quadratically based on the number of SAN entries multiplied by the hostname's label count. Because x509.Verify validates hostnames before building the certificate chain, this overhead occurred even for untrusted certificates.

github-actions · 2026-06-04T01:11:06Z

Recommended fixes for image (linux/arm64) `ghcr.io/jlp04/elevation-generator:test`

Base image is debian:latest

Name	13.5
Digest	sha256:b1e30180b5678df3c17d6b0e659f7107ae4c299506e97427a9373640804db927
Vulnerabilities
Pushed	2 weeks ago
Size	50 MB
Packages	111
OS	13.5

The base image is also available under the supported tag(s): 13, 13.5, trixie, trixie-20260518

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

✅ There are no tag recommendations at this time.

github-actions · 2026-06-04T01:11:39Z

Overview

Image reference	`jlp04/elevation-generator:latest`	`ghcr.io/jlp04/elevation-generator:test`
- digest	`6489ec15f4d0`	`243f8039039a`
- tag	`latest`	`test`
- provenance	https://github.com/JLP04/docker-elevation-generator.git#refs/pull/21/merge/commit/b7d5aadf699a851a21039e8fabe8e946fe1adedc	https://github.com/JLP04/docker-elevation-generator.git#refs/pull/22/merge/commit/cd8b4c4083ec1132f53a4cf2f5f3429b4c81655d
- vulnerabilities
- platform	linux/arm64	linux/arm64
- size	9.4 GB	9.4 GB (+55 kB)
- packages	959	960 (+1)
Base Image	`debian:latest` also known as: • `13` • `13.5` • `trixie` • `trixie-20260518`	`debian:latest` also known as: • `13` • `13.5` • `trixie` • `trixie-20260518`
- vulnerabilities

Packages and Vulnerabilities (13 package changes and 2 vulnerability changes)

➕ 1 packages added

♾️ 12 packages changed

593 packages unchanged

✔️ 2 vulnerabilities removed

Changes for packages of type deb (12 changes)

	Package	Version `jlp04/elevation-generator:latest`	Version `ghcr.io/jlp04/elevation-generator:test`
♾️	krb5-multidev	`1.21.3-5`	`1.21.3-5+deb13u1`
♾️	libgssapi-krb5-2	`1.21.3-5`	`1.21.3-5+deb13u1`
♾️	libgssrpc4t64	`1.21.3-5`	`1.21.3-5+deb13u1`
♾️	libk5crypto3	`1.21.3-5`	`1.21.3-5+deb13u1`
♾️	libkadm5clnt-mit12	`1.21.3-5`	`1.21.3-5+deb13u1`
♾️	libkadm5srv-mit12	`1.21.3-5`	`1.21.3-5+deb13u1`
♾️	libkdb5-10t64	`1.21.3-5`	`1.21.3-5+deb13u1`
♾️	libkrb5-3	`1.21.3-5`	`1.21.3-5+deb13u1`
♾️	libkrb5-dev	`1.21.3-5`	`1.21.3-5+deb13u1`
♾️	libkrb5support0	`1.21.3-5`	`1.21.3-5+deb13u1`

		Removed vulnerabilities (2):
♾️	libunbound8	`1.22.0-2+deb13u2`	`1.22.0-2+deb13u3`
♾️	linux-libc-dev	`6.12.88-1`	`6.12.90-2`

Changes for packages of type maven (1 changes)

	Package	Version `jlp04/elevation-generator:latest`	Version `ghcr.io/jlp04/elevation-generator:test`
➕	fgfsclient/fgfsclient		`UNKNOWN`

github-actions · 2026-06-04T01:12:02Z


Your image	`ghcr.io/jlp04/elevation-generator:test`
Current base image	`debian:latest`

github-actions · 2026-06-04T01:12:07Z

🔍 Vulnerabilities of `ghcr.io/jlp04/elevation-generator:test`

📦 Image Reference ghcr.io/jlp04/elevation-generator:test

digest	`sha256:c9b1476e7b10306274595b7448325b893f6177ac0c147e1a130f526ac73dee30`
vulnerabilities
platform	linux/ppc64le
size	9.4 GB
packages	956

📦 Base Image debian:13

also known as	`13.5` `latest` `trixie` `trixie-20260518`
digest	`sha256:df3512fd9c128f0344a2e4db3b42c66d71ecb62295c24463f4ae851350efd14e`
vulnerabilities

golang.org/x/crypto 0.51.0 (golang)

pkg:golang/golang.org/x/crypto@0.51.0

# Dockerfile (266:266)
RUN set -o pipefail && curl https://getcroc.schollz.com | bash || curl https://getcroc.schollz.com | sed 's^croc_base_url="https://github.com/schollz/croc/releases/download"^croc_base_url="file://"^g' | bash

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.052%`
EPSS Percentile	`16th percentile`

Description

Previously, CVE-2024-45337 fixed an authorization bypass for misused ssh server configurations; if any other type of callback is passed other than public key, then the source-address validation would be skipped.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.038%`
EPSS Percentile	`12th percentile`

Description

Previously, a revoked 'SignatureKey' belonging to a CA was not correctly checked for revocation. Now, both the 'key' and 'key.SignatureKey' are checked for @Revoked.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.054%`
EPSS Percentile	`17th percentile`

Description

When writing data larger than 4GB in a single Write call on an SSH channel, an integer overflow in the internal payload size calculation caused the write loop to spin indefinitely, sending empty packets without making progress. The size comparison now uses int64 to prevent truncation.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.042%`
EPSS Percentile	`13th percentile`

Description

The in-memory keyring returned by NewKeyring() silently accepted keys with the ConfirmBeforeUse constraint but never enforced it. The key would sign without any confirmation prompt, with no indication to the caller that the constraint was not in effect. NewKeyring() now returns an error when unsupported constraints are requested.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.068%`
EPSS Percentile	`21st percentile`

Description

When adding a key to a remote agent constraint extensions such as restrict-destination-v00@openssh.com were not serialized in the request. Destination restrictions were silently stripped when forwarding keys, allowing unrestricted use of the key on the remote host. The client now serializes all constraint extensions. Additionally, the in-memory keyring returned by NewKeyring() now rejects keys with unsupported constraint extensions instead of silently ignoring them.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.029%`
EPSS Percentile	`9th percentile`

Description

The Verify() method for FIDO/U2F security key types (sk-ecdsa-sha2-nistp256@openssh.com, sk-ssh-ed25519@openssh.com) did not check the User Presence flag. Signatures generated without physical touch were accepted, allowing unattended use of a hardware security key. To restore the previous behavior, return a "no-touch-required" extension in Permissions.Extensions from PublicKeyCallback.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.055%`
EPSS Percentile	`17th percentile`

Description

A malicious SSH peer could send unsolicited global request responses to fill an internal buffer, blocking the connection's read loop. The blocked goroutine could not be released by calling Close(), resulting in a resource leak per connection. Unsolicited global responses are now discarded.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.054%`
EPSS Percentile	`17th percentile`

Description

An incorrectly placed cast from bytes to int allowed for server-side panic in the AES-GCM packet decoder for well-crafted inputs.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.088%`
EPSS Percentile	`25th percentile`

Description

The RSA and DSA public key parsers did not enforce size limits on key parameters. A crafted public key with an excessively large modulus or DSA parameter could cause several minutes of CPU consumption during signature verification. This could be triggered by unauthenticated clients during public key authentication. RSA moduli are now limited to 8192 bits, and DSA parameters are validated per FIPS 186-2.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.023%`
EPSS Percentile	`7th percentile`

Description

An authenticated SSH client that repeatedly opened channels which were rejected by the server caused unbounded memory growth, eventually crashing the server process and affecting all connected users. Rejected channels are now properly removed from the connection's internal state and released for garbage collection.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.030%`
EPSS Percentile	`9th percentile`

Description

When an SSH server authentication callback returned PartialSuccessError with non-nil Permissions, those permissions were silently discarded, potentially dropping certificate restrictions such as force-command after a second factor succeeded. Returning non-nil Permissions with PartialSuccessError now results in a connection error.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.050%`
EPSS Percentile	`16th percentile`

Description

For certain crafted inputs, a 'ed25519.PrivateKey' was created by casting malformed wire bytes, leading to a panic when used.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.029%`
EPSS Percentile	`9th percentile`

Description

SSH servers which use CertChecker as a public key callback without setting IsUserAuthority or IsHostAuthority could be caused to panic by a client presenting a certificate. CertChecker now returns an error instead of panicking when these callbacks are nil.

stdlib 1.25.0 (golang)

pkg:golang/stdlib@1.25.0

# Dockerfile (266:266)
RUN set -o pipefail && curl https://getcroc.schollz.com | bash || curl https://getcroc.schollz.com | sed 's^croc_base_url="https://github.com/schollz/croc/releases/download"^croc_base_url="file://"^g' | bash

Affected range	`>=1.25.0-0 <1.25.7`
Fixed version	`1.25.7`
EPSS Score	`0.018%`
EPSS Percentile	`5th percentile`

Description

During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed. This may happen when a user calls Config.Clone and mutates the returned Config, or uses Config.GetConfigForClient. This can cause a client to resume a session with a server that it would not have resumed with during the initial handshake, or cause a server to resume a session with a client that it would not have resumed with during the initial handshake.

Affected range	`<1.25.10`
Fixed version	`1.25.10`
EPSS Score	`0.022%`
EPSS Percentile	`6th percentile`

Description

Pathological inputs could cause DoS through consumePhrase when parsing an email address according to RFC 5322.

Affected range	`<1.25.10`
Fixed version	`1.25.10`
EPSS Score	`0.020%`
EPSS Percentile	`6th percentile`

Description

The Dial and LookupPort functions panic on Windows when provided with an input containing a NUL (0).

Affected range	`<1.25.10`
Fixed version	`1.25.10`
EPSS Score	`0.054%`
EPSS Percentile	`17th percentile`

Description

Well-crafted inputs reaching ParseAddress, ParseAddressList, and ParseDate were able to trigger excessive CPU exhaustion and memory allocations.

Affected range	`<1.25.10`
Fixed version	`1.25.10`
EPSS Score	`0.018%`
EPSS Percentile	`5th percentile`

Description

When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0.

Affected range	`<1.25.10`
Fixed version	`1.25.10`
EPSS Score	`0.017%`
EPSS Percentile	`4th percentile`

Description

When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C memory and a crash.

Affected range	`<1.25.9`
Fixed version	`1.25.9`
EPSS Score	`0.019%`
EPSS Percentile	`5th percentile`

Description

If one side of the TLS connection sends multiple key update messages post-handshake in a single record, the connection can deadlock, causing uncontrolled consumption of resources. This can lead to a denial of service.

This only affects TLS 1.3.

Affected range	`<1.25.9`
Fixed version	`1.25.9`
EPSS Score	`0.022%`
EPSS Percentile	`6th percentile`

Description

Validating certificate chains which use policies is unexpectedly inefficient when certificates in the chain contain a very large number of policy mappings, possibly causing denial of service.

This only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Roots CertPool, or in the system certificate pool.

Affected range	`<1.25.9`
Fixed version	`1.25.9`
EPSS Score	`0.021%`
EPSS Percentile	`6th percentile`

Description

During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions.Intermediates, which can lead to a denial of service. This affects both direct users of crypto/x509 and users of crypto/tls.

Affected range	`<1.25.8`
Fixed version	`1.25.8`
EPSS Score	`0.044%`
EPSS Percentile	`14th percentile`

Description

url.Parse insufficiently validated the host/authority component and accepted some invalid URLs.

Affected range	`>=1.25.0 <1.25.5`
Fixed version	`1.25.5`
EPSS Score	`0.019%`
EPSS Percentile	`5th percentile`

Description

Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a malicious actor can result in excessive resource consumption.

Affected range	`>=1.25.0 <1.25.6`
Fixed version	`1.25.6`
EPSS Score	`0.045%`
EPSS Percentile	`14th percentile`

Description

The net/url package does not set a limit on the number of query parameters in a query.

While the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse large URL-encoded forms. Parsing a large form containing many unique query parameters can cause excessive memory consumption.

Affected range	`>=1.25.0 <1.25.2`
Fixed version	`1.25.2`
EPSS Score	`0.046%`
EPSS Percentile	`15th percentile`

Description

The ParseAddress function constructs domain-literal address components through repeated string concatenation. When parsing large domain-literal components, this can cause excessive CPU consumption.

Affected range	`>=1.25.0 <1.25.2`
Fixed version	`1.25.2`
EPSS Score	`0.044%`
EPSS Percentile	`14th percentile`

Description

The processing time for parsing some invalid inputs scales non-linearly with respect to the size of the input.

This affects programs which parse untrusted PEM inputs.

Affected range	`>=1.25.0 <1.25.2`
Fixed version	`1.25.2`
EPSS Score	`0.013%`
EPSS Percentile	`2nd percentile`

Description

Validating certificate chains which contain DSA public keys can cause programs to panic, due to a interface cast that assumes they implement the Equal method.

This affects programs which validate arbitrary certificate chains.

Affected range	`>=1.25.0 <1.25.3`
Fixed version	`1.25.3`
EPSS Score	`0.021%`
EPSS Percentile	`6th percentile`

Description

Due to the design of the name constraint checking algorithm, the processing time of some inputs scale non-linearly with respect to the size of the certificate.

This affects programs which validate arbitrary certificate chains.

Affected range	`>=1.25.0 <1.25.6`
Fixed version	`1.25.6`
EPSS Score	`0.043%`
EPSS Percentile	`13th percentile`

Description

archive/zip uses a super-linear file name indexing algorithm that is invoked the first time a file in an archive is opened. This can lead to a denial of service when consuming a maliciously constructed ZIP archive.

Affected range	`>=1.25.0 <1.25.5`
Fixed version	`1.25.5`
EPSS Score	`0.008%`
EPSS Percentile	`1st percentile`

Description

An excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard SANs in the leaf certificate. For example a constraint that excludes the subdomain test.example.com does not prevent a leaf certificate from claiming the SAN *.example.com.

Affected range	`<1.25.9`
Fixed version	`1.25.9`
EPSS Score	`0.010%`
EPSS Percentile	`1st percentile`

Description

On Linux, if the target of Root.Chmod is replaced with a symlink while the chmod operation is in progress, Chmod can operate on the target of the symlink, even when the target lies outside the root.

The Linux fchmodat syscall silently ignores the AT_SYMLINK_NOFOLLOW flag, which Root.Chmod uses to avoid symlink traversal. Root.Chmod checks its target before acting and returns an error if the target is a symlink lying outside the root, so the impact is limited to cases where the target is replaced with a symlink between the check and operation.

Affected range	`<1.25.10`
Fixed version	`1.25.10`
EPSS Score	`0.013%`
EPSS Percentile	`2nd percentile`

Description

If a trusted template author were to write a <script> tag containing an empty 'type' attribute or a 'type' attribute with an ASCII whitespace, the execution of the template would incorrectly escape any data passed into the <script> block.

Affected range	`<1.25.10`
Fixed version	`1.25.10`
EPSS Score	`0.010%`
EPSS Percentile	`1st percentile`

Description

CVE-2026-27142 fixed a vulnerability in which URLs were not correctly escaped inside of a tag's attribute. If the URL content were to insert ASCII whitespaces around the '=' rune inside of the attribute, the escaper would fail to similarly escape it, leading to XSS.

Affected range	`<1.25.9`
Fixed version	`1.25.9`
EPSS Score	`0.011%`
EPSS Percentile	`1st percentile`

Description

Context was not properly tracked across template branches for JS template literals, leading to possibly incorrect escaping of content when branches were used. Additionally template actions within JS template literals did not properly track the brace depth, leading to incorrect escaping being applied.

These issues could cause actions within JS template literals to be incorrectly or improperly escaped, leading to XSS vulnerabilities.

Affected range	`<1.25.8`
Fixed version	`1.25.8`
EPSS Score	`0.013%`
EPSS Percentile	`2nd percentile`

Description

Actions which insert URLs into the content attribute of HTML meta tags are not escaped. This can allow XSS if the meta tag also has an http-equiv attribute with the value "refresh".

A new GODEBUG setting has been added, htmlmetacontenturlescape, which can be used to disable escaping URLs in actions in the meta content attribute which follow "url=" by setting htmlmetacontenturlescape=0.

Affected range	`<1.25.9`
Fixed version	`1.25.9`
EPSS Score	`0.004%`
EPSS Percentile	`0th percentile`

Description

tar.Reader can allocate an unbounded amount of memory when reading a maliciously-crafted archive containing a large number of sparse regions encoded in the "old GNU sparse map" format.

Affected range	`>=1.25.0 <1.25.1`
Fixed version	`1.25.1`
EPSS Score	`0.012%`
EPSS Percentile	`2nd percentile`

Description

When using http.CrossOriginProtection, the AddInsecureBypassPattern method can unexpectedly bypass more requests than intended. CrossOriginProtection then skips validation, but forwards the original request path, which may be served by a different handler without the intended security protections.

Affected range	`<1.25.10`
Fixed version	`1.25.10`
EPSS Score	`0.012%`
EPSS Percentile	`2nd percentile`

Description

ReverseProxy can forward queries containing parameters not visible to Rewrite functions.

When used with a Rewrite function, or a Director function which parses query parameters, ReverseProxy sanitizes the forwarded request to remove query parameters which are not parsed by url.ParseQuery. ReverseProxy does not take ParseQuery's limit on the total number of query parameters (controlled by GODEBUG=urlmaxqueryparams=N) into account. This can permit ReverseProxy to forward a request containing a query parameter that is not visible to the Rewrite function.

For example, the query "a1=x&a2=x&...&a10000=x&hidden=y" can forward the parameter "hidden=y" while hiding it from the proxy's Rewrite function.

Affected range	`>=1.25.0 <1.25.6`
Fixed version	`1.25.6`
EPSS Score	`0.009%`
EPSS Percentile	`1st percentile`

Description

During the TLS 1.3 handshake if multiple messages are sent in records that span encryption level boundaries (for instance the Client Hello and Encrypted Extensions messages), the subsequent messages may be processed before the encryption level changes. This can cause some minor information disclosure if a network-local attacker can inject messages during the handshake.

Affected range	`>=1.25.0 <1.25.2`
Fixed version	`1.25.2`
EPSS Score	`0.024%`
EPSS Percentile	`7th percentile`

Description

The Reader.ReadResponse function constructs a response string through repeated string concatenation of lines. When the number of lines in a response is large, this can cause excessive CPU consumption.

Affected range	`>=1.25.0 <1.25.2`
Fixed version	`1.25.2`
EPSS Score	`0.018%`
EPSS Percentile	`5th percentile`

Description

When Conn.Handshake fails during ALPN negotiation the error contains attacker controlled information (the ALPN protocols sent by the client) which is not escaped.

Affected range	`>=1.25.0 <1.25.2`
Fixed version	`1.25.2`
EPSS Score	`0.043%`
EPSS Percentile	`13th percentile`

Description

Despite HTTP headers having a default limit of 1MB, the number of cookies that can be parsed does not have a limit. By sending a lot of very small cookies such as "a=;", an attacker can make an HTTP server allocate a large amount of structs, causing large memory consumption.

Affected range	`>=1.25.0 <1.25.2`
Fixed version	`1.25.2`
EPSS Score	`0.036%`
EPSS Percentile	`11th percentile`

Description

Parsing a maliciously crafted DER payload could allocate large amounts of memory, causing memory exhaustion.

Affected range	`>=1.25.0 <1.25.2`
Fixed version	`1.25.2`
EPSS Score	`0.026%`
EPSS Percentile	`8th percentile`

Description

The Parse function permits values other than IPv6 addresses to be included in square brackets within the host component of a URL. RFC 3986 permits IPv6 addresses to be included within the host component, enclosed within square brackets. For example: "http://[::1]/". IPv4 addresses and hostnames must not appear within square brackets. Parse did not enforce this requirement.

Affected range	`>=1.25.0 <1.25.2`
Fixed version	`1.25.2`
EPSS Score	`0.019%`
EPSS Percentile	`5th percentile`

Description

tar.Reader does not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A maliciously-crafted archive containing a large number of sparse regions can cause a Reader to read an unbounded amount of data from the archive into memory. When reading from a compressed source, a small compressed input can result in large allocations.

Affected range	`<1.25.8`
Fixed version	`1.25.8`
EPSS Score	`0.007%`
EPSS Percentile	`1st percentile`

Description

On Unix platforms, when listing the contents of a directory using File.ReadDir or File.Readdir the returned FileInfo could reference a file outside of the Root in which the File was opened.

The impact of this escape is limited to reading metadata provided by lstat from arbitrary locations on the filesystem without permitting reading or writing files outside the root.

Affected range	`<1.25.11`
Fixed version	`1.25.11`

Description

When returning errors, functions in the net/textproto package would include its input as part of the error. This might allow an attacker to inject misleading content to errors that are printed or logged.

Affected range	`<1.25.11`
Fixed version	`1.25.11`

Description

Decoding a maliciously-crafted MIME header containing many invalid encoded-words can consume excessive CPU.

Affected range	`<1.25.11`
Fixed version	`1.25.11`

Description

(*x509.Certificate).VerifyHostname previously called matchHostnames in a loop over all DNS Subject Alternative Name (SAN) entries. This caused strings.Split(host, ".") to execute repeatedly on the same input hostname.

With a large DNS SAN list, verification costs scaled quadratically based on the number of SAN entries multiplied by the hostname's label count. Because x509.Verify validates hostnames before building the certificate chain, this overhead occurred even for untrusted certificates.

golang.org/x/net 0.54.0 (golang)

pkg:golang/golang.org/x/net@0.54.0

# Dockerfile (266:266)
RUN set -o pipefail && curl https://getcroc.schollz.com | bash || curl https://getcroc.schollz.com | sed 's^croc_base_url="https://github.com/schollz/croc/releases/download"^croc_base_url="file://"^g' | bash

Affected range	`<0.55.0`
Fixed version	`0.55.0`
EPSS Score	`0.050%`
EPSS Percentile	`16th percentile`

Description

The ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to an ASCII-only label. For example, ToUnicode("xn--example-.com") incorrectly returns the name "example.com" rather than an error.

This behavior can lead to privilege escalation in programs using the idna package. For example, a program which performs privilege checks on the ASCII hostname may reject "example.com" but permit "xn--example-.com". If that program subsequently converts the ASCII hostname to Unicode, it will inadvertently permits access to the Unicode name "example.com".

Affected range	`<0.55.0`
Fixed version	`0.55.0`
EPSS Score	`0.061%`
EPSS Percentile	`19th percentile`

Description

Parsing arbitrary HTML can consume excessive CPU time, possibly leading to denial of service.

Affected range	`<0.55.0`
Fixed version	`0.55.0`
EPSS Score	`0.032%`
EPSS Percentile	`10th percentile`

Description

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

Affected range	`<0.55.0`
Fixed version	`0.55.0`
EPSS Score	`0.031%`
EPSS Percentile	`9th percentile`

Description

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

Affected range	`<0.55.0`
Fixed version	`0.55.0`
EPSS Score	`0.031%`
EPSS Percentile	`9th percentile`

Description

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

Affected range	`<0.55.0`
Fixed version	`0.55.0`
EPSS Score	`0.031%`
EPSS Percentile	`9th percentile`

Description

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

jquery-ui 1.11.2 (npm)

pkg:npm/jquery-ui@1.11.2

# Dockerfile (252:252)
COPY --from=build /tmp/install /flightgear/script/dnc-managed/install

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.13.0`
Fixed version	`1.13.0`
CVSS Score	`6.5`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N`
EPSS Score	`31.184%`
EPSS Percentile	`97th percentile`

Description

Impact

Accepting the value of the of option of the .position() util from untrusted sources may execute untrusted code. For example, invoking the following code:
$( "#element" ).position( {
	my: "left top",
	at: "right bottom",
	of: "<img onerror='doEvilThing()' src='/404' />",
	collision: "none"
} );
will call the doEvilThing() function.

Patches

The issue is fixed in jQuery UI 1.13.0. Any string value passed to the of option is now treated as a CSS selector.

Workarounds

A workaround is to not accept the value of the of option from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.13.0`
Fixed version	`1.13.0`
CVSS Score	`6.5`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N`
EPSS Score	`2.921%`
EPSS Percentile	`87th percentile`

Description

Impact

Accepting the value of various *Text options of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker in the following way:
$( "#datepicker" ).datepicker( {
	showButtonPanel: true,
	showOn: "both",
	closeText: "<script>doEvilThing( 'closeText XSS' )</script>",
	currentText: "<script>doEvilThing( 'currentText XSS' )</script>",
	prevText: "<script>doEvilThing( 'prevText XSS' )</script>",
	nextText: "<script>doEvilThing( 'nextText XSS' )</script>",
	buttonText: "<script>doEvilThing( 'buttonText XSS' )</script>",
	appendText: "<script>doEvilThing( 'appendText XSS' )</script>",
} );
will call doEvilThing with 6 different parameters coming from all *Text options.

Patches

The issue is fixed in jQuery UI 1.13.0. The values passed to various *Text options are now always treated as pure text, not HTML.

Workarounds

A workaround is to not accept the value of the *Text options from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.13.0`
Fixed version	`1.13.0`
CVSS Score	`6.5`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N`
EPSS Score	`27.509%`
EPSS Percentile	`97th percentile`

Description

Impact

Accepting the value of the altField option of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker in the following way:
$( "#datepicker" ).datepicker( {
	altField: "<img onerror='doEvilThing()' src='/404' />",
} );
will call the doEvilThing function.

Patches

The issue is fixed in jQuery UI 1.13.0. Any string value passed to the altField option is now treated as a CSS selector.

Workarounds

A workaround is to not accept the value of the altField option from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.13.2`
Fixed version	`1.13.2`
CVSS Score	`6.1`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N`
EPSS Score	`7.763%`
EPSS Percentile	`92nd percentile`

Description

Impact

Initializing a checkboxradio widget on an input enclosed within a label makes that parent label contents considered as the input label. If you call .checkboxradio( "refresh" ) on such a widget and the initial HTML contained encoded HTML entities, they will erroneously get decoded. This can lead to potentially executing JavaScript code.

For example, starting with the following initial secure HTML:
<label>
	<input id="test-input">
	&lt;img src=x onerror="alert(1)"&gt;
</label>
and calling:
$( "#test-input" ).checkboxradio();
$( "#test-input" ).checkboxradio( "refresh" );
will turn the initial HTML into:
<label>
	
	<input id="test-input">
	<img src=x onerror="alert(1)">
</label>
and the alert will get executed.

Patches

The bug has been patched in jQuery UI 1.13.2.

Workarounds

To remediate the issue, if you can change the initial HTML, you can wrap all the non-input contents of the label in a span:
<label>
	<input id="test-input">
	<span>&lt;img src=x onerror="alert(1)"&gt;</span>
</label>
References

https://blog.jqueryui.com/2022/07/jquery-ui-1-13-2-released/

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.12.0`
Fixed version	`1.12.0`
CVSS Score	`6.1`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N`
EPSS Score	`1.778%`
EPSS Percentile	`83rd percentile`

Description

Affected versions of jquery-ui are vulnerable to a cross-site scripting vulnerability when arbitrary user input is supplied as the value of the closeText parameter in the dialog function.

jQuery-UI is a library for manipulating UI elements via jQuery.

Version 1.11.4 has a cross site scripting (XSS) vulnerability in the closeText parameter of the dialog function. If your application passes user input to this parameter, it may be vulnerable to XSS via this attack vector.

Recommendation

Upgrade to jQuery-UI 1.12.0 or later.

OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

Affected range	`<=1.11.4`
Fixed version	`1.12.0`

Description

jQuery-UI has a cross site scripting (XSS) vulnerability in the closeText parameter of the dialog function. If your application passes user input to this parameter, it may be vulnerable to XSS via this attack vector.

github-actions · 2026-06-04T01:12:11Z

Recommended fixes for image (linux/ppc64le) `ghcr.io/jlp04/elevation-generator:test`

Base image is debian:latest

Name	13.5
Digest	sha256:df3512fd9c128f0344a2e4db3b42c66d71ecb62295c24463f4ae851350efd14e
Vulnerabilities
Pushed	2 weeks ago
Size	53 MB
Packages	111
OS	13.5

The base image is also available under the supported tag(s): 13, 13.5, trixie, trixie-20260518

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

✅ There are no tag recommendations at this time.

github-actions · 2026-06-04T01:12:44Z

Overview

Image reference	`jlp04/elevation-generator:latest`	`ghcr.io/jlp04/elevation-generator:test`
- digest	`1ca98322d03f`	`c9b1476e7b10`
- tag	`latest`	`test`
- provenance	https://github.com/JLP04/docker-elevation-generator.git#refs/pull/21/merge/commit/b7d5aadf699a851a21039e8fabe8e946fe1adedc	https://github.com/JLP04/docker-elevation-generator.git#refs/pull/22/merge/commit/cd8b4c4083ec1132f53a4cf2f5f3429b4c81655d
- vulnerabilities
- platform	linux/ppc64le	linux/ppc64le
- size	9.4 GB	9.4 GB (+53 kB)
- packages	955	956 (+1)
Base Image	`debian:latest` also known as: • `13` • `13.5` • `trixie` • `trixie-20260518`	`debian:latest` also known as: • `13` • `13.5` • `trixie` • `trixie-20260518`
- vulnerabilities

Packages and Vulnerabilities (13 package changes and 2 vulnerability changes)

➕ 1 packages added

♾️ 12 packages changed

590 packages unchanged

✔️ 2 vulnerabilities removed

Changes for packages of type deb (12 changes)

	Package	Version `jlp04/elevation-generator:latest`	Version `ghcr.io/jlp04/elevation-generator:test`
♾️	krb5-multidev	`1.21.3-5`	`1.21.3-5+deb13u1`
♾️	libgssapi-krb5-2	`1.21.3-5`	`1.21.3-5+deb13u1`
♾️	libgssrpc4t64	`1.21.3-5`	`1.21.3-5+deb13u1`
♾️	libk5crypto3	`1.21.3-5`	`1.21.3-5+deb13u1`
♾️	libkadm5clnt-mit12	`1.21.3-5`	`1.21.3-5+deb13u1`
♾️	libkadm5srv-mit12	`1.21.3-5`	`1.21.3-5+deb13u1`
♾️	libkdb5-10t64	`1.21.3-5`	`1.21.3-5+deb13u1`
♾️	libkrb5-3	`1.21.3-5`	`1.21.3-5+deb13u1`
♾️	libkrb5-dev	`1.21.3-5`	`1.21.3-5+deb13u1`
♾️	libkrb5support0	`1.21.3-5`	`1.21.3-5+deb13u1`

		Removed vulnerabilities (2):
♾️	libunbound8	`1.22.0-2+deb13u2`	`1.22.0-2+deb13u3`
♾️	linux-libc-dev	`6.12.88-1`	`6.12.90-2`

Changes for packages of type maven (1 changes)

	Package	Version `jlp04/elevation-generator:latest`	Version `ghcr.io/jlp04/elevation-generator:test`
➕	fgfsclient/fgfsclient		`UNKNOWN`

github-actions · 2026-06-04T01:13:07Z


Your image	`ghcr.io/jlp04/elevation-generator:test`
Current base image	`debian:latest`

github-actions · 2026-06-04T01:13:13Z

🔍 Vulnerabilities of `ghcr.io/jlp04/elevation-generator:test`

📦 Image Reference ghcr.io/jlp04/elevation-generator:test

digest	`sha256:02428dba9f2b2a9dff5842c4d65e479666d609e3499dca35c517646c0889c60b`
vulnerabilities
platform	linux/riscv64
size	9.4 GB
packages	951

📦 Base Image debian:13

also known as	`13.5` `latest` `trixie` `trixie-20260518`
digest	`sha256:4f52ee6eaf425fa42ddfd7b871040a2bfd5411ce07801b6342ae57ba40c8cf5c`
vulnerabilities

golang.org/x/crypto 0.51.0 (golang)

pkg:golang/golang.org/x/crypto@0.51.0

# Dockerfile (266:266)
RUN set -o pipefail && curl https://getcroc.schollz.com | bash || curl https://getcroc.schollz.com | sed 's^croc_base_url="https://github.com/schollz/croc/releases/download"^croc_base_url="file://"^g' | bash

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.052%`
EPSS Percentile	`16th percentile`

Description

Previously, CVE-2024-45337 fixed an authorization bypass for misused ssh server configurations; if any other type of callback is passed other than public key, then the source-address validation would be skipped.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.038%`
EPSS Percentile	`12th percentile`

Description

Previously, a revoked 'SignatureKey' belonging to a CA was not correctly checked for revocation. Now, both the 'key' and 'key.SignatureKey' are checked for @Revoked.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.054%`
EPSS Percentile	`17th percentile`

Description

When writing data larger than 4GB in a single Write call on an SSH channel, an integer overflow in the internal payload size calculation caused the write loop to spin indefinitely, sending empty packets without making progress. The size comparison now uses int64 to prevent truncation.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.042%`
EPSS Percentile	`13th percentile`

Description

The in-memory keyring returned by NewKeyring() silently accepted keys with the ConfirmBeforeUse constraint but never enforced it. The key would sign without any confirmation prompt, with no indication to the caller that the constraint was not in effect. NewKeyring() now returns an error when unsupported constraints are requested.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.068%`
EPSS Percentile	`21st percentile`

Description

When adding a key to a remote agent constraint extensions such as restrict-destination-v00@openssh.com were not serialized in the request. Destination restrictions were silently stripped when forwarding keys, allowing unrestricted use of the key on the remote host. The client now serializes all constraint extensions. Additionally, the in-memory keyring returned by NewKeyring() now rejects keys with unsupported constraint extensions instead of silently ignoring them.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.029%`
EPSS Percentile	`9th percentile`

Description

The Verify() method for FIDO/U2F security key types (sk-ecdsa-sha2-nistp256@openssh.com, sk-ssh-ed25519@openssh.com) did not check the User Presence flag. Signatures generated without physical touch were accepted, allowing unattended use of a hardware security key. To restore the previous behavior, return a "no-touch-required" extension in Permissions.Extensions from PublicKeyCallback.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.055%`
EPSS Percentile	`17th percentile`

Description

A malicious SSH peer could send unsolicited global request responses to fill an internal buffer, blocking the connection's read loop. The blocked goroutine could not be released by calling Close(), resulting in a resource leak per connection. Unsolicited global responses are now discarded.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.054%`
EPSS Percentile	`17th percentile`

Description

An incorrectly placed cast from bytes to int allowed for server-side panic in the AES-GCM packet decoder for well-crafted inputs.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.088%`
EPSS Percentile	`25th percentile`

Description

The RSA and DSA public key parsers did not enforce size limits on key parameters. A crafted public key with an excessively large modulus or DSA parameter could cause several minutes of CPU consumption during signature verification. This could be triggered by unauthenticated clients during public key authentication. RSA moduli are now limited to 8192 bits, and DSA parameters are validated per FIPS 186-2.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.023%`
EPSS Percentile	`7th percentile`

Description

An authenticated SSH client that repeatedly opened channels which were rejected by the server caused unbounded memory growth, eventually crashing the server process and affecting all connected users. Rejected channels are now properly removed from the connection's internal state and released for garbage collection.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.030%`
EPSS Percentile	`9th percentile`

Description

When an SSH server authentication callback returned PartialSuccessError with non-nil Permissions, those permissions were silently discarded, potentially dropping certificate restrictions such as force-command after a second factor succeeded. Returning non-nil Permissions with PartialSuccessError now results in a connection error.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.050%`
EPSS Percentile	`16th percentile`

Description

For certain crafted inputs, a 'ed25519.PrivateKey' was created by casting malformed wire bytes, leading to a panic when used.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.029%`
EPSS Percentile	`9th percentile`

Description

SSH servers which use CertChecker as a public key callback without setting IsUserAuthority or IsHostAuthority could be caused to panic by a client presenting a certificate. CertChecker now returns an error instead of panicking when these callbacks are nil.

golang.org/x/net 0.54.0 (golang)

pkg:golang/golang.org/x/net@0.54.0

# Dockerfile (266:266)
RUN set -o pipefail && curl https://getcroc.schollz.com | bash || curl https://getcroc.schollz.com | sed 's^croc_base_url="https://github.com/schollz/croc/releases/download"^croc_base_url="file://"^g' | bash

Affected range	`<0.55.0`
Fixed version	`0.55.0`
EPSS Score	`0.050%`
EPSS Percentile	`16th percentile`

Description

The ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to an ASCII-only label. For example, ToUnicode("xn--example-.com") incorrectly returns the name "example.com" rather than an error.

This behavior can lead to privilege escalation in programs using the idna package. For example, a program which performs privilege checks on the ASCII hostname may reject "example.com" but permit "xn--example-.com". If that program subsequently converts the ASCII hostname to Unicode, it will inadvertently permits access to the Unicode name "example.com".

Affected range	`<0.55.0`
Fixed version	`0.55.0`
EPSS Score	`0.061%`
EPSS Percentile	`19th percentile`

Description

Parsing arbitrary HTML can consume excessive CPU time, possibly leading to denial of service.

Affected range	`<0.55.0`
Fixed version	`0.55.0`
EPSS Score	`0.032%`
EPSS Percentile	`10th percentile`

Description

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

Affected range	`<0.55.0`
Fixed version	`0.55.0`
EPSS Score	`0.031%`
EPSS Percentile	`9th percentile`

Description

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

Affected range	`<0.55.0`
Fixed version	`0.55.0`
EPSS Score	`0.031%`
EPSS Percentile	`9th percentile`

Description

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

Affected range	`<0.55.0`
Fixed version	`0.55.0`
EPSS Score	`0.031%`
EPSS Percentile	`9th percentile`

Description

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

jquery-ui 1.11.2 (npm)

pkg:npm/jquery-ui@1.11.2

# Dockerfile (252:252)
COPY --from=build /tmp/install /flightgear/script/dnc-managed/install

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.13.0`
Fixed version	`1.13.0`
CVSS Score	`6.5`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N`
EPSS Score	`31.184%`
EPSS Percentile	`97th percentile`

Description

Impact

Accepting the value of the of option of the .position() util from untrusted sources may execute untrusted code. For example, invoking the following code:
$( "#element" ).position( {
	my: "left top",
	at: "right bottom",
	of: "<img onerror='doEvilThing()' src='/404' />",
	collision: "none"
} );
will call the doEvilThing() function.

Patches

The issue is fixed in jQuery UI 1.13.0. Any string value passed to the of option is now treated as a CSS selector.

Workarounds

A workaround is to not accept the value of the of option from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.13.0`
Fixed version	`1.13.0`
CVSS Score	`6.5`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N`
EPSS Score	`2.921%`
EPSS Percentile	`87th percentile`

Description

Impact

Accepting the value of various *Text options of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker in the following way:
$( "#datepicker" ).datepicker( {
	showButtonPanel: true,
	showOn: "both",
	closeText: "<script>doEvilThing( 'closeText XSS' )</script>",
	currentText: "<script>doEvilThing( 'currentText XSS' )</script>",
	prevText: "<script>doEvilThing( 'prevText XSS' )</script>",
	nextText: "<script>doEvilThing( 'nextText XSS' )</script>",
	buttonText: "<script>doEvilThing( 'buttonText XSS' )</script>",
	appendText: "<script>doEvilThing( 'appendText XSS' )</script>",
} );
will call doEvilThing with 6 different parameters coming from all *Text options.

Patches

The issue is fixed in jQuery UI 1.13.0. The values passed to various *Text options are now always treated as pure text, not HTML.

Workarounds

A workaround is to not accept the value of the *Text options from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.13.0`
Fixed version	`1.13.0`
CVSS Score	`6.5`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N`
EPSS Score	`27.509%`
EPSS Percentile	`97th percentile`

Description

Impact

Accepting the value of the altField option of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker in the following way:
$( "#datepicker" ).datepicker( {
	altField: "<img onerror='doEvilThing()' src='/404' />",
} );
will call the doEvilThing function.

Patches

The issue is fixed in jQuery UI 1.13.0. Any string value passed to the altField option is now treated as a CSS selector.

Workarounds

A workaround is to not accept the value of the altField option from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.13.2`
Fixed version	`1.13.2`
CVSS Score	`6.1`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N`
EPSS Score	`7.763%`
EPSS Percentile	`92nd percentile`

Description

Impact

Initializing a checkboxradio widget on an input enclosed within a label makes that parent label contents considered as the input label. If you call .checkboxradio( "refresh" ) on such a widget and the initial HTML contained encoded HTML entities, they will erroneously get decoded. This can lead to potentially executing JavaScript code.

For example, starting with the following initial secure HTML:
<label>
	<input id="test-input">
	&lt;img src=x onerror="alert(1)"&gt;
</label>
and calling:
$( "#test-input" ).checkboxradio();
$( "#test-input" ).checkboxradio( "refresh" );
will turn the initial HTML into:
<label>
	
	<input id="test-input">
	<img src=x onerror="alert(1)">
</label>
and the alert will get executed.

Patches

The bug has been patched in jQuery UI 1.13.2.

Workarounds

To remediate the issue, if you can change the initial HTML, you can wrap all the non-input contents of the label in a span:
<label>
	<input id="test-input">
	<span>&lt;img src=x onerror="alert(1)"&gt;</span>
</label>
References

https://blog.jqueryui.com/2022/07/jquery-ui-1-13-2-released/

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.12.0`
Fixed version	`1.12.0`
CVSS Score	`6.1`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N`
EPSS Score	`1.778%`
EPSS Percentile	`83rd percentile`

Description

Affected versions of jquery-ui are vulnerable to a cross-site scripting vulnerability when arbitrary user input is supplied as the value of the closeText parameter in the dialog function.

jQuery-UI is a library for manipulating UI elements via jQuery.

Version 1.11.4 has a cross site scripting (XSS) vulnerability in the closeText parameter of the dialog function. If your application passes user input to this parameter, it may be vulnerable to XSS via this attack vector.

Recommendation

Upgrade to jQuery-UI 1.12.0 or later.

OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

Affected range	`<=1.11.4`
Fixed version	`1.12.0`

Description

jQuery-UI has a cross site scripting (XSS) vulnerability in the closeText parameter of the dialog function. If your application passes user input to this parameter, it may be vulnerable to XSS via this attack vector.

stdlib 1.25.10 (golang)

pkg:golang/stdlib@1.25.10

# Dockerfile (266:266)
RUN set -o pipefail && curl https://getcroc.schollz.com | bash || curl https://getcroc.schollz.com | sed 's^croc_base_url="https://github.com/schollz/croc/releases/download"^croc_base_url="file://"^g' | bash

Affected range	`<1.25.11`
Fixed version	`1.25.11`

Description

When returning errors, functions in the net/textproto package would include its input as part of the error. This might allow an attacker to inject misleading content to errors that are printed or logged.

Affected range	`<1.25.11`
Fixed version	`1.25.11`

Description

Decoding a maliciously-crafted MIME header containing many invalid encoded-words can consume excessive CPU.

Affected range	`<1.25.11`
Fixed version	`1.25.11`

Description

(*x509.Certificate).VerifyHostname previously called matchHostnames in a loop over all DNS Subject Alternative Name (SAN) entries. This caused strings.Split(host, ".") to execute repeatedly on the same input hostname.

With a large DNS SAN list, verification costs scaled quadratically based on the number of SAN entries multiplied by the hostname's label count. Because x509.Verify validates hostnames before building the certificate chain, this overhead occurred even for untrusted certificates.

github-actions · 2026-06-04T01:13:17Z

Recommended fixes for image (linux/riscv64) `ghcr.io/jlp04/elevation-generator:test`

Base image is debian:latest

Name	13.5
Digest	sha256:4f52ee6eaf425fa42ddfd7b871040a2bfd5411ce07801b6342ae57ba40c8cf5c
Vulnerabilities
Pushed	2 weeks ago
Size	48 MB
Packages	109
OS	13.5

The base image is also available under the supported tag(s): 13, 13.5, trixie, trixie-20260518

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

✅ There are no tag recommendations at this time.

github-actions · 2026-06-04T01:13:51Z

Overview

Image reference	`jlp04/elevation-generator:latest`	`ghcr.io/jlp04/elevation-generator:test`
- digest	`732bcafda2c1`	`02428dba9f2b`
- tag	`latest`	`test`
- provenance	https://github.com/JLP04/docker-elevation-generator.git#refs/pull/21/merge/commit/b7d5aadf699a851a21039e8fabe8e946fe1adedc	https://github.com/JLP04/docker-elevation-generator.git#refs/pull/22/merge/commit/cd8b4c4083ec1132f53a4cf2f5f3429b4c81655d
- vulnerabilities
- platform	linux/riscv64	linux/riscv64
- size	9.4 GB	9.4 GB (+63 kB)
- packages	950	951 (+1)
Base Image	`debian:latest` also known as: • `13` • `13.5` • `trixie` • `trixie-20260518`	`debian:latest` also known as: • `13` • `13.5` • `trixie` • `trixie-20260518`
- vulnerabilities

Packages and Vulnerabilities (13 package changes and 2 vulnerability changes)

➕ 1 packages added

♾️ 12 packages changed

587 packages unchanged

✔️ 2 vulnerabilities removed

Changes for packages of type deb (12 changes)

	Package	Version `jlp04/elevation-generator:latest`	Version `ghcr.io/jlp04/elevation-generator:test`
♾️	krb5-multidev	`1.21.3-5`	`1.21.3-5+deb13u1`
♾️	libgssapi-krb5-2	`1.21.3-5`	`1.21.3-5+deb13u1`
♾️	libgssrpc4t64	`1.21.3-5`	`1.21.3-5+deb13u1`
♾️	libk5crypto3	`1.21.3-5`	`1.21.3-5+deb13u1`
♾️	libkadm5clnt-mit12	`1.21.3-5`	`1.21.3-5+deb13u1`
♾️	libkadm5srv-mit12	`1.21.3-5`	`1.21.3-5+deb13u1`
♾️	libkdb5-10t64	`1.21.3-5`	`1.21.3-5+deb13u1`
♾️	libkrb5-3	`1.21.3-5`	`1.21.3-5+deb13u1`
♾️	libkrb5-dev	`1.21.3-5`	`1.21.3-5+deb13u1`
♾️	libkrb5support0	`1.21.3-5`	`1.21.3-5+deb13u1`

		Removed vulnerabilities (2):
♾️	libunbound8	`1.22.0-2+deb13u2`	`1.22.0-2+deb13u3`
♾️	linux-libc-dev	`6.12.88-1`	`6.12.90-2`

Changes for packages of type maven (1 changes)

	Package	Version `jlp04/elevation-generator:latest`	Version `ghcr.io/jlp04/elevation-generator:test`
➕	fgfsclient/fgfsclient		`UNKNOWN`

github-actions · 2026-06-04T01:14:15Z


Your image	`ghcr.io/jlp04/elevation-generator:test`
Current base image	`debian:latest`

github-actions · 2026-06-04T01:14:21Z

🔍 Vulnerabilities of `ghcr.io/jlp04/elevation-generator:test`

📦 Image Reference ghcr.io/jlp04/elevation-generator:test

digest	`sha256:f40b7a0903543e0653ef16322dfac145e19ecc03cb0526a348b0e9fb9cc9c6a3`
vulnerabilities
platform	linux/s390x
size	9.4 GB
packages	950

📦 Base Image debian:13

also known as	`13.5` `latest` `trixie` `trixie-20260518`
digest	`sha256:7c6b2cfbda75aa8ebddd4634addba1286dc3e7a41ed604041c3eae2de5746c9f`
vulnerabilities

golang.org/x/crypto 0.51.0 (golang)

pkg:golang/golang.org/x/crypto@0.51.0

# Dockerfile (266:266)
RUN set -o pipefail && curl https://getcroc.schollz.com | bash || curl https://getcroc.schollz.com | sed 's^croc_base_url="https://github.com/schollz/croc/releases/download"^croc_base_url="file://"^g' | bash

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.052%`
EPSS Percentile	`16th percentile`

Description

Previously, CVE-2024-45337 fixed an authorization bypass for misused ssh server configurations; if any other type of callback is passed other than public key, then the source-address validation would be skipped.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.038%`
EPSS Percentile	`12th percentile`

Description

Previously, a revoked 'SignatureKey' belonging to a CA was not correctly checked for revocation. Now, both the 'key' and 'key.SignatureKey' are checked for @Revoked.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.054%`
EPSS Percentile	`17th percentile`

Description

When writing data larger than 4GB in a single Write call on an SSH channel, an integer overflow in the internal payload size calculation caused the write loop to spin indefinitely, sending empty packets without making progress. The size comparison now uses int64 to prevent truncation.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.042%`
EPSS Percentile	`13th percentile`

Description

The in-memory keyring returned by NewKeyring() silently accepted keys with the ConfirmBeforeUse constraint but never enforced it. The key would sign without any confirmation prompt, with no indication to the caller that the constraint was not in effect. NewKeyring() now returns an error when unsupported constraints are requested.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.068%`
EPSS Percentile	`21st percentile`

Description

When adding a key to a remote agent constraint extensions such as restrict-destination-v00@openssh.com were not serialized in the request. Destination restrictions were silently stripped when forwarding keys, allowing unrestricted use of the key on the remote host. The client now serializes all constraint extensions. Additionally, the in-memory keyring returned by NewKeyring() now rejects keys with unsupported constraint extensions instead of silently ignoring them.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.029%`
EPSS Percentile	`9th percentile`

Description

The Verify() method for FIDO/U2F security key types (sk-ecdsa-sha2-nistp256@openssh.com, sk-ssh-ed25519@openssh.com) did not check the User Presence flag. Signatures generated without physical touch were accepted, allowing unattended use of a hardware security key. To restore the previous behavior, return a "no-touch-required" extension in Permissions.Extensions from PublicKeyCallback.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.055%`
EPSS Percentile	`17th percentile`

Description

A malicious SSH peer could send unsolicited global request responses to fill an internal buffer, blocking the connection's read loop. The blocked goroutine could not be released by calling Close(), resulting in a resource leak per connection. Unsolicited global responses are now discarded.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.054%`
EPSS Percentile	`17th percentile`

Description

An incorrectly placed cast from bytes to int allowed for server-side panic in the AES-GCM packet decoder for well-crafted inputs.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.088%`
EPSS Percentile	`25th percentile`

Description

The RSA and DSA public key parsers did not enforce size limits on key parameters. A crafted public key with an excessively large modulus or DSA parameter could cause several minutes of CPU consumption during signature verification. This could be triggered by unauthenticated clients during public key authentication. RSA moduli are now limited to 8192 bits, and DSA parameters are validated per FIPS 186-2.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.023%`
EPSS Percentile	`7th percentile`

Description

An authenticated SSH client that repeatedly opened channels which were rejected by the server caused unbounded memory growth, eventually crashing the server process and affecting all connected users. Rejected channels are now properly removed from the connection's internal state and released for garbage collection.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.030%`
EPSS Percentile	`9th percentile`

Description

When an SSH server authentication callback returned PartialSuccessError with non-nil Permissions, those permissions were silently discarded, potentially dropping certificate restrictions such as force-command after a second factor succeeded. Returning non-nil Permissions with PartialSuccessError now results in a connection error.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.050%`
EPSS Percentile	`16th percentile`

Description

For certain crafted inputs, a 'ed25519.PrivateKey' was created by casting malformed wire bytes, leading to a panic when used.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.029%`
EPSS Percentile	`9th percentile`

Description

SSH servers which use CertChecker as a public key callback without setting IsUserAuthority or IsHostAuthority could be caused to panic by a client presenting a certificate. CertChecker now returns an error instead of panicking when these callbacks are nil.

stdlib 1.25.0 (golang)

pkg:golang/stdlib@1.25.0

# Dockerfile (266:266)
RUN set -o pipefail && curl https://getcroc.schollz.com | bash || curl https://getcroc.schollz.com | sed 's^croc_base_url="https://github.com/schollz/croc/releases/download"^croc_base_url="file://"^g' | bash

Affected range	`>=1.25.0-0 <1.25.7`
Fixed version	`1.25.7`
EPSS Score	`0.018%`
EPSS Percentile	`5th percentile`

Description

During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed. This may happen when a user calls Config.Clone and mutates the returned Config, or uses Config.GetConfigForClient. This can cause a client to resume a session with a server that it would not have resumed with during the initial handshake, or cause a server to resume a session with a client that it would not have resumed with during the initial handshake.

Affected range	`<1.25.10`
Fixed version	`1.25.10`
EPSS Score	`0.022%`
EPSS Percentile	`6th percentile`

Description

Pathological inputs could cause DoS through consumePhrase when parsing an email address according to RFC 5322.

Affected range	`<1.25.10`
Fixed version	`1.25.10`
EPSS Score	`0.020%`
EPSS Percentile	`6th percentile`

Description

The Dial and LookupPort functions panic on Windows when provided with an input containing a NUL (0).

Affected range	`<1.25.10`
Fixed version	`1.25.10`
EPSS Score	`0.054%`
EPSS Percentile	`17th percentile`

Description

Well-crafted inputs reaching ParseAddress, ParseAddressList, and ParseDate were able to trigger excessive CPU exhaustion and memory allocations.

Affected range	`<1.25.10`
Fixed version	`1.25.10`
EPSS Score	`0.018%`
EPSS Percentile	`5th percentile`

Description

When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0.

Affected range	`<1.25.10`
Fixed version	`1.25.10`
EPSS Score	`0.017%`
EPSS Percentile	`4th percentile`

Description

When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C memory and a crash.

Affected range	`<1.25.9`
Fixed version	`1.25.9`
EPSS Score	`0.019%`
EPSS Percentile	`5th percentile`

Description

If one side of the TLS connection sends multiple key update messages post-handshake in a single record, the connection can deadlock, causing uncontrolled consumption of resources. This can lead to a denial of service.

This only affects TLS 1.3.

Affected range	`<1.25.9`
Fixed version	`1.25.9`
EPSS Score	`0.022%`
EPSS Percentile	`6th percentile`

Description

Validating certificate chains which use policies is unexpectedly inefficient when certificates in the chain contain a very large number of policy mappings, possibly causing denial of service.

This only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Roots CertPool, or in the system certificate pool.

Affected range	`<1.25.9`
Fixed version	`1.25.9`
EPSS Score	`0.021%`
EPSS Percentile	`6th percentile`

Description

During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions.Intermediates, which can lead to a denial of service. This affects both direct users of crypto/x509 and users of crypto/tls.

Affected range	`<1.25.8`
Fixed version	`1.25.8`
EPSS Score	`0.044%`
EPSS Percentile	`14th percentile`

Description

url.Parse insufficiently validated the host/authority component and accepted some invalid URLs.

Affected range	`>=1.25.0 <1.25.5`
Fixed version	`1.25.5`
EPSS Score	`0.019%`
EPSS Percentile	`5th percentile`

Description

Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a malicious actor can result in excessive resource consumption.

Affected range	`>=1.25.0 <1.25.6`
Fixed version	`1.25.6`
EPSS Score	`0.045%`
EPSS Percentile	`14th percentile`

Description

The net/url package does not set a limit on the number of query parameters in a query.

While the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse large URL-encoded forms. Parsing a large form containing many unique query parameters can cause excessive memory consumption.

Affected range	`>=1.25.0 <1.25.2`
Fixed version	`1.25.2`
EPSS Score	`0.046%`
EPSS Percentile	`15th percentile`

Description

The ParseAddress function constructs domain-literal address components through repeated string concatenation. When parsing large domain-literal components, this can cause excessive CPU consumption.

Affected range	`>=1.25.0 <1.25.2`
Fixed version	`1.25.2`
EPSS Score	`0.044%`
EPSS Percentile	`14th percentile`

Description

The processing time for parsing some invalid inputs scales non-linearly with respect to the size of the input.

This affects programs which parse untrusted PEM inputs.

Affected range	`>=1.25.0 <1.25.2`
Fixed version	`1.25.2`
EPSS Score	`0.013%`
EPSS Percentile	`2nd percentile`

Description

Validating certificate chains which contain DSA public keys can cause programs to panic, due to a interface cast that assumes they implement the Equal method.

This affects programs which validate arbitrary certificate chains.

Affected range	`>=1.25.0 <1.25.3`
Fixed version	`1.25.3`
EPSS Score	`0.021%`
EPSS Percentile	`6th percentile`

Description

Due to the design of the name constraint checking algorithm, the processing time of some inputs scale non-linearly with respect to the size of the certificate.

This affects programs which validate arbitrary certificate chains.

Affected range	`>=1.25.0 <1.25.6`
Fixed version	`1.25.6`
EPSS Score	`0.043%`
EPSS Percentile	`13th percentile`

Description

archive/zip uses a super-linear file name indexing algorithm that is invoked the first time a file in an archive is opened. This can lead to a denial of service when consuming a maliciously constructed ZIP archive.

Affected range	`>=1.25.0 <1.25.5`
Fixed version	`1.25.5`
EPSS Score	`0.008%`
EPSS Percentile	`1st percentile`

Description

An excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard SANs in the leaf certificate. For example a constraint that excludes the subdomain test.example.com does not prevent a leaf certificate from claiming the SAN *.example.com.

Affected range	`<1.25.9`
Fixed version	`1.25.9`
EPSS Score	`0.010%`
EPSS Percentile	`1st percentile`

Description

On Linux, if the target of Root.Chmod is replaced with a symlink while the chmod operation is in progress, Chmod can operate on the target of the symlink, even when the target lies outside the root.

The Linux fchmodat syscall silently ignores the AT_SYMLINK_NOFOLLOW flag, which Root.Chmod uses to avoid symlink traversal. Root.Chmod checks its target before acting and returns an error if the target is a symlink lying outside the root, so the impact is limited to cases where the target is replaced with a symlink between the check and operation.

Affected range	`<1.25.10`
Fixed version	`1.25.10`
EPSS Score	`0.013%`
EPSS Percentile	`2nd percentile`

Description

If a trusted template author were to write a <script> tag containing an empty 'type' attribute or a 'type' attribute with an ASCII whitespace, the execution of the template would incorrectly escape any data passed into the <script> block.

Affected range	`<1.25.10`
Fixed version	`1.25.10`
EPSS Score	`0.010%`
EPSS Percentile	`1st percentile`

Description

CVE-2026-27142 fixed a vulnerability in which URLs were not correctly escaped inside of a tag's attribute. If the URL content were to insert ASCII whitespaces around the '=' rune inside of the attribute, the escaper would fail to similarly escape it, leading to XSS.

Affected range	`<1.25.9`
Fixed version	`1.25.9`
EPSS Score	`0.011%`
EPSS Percentile	`1st percentile`

Description

Context was not properly tracked across template branches for JS template literals, leading to possibly incorrect escaping of content when branches were used. Additionally template actions within JS template literals did not properly track the brace depth, leading to incorrect escaping being applied.

These issues could cause actions within JS template literals to be incorrectly or improperly escaped, leading to XSS vulnerabilities.

Affected range	`<1.25.8`
Fixed version	`1.25.8`
EPSS Score	`0.013%`
EPSS Percentile	`2nd percentile`

Description

Actions which insert URLs into the content attribute of HTML meta tags are not escaped. This can allow XSS if the meta tag also has an http-equiv attribute with the value "refresh".

A new GODEBUG setting has been added, htmlmetacontenturlescape, which can be used to disable escaping URLs in actions in the meta content attribute which follow "url=" by setting htmlmetacontenturlescape=0.

Affected range	`<1.25.9`
Fixed version	`1.25.9`
EPSS Score	`0.004%`
EPSS Percentile	`0th percentile`

Description

tar.Reader can allocate an unbounded amount of memory when reading a maliciously-crafted archive containing a large number of sparse regions encoded in the "old GNU sparse map" format.

Affected range	`>=1.25.0 <1.25.1`
Fixed version	`1.25.1`
EPSS Score	`0.012%`
EPSS Percentile	`2nd percentile`

Description

When using http.CrossOriginProtection, the AddInsecureBypassPattern method can unexpectedly bypass more requests than intended. CrossOriginProtection then skips validation, but forwards the original request path, which may be served by a different handler without the intended security protections.

Affected range	`<1.25.10`
Fixed version	`1.25.10`
EPSS Score	`0.012%`
EPSS Percentile	`2nd percentile`

Description

ReverseProxy can forward queries containing parameters not visible to Rewrite functions.

When used with a Rewrite function, or a Director function which parses query parameters, ReverseProxy sanitizes the forwarded request to remove query parameters which are not parsed by url.ParseQuery. ReverseProxy does not take ParseQuery's limit on the total number of query parameters (controlled by GODEBUG=urlmaxqueryparams=N) into account. This can permit ReverseProxy to forward a request containing a query parameter that is not visible to the Rewrite function.

For example, the query "a1=x&a2=x&...&a10000=x&hidden=y" can forward the parameter "hidden=y" while hiding it from the proxy's Rewrite function.

Affected range	`>=1.25.0 <1.25.6`
Fixed version	`1.25.6`
EPSS Score	`0.009%`
EPSS Percentile	`1st percentile`

Description

During the TLS 1.3 handshake if multiple messages are sent in records that span encryption level boundaries (for instance the Client Hello and Encrypted Extensions messages), the subsequent messages may be processed before the encryption level changes. This can cause some minor information disclosure if a network-local attacker can inject messages during the handshake.

Affected range	`>=1.25.0 <1.25.2`
Fixed version	`1.25.2`
EPSS Score	`0.024%`
EPSS Percentile	`7th percentile`

Description

The Reader.ReadResponse function constructs a response string through repeated string concatenation of lines. When the number of lines in a response is large, this can cause excessive CPU consumption.

Affected range	`>=1.25.0 <1.25.2`
Fixed version	`1.25.2`
EPSS Score	`0.018%`
EPSS Percentile	`5th percentile`

Description

When Conn.Handshake fails during ALPN negotiation the error contains attacker controlled information (the ALPN protocols sent by the client) which is not escaped.

Affected range	`>=1.25.0 <1.25.2`
Fixed version	`1.25.2`
EPSS Score	`0.043%`
EPSS Percentile	`13th percentile`

Description

Despite HTTP headers having a default limit of 1MB, the number of cookies that can be parsed does not have a limit. By sending a lot of very small cookies such as "a=;", an attacker can make an HTTP server allocate a large amount of structs, causing large memory consumption.

Affected range	`>=1.25.0 <1.25.2`
Fixed version	`1.25.2`
EPSS Score	`0.036%`
EPSS Percentile	`11th percentile`

Description

Parsing a maliciously crafted DER payload could allocate large amounts of memory, causing memory exhaustion.

Affected range	`>=1.25.0 <1.25.2`
Fixed version	`1.25.2`
EPSS Score	`0.026%`
EPSS Percentile	`8th percentile`

Description

The Parse function permits values other than IPv6 addresses to be included in square brackets within the host component of a URL. RFC 3986 permits IPv6 addresses to be included within the host component, enclosed within square brackets. For example: "http://[::1]/". IPv4 addresses and hostnames must not appear within square brackets. Parse did not enforce this requirement.

Affected range	`>=1.25.0 <1.25.2`
Fixed version	`1.25.2`
EPSS Score	`0.019%`
EPSS Percentile	`5th percentile`

Description

tar.Reader does not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A maliciously-crafted archive containing a large number of sparse regions can cause a Reader to read an unbounded amount of data from the archive into memory. When reading from a compressed source, a small compressed input can result in large allocations.

Affected range	`<1.25.8`
Fixed version	`1.25.8`
EPSS Score	`0.007%`
EPSS Percentile	`1st percentile`

Description

On Unix platforms, when listing the contents of a directory using File.ReadDir or File.Readdir the returned FileInfo could reference a file outside of the Root in which the File was opened.

The impact of this escape is limited to reading metadata provided by lstat from arbitrary locations on the filesystem without permitting reading or writing files outside the root.

Affected range	`<1.25.11`
Fixed version	`1.25.11`

Description

When returning errors, functions in the net/textproto package would include its input as part of the error. This might allow an attacker to inject misleading content to errors that are printed or logged.

Affected range	`<1.25.11`
Fixed version	`1.25.11`

Description

Decoding a maliciously-crafted MIME header containing many invalid encoded-words can consume excessive CPU.

Affected range	`<1.25.11`
Fixed version	`1.25.11`

Description

(*x509.Certificate).VerifyHostname previously called matchHostnames in a loop over all DNS Subject Alternative Name (SAN) entries. This caused strings.Split(host, ".") to execute repeatedly on the same input hostname.

With a large DNS SAN list, verification costs scaled quadratically based on the number of SAN entries multiplied by the hostname's label count. Because x509.Verify validates hostnames before building the certificate chain, this overhead occurred even for untrusted certificates.

golang.org/x/net 0.54.0 (golang)

pkg:golang/golang.org/x/net@0.54.0

# Dockerfile (266:266)
RUN set -o pipefail && curl https://getcroc.schollz.com | bash || curl https://getcroc.schollz.com | sed 's^croc_base_url="https://github.com/schollz/croc/releases/download"^croc_base_url="file://"^g' | bash

Affected range	`<0.55.0`
Fixed version	`0.55.0`
EPSS Score	`0.050%`
EPSS Percentile	`16th percentile`

Description

The ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to an ASCII-only label. For example, ToUnicode("xn--example-.com") incorrectly returns the name "example.com" rather than an error.

This behavior can lead to privilege escalation in programs using the idna package. For example, a program which performs privilege checks on the ASCII hostname may reject "example.com" but permit "xn--example-.com". If that program subsequently converts the ASCII hostname to Unicode, it will inadvertently permits access to the Unicode name "example.com".

Affected range	`<0.55.0`
Fixed version	`0.55.0`
EPSS Score	`0.061%`
EPSS Percentile	`19th percentile`

Description

Parsing arbitrary HTML can consume excessive CPU time, possibly leading to denial of service.

Affected range	`<0.55.0`
Fixed version	`0.55.0`
EPSS Score	`0.032%`
EPSS Percentile	`10th percentile`

Description

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

Affected range	`<0.55.0`
Fixed version	`0.55.0`
EPSS Score	`0.031%`
EPSS Percentile	`9th percentile`

Description

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

Affected range	`<0.55.0`
Fixed version	`0.55.0`
EPSS Score	`0.031%`
EPSS Percentile	`9th percentile`

Description

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

Affected range	`<0.55.0`
Fixed version	`0.55.0`
EPSS Score	`0.031%`
EPSS Percentile	`9th percentile`

Description

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

jquery-ui 1.11.2 (npm)

pkg:npm/jquery-ui@1.11.2

# Dockerfile (252:252)
COPY --from=build /tmp/install /flightgear/script/dnc-managed/install

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.13.0`
Fixed version	`1.13.0`
CVSS Score	`6.5`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N`
EPSS Score	`31.184%`
EPSS Percentile	`97th percentile`

Description

Impact

Accepting the value of the of option of the .position() util from untrusted sources may execute untrusted code. For example, invoking the following code:
$( "#element" ).position( {
	my: "left top",
	at: "right bottom",
	of: "<img onerror='doEvilThing()' src='/404' />",
	collision: "none"
} );
will call the doEvilThing() function.

Patches

The issue is fixed in jQuery UI 1.13.0. Any string value passed to the of option is now treated as a CSS selector.

Workarounds

A workaround is to not accept the value of the of option from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.13.0`
Fixed version	`1.13.0`
CVSS Score	`6.5`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N`
EPSS Score	`2.921%`
EPSS Percentile	`87th percentile`

Description

Impact

Accepting the value of various *Text options of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker in the following way:
$( "#datepicker" ).datepicker( {
	showButtonPanel: true,
	showOn: "both",
	closeText: "<script>doEvilThing( 'closeText XSS' )</script>",
	currentText: "<script>doEvilThing( 'currentText XSS' )</script>",
	prevText: "<script>doEvilThing( 'prevText XSS' )</script>",
	nextText: "<script>doEvilThing( 'nextText XSS' )</script>",
	buttonText: "<script>doEvilThing( 'buttonText XSS' )</script>",
	appendText: "<script>doEvilThing( 'appendText XSS' )</script>",
} );
will call doEvilThing with 6 different parameters coming from all *Text options.

Patches

The issue is fixed in jQuery UI 1.13.0. The values passed to various *Text options are now always treated as pure text, not HTML.

Workarounds

A workaround is to not accept the value of the *Text options from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.13.0`
Fixed version	`1.13.0`
CVSS Score	`6.5`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N`
EPSS Score	`27.509%`
EPSS Percentile	`97th percentile`

Description

Impact

Accepting the value of the altField option of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker in the following way:
$( "#datepicker" ).datepicker( {
	altField: "<img onerror='doEvilThing()' src='/404' />",
} );
will call the doEvilThing function.

Patches

The issue is fixed in jQuery UI 1.13.0. Any string value passed to the altField option is now treated as a CSS selector.

Workarounds

A workaround is to not accept the value of the altField option from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.13.2`
Fixed version	`1.13.2`
CVSS Score	`6.1`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N`
EPSS Score	`7.763%`
EPSS Percentile	`92nd percentile`

Description

Impact

Initializing a checkboxradio widget on an input enclosed within a label makes that parent label contents considered as the input label. If you call .checkboxradio( "refresh" ) on such a widget and the initial HTML contained encoded HTML entities, they will erroneously get decoded. This can lead to potentially executing JavaScript code.

For example, starting with the following initial secure HTML:
<label>
	<input id="test-input">
	&lt;img src=x onerror="alert(1)"&gt;
</label>
and calling:
$( "#test-input" ).checkboxradio();
$( "#test-input" ).checkboxradio( "refresh" );
will turn the initial HTML into:
<label>
	
	<input id="test-input">
	<img src=x onerror="alert(1)">
</label>
and the alert will get executed.

Patches

The bug has been patched in jQuery UI 1.13.2.

Workarounds

To remediate the issue, if you can change the initial HTML, you can wrap all the non-input contents of the label in a span:
<label>
	<input id="test-input">
	<span>&lt;img src=x onerror="alert(1)"&gt;</span>
</label>
References

https://blog.jqueryui.com/2022/07/jquery-ui-1-13-2-released/

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.12.0`
Fixed version	`1.12.0`
CVSS Score	`6.1`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N`
EPSS Score	`1.778%`
EPSS Percentile	`83rd percentile`

Description

Affected versions of jquery-ui are vulnerable to a cross-site scripting vulnerability when arbitrary user input is supplied as the value of the closeText parameter in the dialog function.

jQuery-UI is a library for manipulating UI elements via jQuery.

Version 1.11.4 has a cross site scripting (XSS) vulnerability in the closeText parameter of the dialog function. If your application passes user input to this parameter, it may be vulnerable to XSS via this attack vector.

Recommendation

Upgrade to jQuery-UI 1.12.0 or later.

OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

Affected range	`<=1.11.4`
Fixed version	`1.12.0`

Description

jQuery-UI has a cross site scripting (XSS) vulnerability in the closeText parameter of the dialog function. If your application passes user input to this parameter, it may be vulnerable to XSS via this attack vector.

github-actions · 2026-06-04T01:14:25Z

Recommended fixes for image (linux/s390x) `ghcr.io/jlp04/elevation-generator:test`

Base image is debian:latest

Name	13.5
Digest	sha256:7c6b2cfbda75aa8ebddd4634addba1286dc3e7a41ed604041c3eae2de5746c9f
Vulnerabilities
Pushed	2 weeks ago
Size	49 MB
Packages	111
OS	13.5

The base image is also available under the supported tag(s): 13, 13.5, trixie, trixie-20260518

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

✅ There are no tag recommendations at this time.

github-actions · 2026-06-04T01:14:55Z

Overview

Image reference	`jlp04/elevation-generator:latest`	`ghcr.io/jlp04/elevation-generator:test`
- digest	`5cf4b50cf8b1`	`f40b7a090354`
- tag	`latest`	`test`
- provenance	https://github.com/JLP04/docker-elevation-generator.git#refs/pull/21/merge/commit/b7d5aadf699a851a21039e8fabe8e946fe1adedc	https://github.com/JLP04/docker-elevation-generator.git#refs/pull/22/merge/commit/cd8b4c4083ec1132f53a4cf2f5f3429b4c81655d
- vulnerabilities
- platform	linux/s390x	linux/s390x
- size	9.4 GB	9.4 GB (+71 kB)
- packages	949	950 (+1)
Base Image	`debian:latest` also known as: • `13` • `13.5` • `trixie` • `trixie-20260518`	`debian:latest` also known as: • `13` • `13.5` • `trixie` • `trixie-20260518`
- vulnerabilities

Packages and Vulnerabilities (13 package changes and 2 vulnerability changes)

➕ 1 packages added

♾️ 12 packages changed

584 packages unchanged

✔️ 2 vulnerabilities removed

Changes for packages of type deb (12 changes)

	Package	Version `jlp04/elevation-generator:latest`	Version `ghcr.io/jlp04/elevation-generator:test`
♾️	krb5-multidev	`1.21.3-5`	`1.21.3-5+deb13u1`
♾️	libgssapi-krb5-2	`1.21.3-5`	`1.21.3-5+deb13u1`
♾️	libgssrpc4t64	`1.21.3-5`	`1.21.3-5+deb13u1`
♾️	libk5crypto3	`1.21.3-5`	`1.21.3-5+deb13u1`
♾️	libkadm5clnt-mit12	`1.21.3-5`	`1.21.3-5+deb13u1`
♾️	libkadm5srv-mit12	`1.21.3-5`	`1.21.3-5+deb13u1`
♾️	libkdb5-10t64	`1.21.3-5`	`1.21.3-5+deb13u1`
♾️	libkrb5-3	`1.21.3-5`	`1.21.3-5+deb13u1`
♾️	libkrb5-dev	`1.21.3-5`	`1.21.3-5+deb13u1`
♾️	libkrb5support0	`1.21.3-5`	`1.21.3-5+deb13u1`

		Removed vulnerabilities (2):
♾️	libunbound8	`1.22.0-2+deb13u2`	`1.22.0-2+deb13u3`
♾️	linux-libc-dev	`6.12.88-1`	`6.12.90-2`

Changes for packages of type maven (1 changes)

	Package	Version `jlp04/elevation-generator:latest`	Version `ghcr.io/jlp04/elevation-generator:test`
➕	fgfsclient/fgfsclient		`UNKNOWN`

github-actions · 2026-06-15T13:35:04Z


Your image	`jlp04/elevation-generator:latest`
Current base image	`debian:latest`

github-actions · 2026-06-15T13:35:09Z

🔍 Vulnerabilities of `jlp04/elevation-generator:latest`

📦 Image Reference jlp04/elevation-generator:latest

digest	`sha256:be5343bb71f8d4d91105d1c4eed21cdf868ebccbdb8cecb4408b175dd4130cd3`
vulnerabilities
platform	linux/386
size	9.5 GB
packages	959

📦 Base Image debian:13

also known as	`13.5` `latest` `trixie` `trixie-20260518`
digest	`sha256:804a514efd1d29653f3994230b23af636427967819f18d34ac02301e1ebb3944`
vulnerabilities

golang.org/x/crypto 0.51.0 (golang)

pkg:golang/golang.org/x/crypto@0.51.0

# Dockerfile (266:266)
RUN set -o pipefail && curl https://getcroc.schollz.com | bash || curl https://getcroc.schollz.com | sed 's^croc_base_url="https://github.com/schollz/croc/releases/download"^croc_base_url="file://"^g' | bash

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.052%`
EPSS Percentile	`17th percentile`

Description

Previously, CVE-2024-45337 fixed an authorization bypass for misused ssh server configurations; if any other type of callback is passed other than public key, then the source-address validation would be skipped.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.038%`
EPSS Percentile	`12th percentile`

Description

Previously, a revoked 'SignatureKey' belonging to a CA was not correctly checked for revocation. Now, both the 'key' and 'key.SignatureKey' are checked for @Revoked.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.054%`
EPSS Percentile	`17th percentile`

Description

When writing data larger than 4GB in a single Write call on an SSH channel, an integer overflow in the internal payload size calculation caused the write loop to spin indefinitely, sending empty packets without making progress. The size comparison now uses int64 to prevent truncation.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.042%`
EPSS Percentile	`13th percentile`

Description

The in-memory keyring returned by NewKeyring() silently accepted keys with the ConfirmBeforeUse constraint but never enforced it. The key would sign without any confirmation prompt, with no indication to the caller that the constraint was not in effect. NewKeyring() now returns an error when unsupported constraints are requested.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.068%`
EPSS Percentile	`21st percentile`

Description

When adding a key to a remote agent constraint extensions such as restrict-destination-v00@openssh.com were not serialized in the request. Destination restrictions were silently stripped when forwarding keys, allowing unrestricted use of the key on the remote host. The client now serializes all constraint extensions. Additionally, the in-memory keyring returned by NewKeyring() now rejects keys with unsupported constraint extensions instead of silently ignoring them.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.033%`
EPSS Percentile	`10th percentile`

Description

The Verify() method for FIDO/U2F security key types (sk-ecdsa-sha2-nistp256@openssh.com, sk-ssh-ed25519@openssh.com) did not check the User Presence flag. Signatures generated without physical touch were accepted, allowing unattended use of a hardware security key. To restore the previous behavior, return a "no-touch-required" extension in Permissions.Extensions from PublicKeyCallback.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.054%`
EPSS Percentile	`17th percentile`

Description

A malicious SSH peer could send unsolicited global request responses to fill an internal buffer, blocking the connection's read loop. The blocked goroutine could not be released by calling Close(), resulting in a resource leak per connection. Unsolicited global responses are now discarded.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.054%`
EPSS Percentile	`17th percentile`

Description

An incorrectly placed cast from bytes to int allowed for server-side panic in the AES-GCM packet decoder for well-crafted inputs.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.035%`
EPSS Percentile	`11th percentile`

Description

The RSA and DSA public key parsers did not enforce size limits on key parameters. A crafted public key with an excessively large modulus or DSA parameter could cause several minutes of CPU consumption during signature verification. This could be triggered by unauthenticated clients during public key authentication. RSA moduli are now limited to 8192 bits, and DSA parameters are validated per FIPS 186-2.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.023%`
EPSS Percentile	`7th percentile`

Description

An authenticated SSH client that repeatedly opened channels which were rejected by the server caused unbounded memory growth, eventually crashing the server process and affecting all connected users. Rejected channels are now properly removed from the connection's internal state and released for garbage collection.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.034%`
EPSS Percentile	`11th percentile`

Description

When an SSH server authentication callback returned PartialSuccessError with non-nil Permissions, those permissions were silently discarded, potentially dropping certificate restrictions such as force-command after a second factor succeeded. Returning non-nil Permissions with PartialSuccessError now results in a connection error.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.050%`
EPSS Percentile	`16th percentile`

Description

For certain crafted inputs, a 'ed25519.PrivateKey' was created by casting malformed wire bytes, leading to a panic when used.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.029%`
EPSS Percentile	`9th percentile`

Description

SSH servers which use CertChecker as a public key callback without setting IsUserAuthority or IsHostAuthority could be caused to panic by a client presenting a certificate. CertChecker now returns an error instead of panicking when these callbacks are nil.

golang.org/x/net 0.54.0 (golang)

pkg:golang/golang.org/x/net@0.54.0

# Dockerfile (266:266)
RUN set -o pipefail && curl https://getcroc.schollz.com | bash || curl https://getcroc.schollz.com | sed 's^croc_base_url="https://github.com/schollz/croc/releases/download"^croc_base_url="file://"^g' | bash

Affected range	`<0.55.0`
Fixed version	`0.55.0`
EPSS Score	`0.050%`
EPSS Percentile	`16th percentile`

Description

The ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to an ASCII-only label. For example, ToUnicode("xn--example-.com") incorrectly returns the name "example.com" rather than an error.

This behavior can lead to privilege escalation in programs using the idna package. For example, a program which performs privilege checks on the ASCII hostname may reject "example.com" but permit "xn--example-.com". If that program subsequently converts the ASCII hostname to Unicode, it will inadvertently permits access to the Unicode name "example.com".

Affected range	`<0.55.0`
Fixed version	`0.55.0`
EPSS Score	`0.061%`
EPSS Percentile	`19th percentile`

Description

Parsing arbitrary HTML can consume excessive CPU time, possibly leading to denial of service.

Affected range	`<0.55.0`
Fixed version	`0.55.0`
EPSS Score	`0.032%`
EPSS Percentile	`10th percentile`

Description

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

Affected range	`<0.55.0`
Fixed version	`0.55.0`
EPSS Score	`0.031%`
EPSS Percentile	`9th percentile`

Description

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

Affected range	`<0.55.0`
Fixed version	`0.55.0`
EPSS Score	`0.031%`
EPSS Percentile	`9th percentile`

Description

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

Affected range	`<0.55.0`
Fixed version	`0.55.0`
EPSS Score	`0.031%`
EPSS Percentile	`9th percentile`

Description

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

stdlib 1.25.10 (golang)

pkg:golang/stdlib@1.25.10

# Dockerfile (266:266)
RUN set -o pipefail && curl https://getcroc.schollz.com | bash || curl https://getcroc.schollz.com | sed 's^croc_base_url="https://github.com/schollz/croc/releases/download"^croc_base_url="file://"^g' | bash

Affected range	`<1.25.11`
Fixed version	`1.25.11`
EPSS Score	`0.055%`
EPSS Percentile	`18th percentile`

Description

Decoding a maliciously-crafted MIME header containing many invalid encoded-words can consume excessive CPU.

Affected range	`<1.25.11`
Fixed version	`1.25.11`
EPSS Score	`0.011%`
EPSS Percentile	`2nd percentile`

Description

(*x509.Certificate).VerifyHostname previously called matchHostnames in a loop over all DNS Subject Alternative Name (SAN) entries. This caused strings.Split(host, ".") to execute repeatedly on the same input hostname.

With a large DNS SAN list, verification costs scaled quadratically based on the number of SAN entries multiplied by the hostname's label count. Because x509.Verify validates hostnames before building the certificate chain, this overhead occurred even for untrusted certificates.

Affected range	`<1.25.11`
Fixed version	`1.25.11`
EPSS Score	`0.038%`
EPSS Percentile	`12th percentile`

Description

When returning errors, functions in the net/textproto package would include its input as part of the error. This might allow an attacker to inject misleading content to errors that are printed or logged.

libinput10 1.28.1-1 (deb)

pkg:deb/debian/libinput10@1.28.1-1?arch=i386&distro=debian-13&upstream=libinput

# Dockerfile (264:264)
RUN DEBIAN_FRONTEND=noninteractive apt-get update && apt --no-install-recommends install -y curl ca-certificates python3 python-is-python3 python3-pyqt5 libopengl0 && rm -rf /var/lib/apt/lists/* /var/cache/apt/*

Affected range	`<1.28.1-1+deb13u1`
Fixed version	`1.28.1-1+deb13u1`
EPSS Score	`0.071%`
EPSS Percentile	`22nd percentile`

Description

In libinput before 1.30.4 and 1.31.x before 1.31.3, libinput-device-group unescaped phys output can inject udev properties leading to arbitrary root code execution

libinput 1.31.3-1
https://gitlab.freedesktop.org/libinput/libinput/-/work_items/1296
Fixed by: https://gitlab.freedesktop.org/libinput/libinput/-/commit/76f0d8a7f57e2868882864b4611281f12f704b55 (main)
Fixed by: https://gitlab.freedesktop.org/libinput/libinput/-/commit/d438100aa14c7899e3f574eaa396e8c5831ff5e6 (1.31.3)
Fixed by: https://gitlab.freedesktop.org/libinput/libinput/-/commit/f5ac1e51fffffdc19aace7708175c10840a8b801 (1.31.3)
Fixed by: https://gitlab.freedesktop.org/libinput/libinput/-/commit/fc2262e1c1847021239065e84f39f15492ef05cc (1.30.4)
Fixed by: https://gitlab.freedesktop.org/libinput/libinput/-/commit/b2bde9504d42a5976d76e1f27c640dc561fbd99b (1.30.4)
https://www.openwall.com/lists/oss-security/2026/06/04/5

jquery-ui 1.11.2 (npm)

pkg:npm/jquery-ui@1.11.2

# Dockerfile (252:252)
COPY --from=build /tmp/install /flightgear/script/dnc-managed/install

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.13.0`
Fixed version	`1.13.0`
CVSS Score	`6.5`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N`
EPSS Score	`31.104%`
EPSS Percentile	`97th percentile`

Description

Impact

Accepting the value of the of option of the .position() util from untrusted sources may execute untrusted code. For example, invoking the following code:
$( "#element" ).position( {
	my: "left top",
	at: "right bottom",
	of: "<img onerror='doEvilThing()' src='/404' />",
	collision: "none"
} );
will call the doEvilThing() function.

Patches

The issue is fixed in jQuery UI 1.13.0. Any string value passed to the of option is now treated as a CSS selector.

Workarounds

A workaround is to not accept the value of the of option from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.13.0`
Fixed version	`1.13.0`
CVSS Score	`6.5`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N`
EPSS Score	`3.097%`
EPSS Percentile	`87th percentile`

Description

Impact

Accepting the value of various *Text options of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker in the following way:
$( "#datepicker" ).datepicker( {
	showButtonPanel: true,
	showOn: "both",
	closeText: "<script>doEvilThing( 'closeText XSS' )</script>",
	currentText: "<script>doEvilThing( 'currentText XSS' )</script>",
	prevText: "<script>doEvilThing( 'prevText XSS' )</script>",
	nextText: "<script>doEvilThing( 'nextText XSS' )</script>",
	buttonText: "<script>doEvilThing( 'buttonText XSS' )</script>",
	appendText: "<script>doEvilThing( 'appendText XSS' )</script>",
} );
will call doEvilThing with 6 different parameters coming from all *Text options.

Patches

The issue is fixed in jQuery UI 1.13.0. The values passed to various *Text options are now always treated as pure text, not HTML.

Workarounds

A workaround is to not accept the value of the *Text options from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.13.0`
Fixed version	`1.13.0`
CVSS Score	`6.5`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N`
EPSS Score	`22.267%`
EPSS Percentile	`96th percentile`

Description

Impact

Accepting the value of the altField option of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker in the following way:
$( "#datepicker" ).datepicker( {
	altField: "<img onerror='doEvilThing()' src='/404' />",
} );
will call the doEvilThing function.

Patches

The issue is fixed in jQuery UI 1.13.0. Any string value passed to the altField option is now treated as a CSS selector.

Workarounds

A workaround is to not accept the value of the altField option from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.13.2`
Fixed version	`1.13.2`
CVSS Score	`6.1`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N`
EPSS Score	`5.871%`
EPSS Percentile	`91st percentile`

Description

Impact

Initializing a checkboxradio widget on an input enclosed within a label makes that parent label contents considered as the input label. If you call .checkboxradio( "refresh" ) on such a widget and the initial HTML contained encoded HTML entities, they will erroneously get decoded. This can lead to potentially executing JavaScript code.

For example, starting with the following initial secure HTML:
<label>
	<input id="test-input">
	&lt;img src=x onerror="alert(1)"&gt;
</label>
and calling:
$( "#test-input" ).checkboxradio();
$( "#test-input" ).checkboxradio( "refresh" );
will turn the initial HTML into:
<label>
	
	<input id="test-input">
	<img src=x onerror="alert(1)">
</label>
and the alert will get executed.

Patches

The bug has been patched in jQuery UI 1.13.2.

Workarounds

To remediate the issue, if you can change the initial HTML, you can wrap all the non-input contents of the label in a span:
<label>
	<input id="test-input">
	<span>&lt;img src=x onerror="alert(1)"&gt;</span>
</label>
References

https://blog.jqueryui.com/2022/07/jquery-ui-1-13-2-released/

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.12.0`
Fixed version	`1.12.0`
CVSS Score	`6.1`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N`
EPSS Score	`1.778%`
EPSS Percentile	`83rd percentile`

Description

Affected versions of jquery-ui are vulnerable to a cross-site scripting vulnerability when arbitrary user input is supplied as the value of the closeText parameter in the dialog function.

jQuery-UI is a library for manipulating UI elements via jQuery.

Version 1.11.4 has a cross site scripting (XSS) vulnerability in the closeText parameter of the dialog function. If your application passes user input to this parameter, it may be vulnerable to XSS via this attack vector.

Recommendation

Upgrade to jQuery-UI 1.12.0 or later.

OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

Affected range	`<=1.11.4`
Fixed version	`1.12.0`

Description

jQuery-UI has a cross site scripting (XSS) vulnerability in the closeText parameter of the dialog function. If your application passes user input to this parameter, it may be vulnerable to XSS via this attack vector.

github-actions · 2026-06-15T13:35:14Z

Recommended fixes for image (linux/386) `jlp04/elevation-generator:latest`

Base image is debian:latest

Name	13.5
Digest	sha256:804a514efd1d29653f3994230b23af636427967819f18d34ac02301e1ebb3944
Vulnerabilities
Pushed	4 weeks ago
Size	51 MB
Packages	111
OS	13.5

The base image is also available under the supported tag(s): 13, 13.5, trixie

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

✅ There are no tag recommendations at this time.

github-actions · 2026-06-15T13:35:43Z


Your image	`jlp04/elevation-generator:latest`
Current base image	`debian:latest`

github-actions · 2026-06-15T13:35:48Z

🔍 Vulnerabilities of `jlp04/elevation-generator:latest`

📦 Image Reference jlp04/elevation-generator:latest

digest	`sha256:d9d66e0c5a2ab84cbf170c89540aff97bf0fe5d7d1add8cbde856dae466e926d`
vulnerabilities
platform	linux/amd64
size	9.4 GB
packages	963

📦 Base Image debian:13

also known as	`13.5` `latest` `trixie` `trixie-20260518`
digest	`sha256:2477d9ee0ead4370c778ce3aa42258a0b07684d1a84ded8f4af518383fbc3f2d`
vulnerabilities

golang.org/x/crypto 0.51.0 (golang)

pkg:golang/golang.org/x/crypto@0.51.0

# Dockerfile (266:266)
RUN set -o pipefail && curl https://getcroc.schollz.com | bash || curl https://getcroc.schollz.com | sed 's^croc_base_url="https://github.com/schollz/croc/releases/download"^croc_base_url="file://"^g' | bash

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.052%`
EPSS Percentile	`17th percentile`

Description

Previously, CVE-2024-45337 fixed an authorization bypass for misused ssh server configurations; if any other type of callback is passed other than public key, then the source-address validation would be skipped.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.038%`
EPSS Percentile	`12th percentile`

Description

Previously, a revoked 'SignatureKey' belonging to a CA was not correctly checked for revocation. Now, both the 'key' and 'key.SignatureKey' are checked for @Revoked.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.054%`
EPSS Percentile	`17th percentile`

Description

When writing data larger than 4GB in a single Write call on an SSH channel, an integer overflow in the internal payload size calculation caused the write loop to spin indefinitely, sending empty packets without making progress. The size comparison now uses int64 to prevent truncation.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.042%`
EPSS Percentile	`13th percentile`

Description

The in-memory keyring returned by NewKeyring() silently accepted keys with the ConfirmBeforeUse constraint but never enforced it. The key would sign without any confirmation prompt, with no indication to the caller that the constraint was not in effect. NewKeyring() now returns an error when unsupported constraints are requested.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.068%`
EPSS Percentile	`21st percentile`

Description

When adding a key to a remote agent constraint extensions such as restrict-destination-v00@openssh.com were not serialized in the request. Destination restrictions were silently stripped when forwarding keys, allowing unrestricted use of the key on the remote host. The client now serializes all constraint extensions. Additionally, the in-memory keyring returned by NewKeyring() now rejects keys with unsupported constraint extensions instead of silently ignoring them.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.033%`
EPSS Percentile	`10th percentile`

Description

The Verify() method for FIDO/U2F security key types (sk-ecdsa-sha2-nistp256@openssh.com, sk-ssh-ed25519@openssh.com) did not check the User Presence flag. Signatures generated without physical touch were accepted, allowing unattended use of a hardware security key. To restore the previous behavior, return a "no-touch-required" extension in Permissions.Extensions from PublicKeyCallback.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.054%`
EPSS Percentile	`17th percentile`

Description

A malicious SSH peer could send unsolicited global request responses to fill an internal buffer, blocking the connection's read loop. The blocked goroutine could not be released by calling Close(), resulting in a resource leak per connection. Unsolicited global responses are now discarded.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.054%`
EPSS Percentile	`17th percentile`

Description

An incorrectly placed cast from bytes to int allowed for server-side panic in the AES-GCM packet decoder for well-crafted inputs.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.035%`
EPSS Percentile	`11th percentile`

Description

The RSA and DSA public key parsers did not enforce size limits on key parameters. A crafted public key with an excessively large modulus or DSA parameter could cause several minutes of CPU consumption during signature verification. This could be triggered by unauthenticated clients during public key authentication. RSA moduli are now limited to 8192 bits, and DSA parameters are validated per FIPS 186-2.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.023%`
EPSS Percentile	`7th percentile`

Description

An authenticated SSH client that repeatedly opened channels which were rejected by the server caused unbounded memory growth, eventually crashing the server process and affecting all connected users. Rejected channels are now properly removed from the connection's internal state and released for garbage collection.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.034%`
EPSS Percentile	`11th percentile`

Description

When an SSH server authentication callback returned PartialSuccessError with non-nil Permissions, those permissions were silently discarded, potentially dropping certificate restrictions such as force-command after a second factor succeeded. Returning non-nil Permissions with PartialSuccessError now results in a connection error.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.050%`
EPSS Percentile	`16th percentile`

Description

For certain crafted inputs, a 'ed25519.PrivateKey' was created by casting malformed wire bytes, leading to a panic when used.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.029%`
EPSS Percentile	`9th percentile`

Description

SSH servers which use CertChecker as a public key callback without setting IsUserAuthority or IsHostAuthority could be caused to panic by a client presenting a certificate. CertChecker now returns an error instead of panicking when these callbacks are nil.

golang.org/x/net 0.54.0 (golang)

pkg:golang/golang.org/x/net@0.54.0

# Dockerfile (266:266)
RUN set -o pipefail && curl https://getcroc.schollz.com | bash || curl https://getcroc.schollz.com | sed 's^croc_base_url="https://github.com/schollz/croc/releases/download"^croc_base_url="file://"^g' | bash

Affected range	`<0.55.0`
Fixed version	`0.55.0`
EPSS Score	`0.050%`
EPSS Percentile	`16th percentile`

Description

The ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to an ASCII-only label. For example, ToUnicode("xn--example-.com") incorrectly returns the name "example.com" rather than an error.

This behavior can lead to privilege escalation in programs using the idna package. For example, a program which performs privilege checks on the ASCII hostname may reject "example.com" but permit "xn--example-.com". If that program subsequently converts the ASCII hostname to Unicode, it will inadvertently permits access to the Unicode name "example.com".

Affected range	`<0.55.0`
Fixed version	`0.55.0`
EPSS Score	`0.061%`
EPSS Percentile	`19th percentile`

Description

Parsing arbitrary HTML can consume excessive CPU time, possibly leading to denial of service.

Affected range	`<0.55.0`
Fixed version	`0.55.0`
EPSS Score	`0.032%`
EPSS Percentile	`10th percentile`

Description

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

Affected range	`<0.55.0`
Fixed version	`0.55.0`
EPSS Score	`0.031%`
EPSS Percentile	`9th percentile`

Description

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

Affected range	`<0.55.0`
Fixed version	`0.55.0`
EPSS Score	`0.031%`
EPSS Percentile	`9th percentile`

Description

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

Affected range	`<0.55.0`
Fixed version	`0.55.0`
EPSS Score	`0.031%`
EPSS Percentile	`9th percentile`

Description

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

stdlib 1.25.10 (golang)

pkg:golang/stdlib@1.25.10

# Dockerfile (266:266)
RUN set -o pipefail && curl https://getcroc.schollz.com | bash || curl https://getcroc.schollz.com | sed 's^croc_base_url="https://github.com/schollz/croc/releases/download"^croc_base_url="file://"^g' | bash

Affected range	`<1.25.11`
Fixed version	`1.25.11`
EPSS Score	`0.055%`
EPSS Percentile	`18th percentile`

Description

Decoding a maliciously-crafted MIME header containing many invalid encoded-words can consume excessive CPU.

Affected range	`<1.25.11`
Fixed version	`1.25.11`
EPSS Score	`0.011%`
EPSS Percentile	`2nd percentile`

Description

(*x509.Certificate).VerifyHostname previously called matchHostnames in a loop over all DNS Subject Alternative Name (SAN) entries. This caused strings.Split(host, ".") to execute repeatedly on the same input hostname.

With a large DNS SAN list, verification costs scaled quadratically based on the number of SAN entries multiplied by the hostname's label count. Because x509.Verify validates hostnames before building the certificate chain, this overhead occurred even for untrusted certificates.

Affected range	`<1.25.11`
Fixed version	`1.25.11`
EPSS Score	`0.038%`
EPSS Percentile	`12th percentile`

Description

When returning errors, functions in the net/textproto package would include its input as part of the error. This might allow an attacker to inject misleading content to errors that are printed or logged.

libinput10 1.28.1-1 (deb)

pkg:deb/debian/libinput10@1.28.1-1?arch=amd64&distro=debian-13&upstream=libinput

# Dockerfile (264:264)
RUN DEBIAN_FRONTEND=noninteractive apt-get update && apt --no-install-recommends install -y curl ca-certificates python3 python-is-python3 python3-pyqt5 libopengl0 && rm -rf /var/lib/apt/lists/* /var/cache/apt/*

Affected range	`<1.28.1-1+deb13u1`
Fixed version	`1.28.1-1+deb13u1`
EPSS Score	`0.071%`
EPSS Percentile	`22nd percentile`

Description

In libinput before 1.30.4 and 1.31.x before 1.31.3, libinput-device-group unescaped phys output can inject udev properties leading to arbitrary root code execution

libinput 1.31.3-1
https://gitlab.freedesktop.org/libinput/libinput/-/work_items/1296
Fixed by: https://gitlab.freedesktop.org/libinput/libinput/-/commit/76f0d8a7f57e2868882864b4611281f12f704b55 (main)
Fixed by: https://gitlab.freedesktop.org/libinput/libinput/-/commit/d438100aa14c7899e3f574eaa396e8c5831ff5e6 (1.31.3)
Fixed by: https://gitlab.freedesktop.org/libinput/libinput/-/commit/f5ac1e51fffffdc19aace7708175c10840a8b801 (1.31.3)
Fixed by: https://gitlab.freedesktop.org/libinput/libinput/-/commit/fc2262e1c1847021239065e84f39f15492ef05cc (1.30.4)
Fixed by: https://gitlab.freedesktop.org/libinput/libinput/-/commit/b2bde9504d42a5976d76e1f27c640dc561fbd99b (1.30.4)
https://www.openwall.com/lists/oss-security/2026/06/04/5

jquery-ui 1.11.2 (npm)

pkg:npm/jquery-ui@1.11.2

# Dockerfile (252:252)
COPY --from=build /tmp/install /flightgear/script/dnc-managed/install

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.13.0`
Fixed version	`1.13.0`
CVSS Score	`6.5`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N`
EPSS Score	`31.104%`
EPSS Percentile	`97th percentile`

Description

Impact

Accepting the value of the of option of the .position() util from untrusted sources may execute untrusted code. For example, invoking the following code:
$( "#element" ).position( {
	my: "left top",
	at: "right bottom",
	of: "<img onerror='doEvilThing()' src='/404' />",
	collision: "none"
} );
will call the doEvilThing() function.

Patches

The issue is fixed in jQuery UI 1.13.0. Any string value passed to the of option is now treated as a CSS selector.

Workarounds

A workaround is to not accept the value of the of option from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.13.0`
Fixed version	`1.13.0`
CVSS Score	`6.5`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N`
EPSS Score	`3.097%`
EPSS Percentile	`87th percentile`

Description

Impact

Accepting the value of various *Text options of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker in the following way:
$( "#datepicker" ).datepicker( {
	showButtonPanel: true,
	showOn: "both",
	closeText: "<script>doEvilThing( 'closeText XSS' )</script>",
	currentText: "<script>doEvilThing( 'currentText XSS' )</script>",
	prevText: "<script>doEvilThing( 'prevText XSS' )</script>",
	nextText: "<script>doEvilThing( 'nextText XSS' )</script>",
	buttonText: "<script>doEvilThing( 'buttonText XSS' )</script>",
	appendText: "<script>doEvilThing( 'appendText XSS' )</script>",
} );
will call doEvilThing with 6 different parameters coming from all *Text options.

Patches

The issue is fixed in jQuery UI 1.13.0. The values passed to various *Text options are now always treated as pure text, not HTML.

Workarounds

A workaround is to not accept the value of the *Text options from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.13.0`
Fixed version	`1.13.0`
CVSS Score	`6.5`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N`
EPSS Score	`22.267%`
EPSS Percentile	`96th percentile`

Description

Impact

Accepting the value of the altField option of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker in the following way:
$( "#datepicker" ).datepicker( {
	altField: "<img onerror='doEvilThing()' src='/404' />",
} );
will call the doEvilThing function.

Patches

The issue is fixed in jQuery UI 1.13.0. Any string value passed to the altField option is now treated as a CSS selector.

Workarounds

A workaround is to not accept the value of the altField option from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.13.2`
Fixed version	`1.13.2`
CVSS Score	`6.1`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N`
EPSS Score	`5.871%`
EPSS Percentile	`91st percentile`

Description

Impact

Initializing a checkboxradio widget on an input enclosed within a label makes that parent label contents considered as the input label. If you call .checkboxradio( "refresh" ) on such a widget and the initial HTML contained encoded HTML entities, they will erroneously get decoded. This can lead to potentially executing JavaScript code.

For example, starting with the following initial secure HTML:
<label>
	<input id="test-input">
	&lt;img src=x onerror="alert(1)"&gt;
</label>
and calling:
$( "#test-input" ).checkboxradio();
$( "#test-input" ).checkboxradio( "refresh" );
will turn the initial HTML into:
<label>
	
	<input id="test-input">
	<img src=x onerror="alert(1)">
</label>
and the alert will get executed.

Patches

The bug has been patched in jQuery UI 1.13.2.

Workarounds

To remediate the issue, if you can change the initial HTML, you can wrap all the non-input contents of the label in a span:
<label>
	<input id="test-input">
	<span>&lt;img src=x onerror="alert(1)"&gt;</span>
</label>
References

https://blog.jqueryui.com/2022/07/jquery-ui-1-13-2-released/

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.12.0`
Fixed version	`1.12.0`
CVSS Score	`6.1`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N`
EPSS Score	`1.778%`
EPSS Percentile	`83rd percentile`

Description

Affected versions of jquery-ui are vulnerable to a cross-site scripting vulnerability when arbitrary user input is supplied as the value of the closeText parameter in the dialog function.

jQuery-UI is a library for manipulating UI elements via jQuery.

Version 1.11.4 has a cross site scripting (XSS) vulnerability in the closeText parameter of the dialog function. If your application passes user input to this parameter, it may be vulnerable to XSS via this attack vector.

Recommendation

Upgrade to jQuery-UI 1.12.0 or later.

OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

Affected range	`<=1.11.4`
Fixed version	`1.12.0`

Description

jQuery-UI has a cross site scripting (XSS) vulnerability in the closeText parameter of the dialog function. If your application passes user input to this parameter, it may be vulnerable to XSS via this attack vector.

github-actions · 2026-06-15T13:35:52Z

Recommended fixes for image (linux/amd64) `jlp04/elevation-generator:latest`

Base image is debian:latest

Name	13.5
Digest	sha256:2477d9ee0ead4370c778ce3aa42258a0b07684d1a84ded8f4af518383fbc3f2d
Vulnerabilities
Pushed	4 weeks ago
Size	49 MB
Packages	111
OS	13.5

The base image is also available under the supported tag(s): 13, 13.5, trixie

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

✅ There are no tag recommendations at this time.

github-actions · 2026-06-15T13:36:21Z


Your image	`jlp04/elevation-generator:latest`
Current base image	`debian:latest`

github-actions · 2026-06-15T13:36:26Z

🔍 Vulnerabilities of `jlp04/elevation-generator:latest`

📦 Image Reference jlp04/elevation-generator:latest

digest	`sha256:3c7394cf0ad646906d6f67cb72971a241e53eb2864c00d6d58809ede6a8ecdb5`
vulnerabilities
platform	linux/arm/v5
size	9.4 GB
packages	947

📦 Base Image debian:13

also known as	`13.5` `latest` `trixie` `trixie-20260518`
digest	`sha256:87830995eed0e62e9d1aa5360345611d29b343ce532bfce499d9342f33d41076`
vulnerabilities

golang.org/x/crypto 0.51.0 (golang)

pkg:golang/golang.org/x/crypto@0.51.0

# Dockerfile (266:266)
RUN set -o pipefail && curl https://getcroc.schollz.com | bash || curl https://getcroc.schollz.com | sed 's^croc_base_url="https://github.com/schollz/croc/releases/download"^croc_base_url="file://"^g' | bash

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.052%`
EPSS Percentile	`17th percentile`

Description

Previously, CVE-2024-45337 fixed an authorization bypass for misused ssh server configurations; if any other type of callback is passed other than public key, then the source-address validation would be skipped.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.038%`
EPSS Percentile	`12th percentile`

Description

Previously, a revoked 'SignatureKey' belonging to a CA was not correctly checked for revocation. Now, both the 'key' and 'key.SignatureKey' are checked for @Revoked.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.054%`
EPSS Percentile	`17th percentile`

Description

When writing data larger than 4GB in a single Write call on an SSH channel, an integer overflow in the internal payload size calculation caused the write loop to spin indefinitely, sending empty packets without making progress. The size comparison now uses int64 to prevent truncation.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.042%`
EPSS Percentile	`13th percentile`

Description

The in-memory keyring returned by NewKeyring() silently accepted keys with the ConfirmBeforeUse constraint but never enforced it. The key would sign without any confirmation prompt, with no indication to the caller that the constraint was not in effect. NewKeyring() now returns an error when unsupported constraints are requested.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.068%`
EPSS Percentile	`21st percentile`

Description

When adding a key to a remote agent constraint extensions such as restrict-destination-v00@openssh.com were not serialized in the request. Destination restrictions were silently stripped when forwarding keys, allowing unrestricted use of the key on the remote host. The client now serializes all constraint extensions. Additionally, the in-memory keyring returned by NewKeyring() now rejects keys with unsupported constraint extensions instead of silently ignoring them.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.033%`
EPSS Percentile	`10th percentile`

Description

The Verify() method for FIDO/U2F security key types (sk-ecdsa-sha2-nistp256@openssh.com, sk-ssh-ed25519@openssh.com) did not check the User Presence flag. Signatures generated without physical touch were accepted, allowing unattended use of a hardware security key. To restore the previous behavior, return a "no-touch-required" extension in Permissions.Extensions from PublicKeyCallback.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.054%`
EPSS Percentile	`17th percentile`

Description

A malicious SSH peer could send unsolicited global request responses to fill an internal buffer, blocking the connection's read loop. The blocked goroutine could not be released by calling Close(), resulting in a resource leak per connection. Unsolicited global responses are now discarded.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.054%`
EPSS Percentile	`17th percentile`

Description

An incorrectly placed cast from bytes to int allowed for server-side panic in the AES-GCM packet decoder for well-crafted inputs.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.035%`
EPSS Percentile	`11th percentile`

Description

The RSA and DSA public key parsers did not enforce size limits on key parameters. A crafted public key with an excessively large modulus or DSA parameter could cause several minutes of CPU consumption during signature verification. This could be triggered by unauthenticated clients during public key authentication. RSA moduli are now limited to 8192 bits, and DSA parameters are validated per FIPS 186-2.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.023%`
EPSS Percentile	`7th percentile`

Description

An authenticated SSH client that repeatedly opened channels which were rejected by the server caused unbounded memory growth, eventually crashing the server process and affecting all connected users. Rejected channels are now properly removed from the connection's internal state and released for garbage collection.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.034%`
EPSS Percentile	`11th percentile`

Description

When an SSH server authentication callback returned PartialSuccessError with non-nil Permissions, those permissions were silently discarded, potentially dropping certificate restrictions such as force-command after a second factor succeeded. Returning non-nil Permissions with PartialSuccessError now results in a connection error.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.050%`
EPSS Percentile	`16th percentile`

Description

For certain crafted inputs, a 'ed25519.PrivateKey' was created by casting malformed wire bytes, leading to a panic when used.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.029%`
EPSS Percentile	`9th percentile`

Description

SSH servers which use CertChecker as a public key callback without setting IsUserAuthority or IsHostAuthority could be caused to panic by a client presenting a certificate. CertChecker now returns an error instead of panicking when these callbacks are nil.

golang.org/x/net 0.54.0 (golang)

pkg:golang/golang.org/x/net@0.54.0

# Dockerfile (266:266)
RUN set -o pipefail && curl https://getcroc.schollz.com | bash || curl https://getcroc.schollz.com | sed 's^croc_base_url="https://github.com/schollz/croc/releases/download"^croc_base_url="file://"^g' | bash

Affected range	`<0.55.0`
Fixed version	`0.55.0`
EPSS Score	`0.050%`
EPSS Percentile	`16th percentile`

Description

The ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to an ASCII-only label. For example, ToUnicode("xn--example-.com") incorrectly returns the name "example.com" rather than an error.

This behavior can lead to privilege escalation in programs using the idna package. For example, a program which performs privilege checks on the ASCII hostname may reject "example.com" but permit "xn--example-.com". If that program subsequently converts the ASCII hostname to Unicode, it will inadvertently permits access to the Unicode name "example.com".

Affected range	`<0.55.0`
Fixed version	`0.55.0`
EPSS Score	`0.061%`
EPSS Percentile	`19th percentile`

Description

Parsing arbitrary HTML can consume excessive CPU time, possibly leading to denial of service.

Affected range	`<0.55.0`
Fixed version	`0.55.0`
EPSS Score	`0.032%`
EPSS Percentile	`10th percentile`

Description

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

Affected range	`<0.55.0`
Fixed version	`0.55.0`
EPSS Score	`0.031%`
EPSS Percentile	`9th percentile`

Description

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

Affected range	`<0.55.0`
Fixed version	`0.55.0`
EPSS Score	`0.031%`
EPSS Percentile	`9th percentile`

Description

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

Affected range	`<0.55.0`
Fixed version	`0.55.0`
EPSS Score	`0.031%`
EPSS Percentile	`9th percentile`

Description

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

stdlib 1.25.10 (golang)

pkg:golang/stdlib@1.25.10

# Dockerfile (266:266)
RUN set -o pipefail && curl https://getcroc.schollz.com | bash || curl https://getcroc.schollz.com | sed 's^croc_base_url="https://github.com/schollz/croc/releases/download"^croc_base_url="file://"^g' | bash

Affected range	`<1.25.11`
Fixed version	`1.25.11`
EPSS Score	`0.055%`
EPSS Percentile	`18th percentile`

Description

Decoding a maliciously-crafted MIME header containing many invalid encoded-words can consume excessive CPU.

Affected range	`<1.25.11`
Fixed version	`1.25.11`
EPSS Score	`0.011%`
EPSS Percentile	`2nd percentile`

Description

(*x509.Certificate).VerifyHostname previously called matchHostnames in a loop over all DNS Subject Alternative Name (SAN) entries. This caused strings.Split(host, ".") to execute repeatedly on the same input hostname.

With a large DNS SAN list, verification costs scaled quadratically based on the number of SAN entries multiplied by the hostname's label count. Because x509.Verify validates hostnames before building the certificate chain, this overhead occurred even for untrusted certificates.

Affected range	`<1.25.11`
Fixed version	`1.25.11`
EPSS Score	`0.038%`
EPSS Percentile	`12th percentile`

Description

When returning errors, functions in the net/textproto package would include its input as part of the error. This might allow an attacker to inject misleading content to errors that are printed or logged.

libinput10 1.28.1-1 (deb)

pkg:deb/debian/libinput10@1.28.1-1?arch=armel&distro=debian-13&upstream=libinput

# Dockerfile (264:264)
RUN DEBIAN_FRONTEND=noninteractive apt-get update && apt --no-install-recommends install -y curl ca-certificates python3 python-is-python3 python3-pyqt5 libopengl0 && rm -rf /var/lib/apt/lists/* /var/cache/apt/*

Affected range	`<1.28.1-1+deb13u1`
Fixed version	`1.28.1-1+deb13u1`
EPSS Score	`0.071%`
EPSS Percentile	`22nd percentile`

Description

In libinput before 1.30.4 and 1.31.x before 1.31.3, libinput-device-group unescaped phys output can inject udev properties leading to arbitrary root code execution

libinput 1.31.3-1
https://gitlab.freedesktop.org/libinput/libinput/-/work_items/1296
Fixed by: https://gitlab.freedesktop.org/libinput/libinput/-/commit/76f0d8a7f57e2868882864b4611281f12f704b55 (main)
Fixed by: https://gitlab.freedesktop.org/libinput/libinput/-/commit/d438100aa14c7899e3f574eaa396e8c5831ff5e6 (1.31.3)
Fixed by: https://gitlab.freedesktop.org/libinput/libinput/-/commit/f5ac1e51fffffdc19aace7708175c10840a8b801 (1.31.3)
Fixed by: https://gitlab.freedesktop.org/libinput/libinput/-/commit/fc2262e1c1847021239065e84f39f15492ef05cc (1.30.4)
Fixed by: https://gitlab.freedesktop.org/libinput/libinput/-/commit/b2bde9504d42a5976d76e1f27c640dc561fbd99b (1.30.4)
https://www.openwall.com/lists/oss-security/2026/06/04/5

jquery-ui 1.11.2 (npm)

pkg:npm/jquery-ui@1.11.2

# Dockerfile (252:252)
COPY --from=build /tmp/install /flightgear/script/dnc-managed/install

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.13.0`
Fixed version	`1.13.0`
CVSS Score	`6.5`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N`
EPSS Score	`31.104%`
EPSS Percentile	`97th percentile`

Description

Impact

Accepting the value of the of option of the .position() util from untrusted sources may execute untrusted code. For example, invoking the following code:
$( "#element" ).position( {
	my: "left top",
	at: "right bottom",
	of: "<img onerror='doEvilThing()' src='/404' />",
	collision: "none"
} );
will call the doEvilThing() function.

Patches

The issue is fixed in jQuery UI 1.13.0. Any string value passed to the of option is now treated as a CSS selector.

Workarounds

A workaround is to not accept the value of the of option from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.13.0`
Fixed version	`1.13.0`
CVSS Score	`6.5`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N`
EPSS Score	`3.097%`
EPSS Percentile	`87th percentile`

Description

Impact

Accepting the value of various *Text options of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker in the following way:
$( "#datepicker" ).datepicker( {
	showButtonPanel: true,
	showOn: "both",
	closeText: "<script>doEvilThing( 'closeText XSS' )</script>",
	currentText: "<script>doEvilThing( 'currentText XSS' )</script>",
	prevText: "<script>doEvilThing( 'prevText XSS' )</script>",
	nextText: "<script>doEvilThing( 'nextText XSS' )</script>",
	buttonText: "<script>doEvilThing( 'buttonText XSS' )</script>",
	appendText: "<script>doEvilThing( 'appendText XSS' )</script>",
} );
will call doEvilThing with 6 different parameters coming from all *Text options.

Patches

The issue is fixed in jQuery UI 1.13.0. The values passed to various *Text options are now always treated as pure text, not HTML.

Workarounds

A workaround is to not accept the value of the *Text options from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.13.0`
Fixed version	`1.13.0`
CVSS Score	`6.5`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N`
EPSS Score	`22.267%`
EPSS Percentile	`96th percentile`

Description

Impact

Accepting the value of the altField option of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker in the following way:
$( "#datepicker" ).datepicker( {
	altField: "<img onerror='doEvilThing()' src='/404' />",
} );
will call the doEvilThing function.

Patches

The issue is fixed in jQuery UI 1.13.0. Any string value passed to the altField option is now treated as a CSS selector.

Workarounds

A workaround is to not accept the value of the altField option from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.13.2`
Fixed version	`1.13.2`
CVSS Score	`6.1`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N`
EPSS Score	`5.871%`
EPSS Percentile	`91st percentile`

Description

Impact

Initializing a checkboxradio widget on an input enclosed within a label makes that parent label contents considered as the input label. If you call .checkboxradio( "refresh" ) on such a widget and the initial HTML contained encoded HTML entities, they will erroneously get decoded. This can lead to potentially executing JavaScript code.

For example, starting with the following initial secure HTML:
<label>
	<input id="test-input">
	&lt;img src=x onerror="alert(1)"&gt;
</label>
and calling:
$( "#test-input" ).checkboxradio();
$( "#test-input" ).checkboxradio( "refresh" );
will turn the initial HTML into:
<label>
	
	<input id="test-input">
	<img src=x onerror="alert(1)">
</label>
and the alert will get executed.

Patches

The bug has been patched in jQuery UI 1.13.2.

Workarounds

To remediate the issue, if you can change the initial HTML, you can wrap all the non-input contents of the label in a span:
<label>
	<input id="test-input">
	<span>&lt;img src=x onerror="alert(1)"&gt;</span>
</label>
References

https://blog.jqueryui.com/2022/07/jquery-ui-1-13-2-released/

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.12.0`
Fixed version	`1.12.0`
CVSS Score	`6.1`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N`
EPSS Score	`1.778%`
EPSS Percentile	`83rd percentile`

Description

Affected versions of jquery-ui are vulnerable to a cross-site scripting vulnerability when arbitrary user input is supplied as the value of the closeText parameter in the dialog function.

jQuery-UI is a library for manipulating UI elements via jQuery.

Version 1.11.4 has a cross site scripting (XSS) vulnerability in the closeText parameter of the dialog function. If your application passes user input to this parameter, it may be vulnerable to XSS via this attack vector.

Recommendation

Upgrade to jQuery-UI 1.12.0 or later.

OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

Affected range	`<=1.11.4`
Fixed version	`1.12.0`

Description

jQuery-UI has a cross site scripting (XSS) vulnerability in the closeText parameter of the dialog function. If your application passes user input to this parameter, it may be vulnerable to XSS via this attack vector.

github-actions · 2026-06-15T13:36:30Z

Recommended fixes for image (linux/arm/v5) `jlp04/elevation-generator:latest`

Base image is debian:latest

Name	13.5
Digest	sha256:87830995eed0e62e9d1aa5360345611d29b343ce532bfce499d9342f33d41076
Vulnerabilities
Pushed	4 weeks ago
Size	48 MB
Packages	112
OS	13.5

The base image is also available under the supported tag(s): 13, 13.5, trixie

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

✅ There are no tag recommendations at this time.

github-actions · 2026-06-15T13:36:57Z


Your image	`jlp04/elevation-generator:latest`
Current base image	`debian:latest`

github-actions · 2026-06-15T13:37:03Z

🔍 Vulnerabilities of `jlp04/elevation-generator:latest`

📦 Image Reference jlp04/elevation-generator:latest

digest	`sha256:1de2cb5e4c2fc2da012d0826c7bbe4204d4147a3570207762e577b3e915ba909`
vulnerabilities
platform	linux/arm/v7
size	9.4 GB
packages	946

📦 Base Image debian:13

also known as	`13.5` `latest` `trixie` `trixie-20260518`
digest	`sha256:dc071dceb8d8c47d9496e56aa149fb8d13cd73af3bde779df7dbaece27eec510`
vulnerabilities

golang.org/x/crypto 0.51.0 (golang)

pkg:golang/golang.org/x/crypto@0.51.0

# Dockerfile (266:266)
RUN set -o pipefail && curl https://getcroc.schollz.com | bash || curl https://getcroc.schollz.com | sed 's^croc_base_url="https://github.com/schollz/croc/releases/download"^croc_base_url="file://"^g' | bash

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.052%`
EPSS Percentile	`17th percentile`

Description

Previously, CVE-2024-45337 fixed an authorization bypass for misused ssh server configurations; if any other type of callback is passed other than public key, then the source-address validation would be skipped.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.038%`
EPSS Percentile	`12th percentile`

Description

Previously, a revoked 'SignatureKey' belonging to a CA was not correctly checked for revocation. Now, both the 'key' and 'key.SignatureKey' are checked for @Revoked.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.054%`
EPSS Percentile	`17th percentile`

Description

When writing data larger than 4GB in a single Write call on an SSH channel, an integer overflow in the internal payload size calculation caused the write loop to spin indefinitely, sending empty packets without making progress. The size comparison now uses int64 to prevent truncation.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.042%`
EPSS Percentile	`13th percentile`

Description

The in-memory keyring returned by NewKeyring() silently accepted keys with the ConfirmBeforeUse constraint but never enforced it. The key would sign without any confirmation prompt, with no indication to the caller that the constraint was not in effect. NewKeyring() now returns an error when unsupported constraints are requested.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.068%`
EPSS Percentile	`21st percentile`

Description

When adding a key to a remote agent constraint extensions such as restrict-destination-v00@openssh.com were not serialized in the request. Destination restrictions were silently stripped when forwarding keys, allowing unrestricted use of the key on the remote host. The client now serializes all constraint extensions. Additionally, the in-memory keyring returned by NewKeyring() now rejects keys with unsupported constraint extensions instead of silently ignoring them.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.033%`
EPSS Percentile	`10th percentile`

Description

The Verify() method for FIDO/U2F security key types (sk-ecdsa-sha2-nistp256@openssh.com, sk-ssh-ed25519@openssh.com) did not check the User Presence flag. Signatures generated without physical touch were accepted, allowing unattended use of a hardware security key. To restore the previous behavior, return a "no-touch-required" extension in Permissions.Extensions from PublicKeyCallback.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.054%`
EPSS Percentile	`17th percentile`

Description

A malicious SSH peer could send unsolicited global request responses to fill an internal buffer, blocking the connection's read loop. The blocked goroutine could not be released by calling Close(), resulting in a resource leak per connection. Unsolicited global responses are now discarded.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.054%`
EPSS Percentile	`17th percentile`

Description

An incorrectly placed cast from bytes to int allowed for server-side panic in the AES-GCM packet decoder for well-crafted inputs.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.035%`
EPSS Percentile	`11th percentile`

Description

The RSA and DSA public key parsers did not enforce size limits on key parameters. A crafted public key with an excessively large modulus or DSA parameter could cause several minutes of CPU consumption during signature verification. This could be triggered by unauthenticated clients during public key authentication. RSA moduli are now limited to 8192 bits, and DSA parameters are validated per FIPS 186-2.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.023%`
EPSS Percentile	`7th percentile`

Description

An authenticated SSH client that repeatedly opened channels which were rejected by the server caused unbounded memory growth, eventually crashing the server process and affecting all connected users. Rejected channels are now properly removed from the connection's internal state and released for garbage collection.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.034%`
EPSS Percentile	`11th percentile`

Description

When an SSH server authentication callback returned PartialSuccessError with non-nil Permissions, those permissions were silently discarded, potentially dropping certificate restrictions such as force-command after a second factor succeeded. Returning non-nil Permissions with PartialSuccessError now results in a connection error.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.050%`
EPSS Percentile	`16th percentile`

Description

For certain crafted inputs, a 'ed25519.PrivateKey' was created by casting malformed wire bytes, leading to a panic when used.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.029%`
EPSS Percentile	`9th percentile`

Description

SSH servers which use CertChecker as a public key callback without setting IsUserAuthority or IsHostAuthority could be caused to panic by a client presenting a certificate. CertChecker now returns an error instead of panicking when these callbacks are nil.

golang.org/x/net 0.54.0 (golang)

pkg:golang/golang.org/x/net@0.54.0

# Dockerfile (266:266)
RUN set -o pipefail && curl https://getcroc.schollz.com | bash || curl https://getcroc.schollz.com | sed 's^croc_base_url="https://github.com/schollz/croc/releases/download"^croc_base_url="file://"^g' | bash

Affected range	`<0.55.0`
Fixed version	`0.55.0`
EPSS Score	`0.050%`
EPSS Percentile	`16th percentile`

Description

The ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to an ASCII-only label. For example, ToUnicode("xn--example-.com") incorrectly returns the name "example.com" rather than an error.

This behavior can lead to privilege escalation in programs using the idna package. For example, a program which performs privilege checks on the ASCII hostname may reject "example.com" but permit "xn--example-.com". If that program subsequently converts the ASCII hostname to Unicode, it will inadvertently permits access to the Unicode name "example.com".

Affected range	`<0.55.0`
Fixed version	`0.55.0`
EPSS Score	`0.061%`
EPSS Percentile	`19th percentile`

Description

Parsing arbitrary HTML can consume excessive CPU time, possibly leading to denial of service.

Affected range	`<0.55.0`
Fixed version	`0.55.0`
EPSS Score	`0.032%`
EPSS Percentile	`10th percentile`

Description

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

Affected range	`<0.55.0`
Fixed version	`0.55.0`
EPSS Score	`0.031%`
EPSS Percentile	`9th percentile`

Description

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

Affected range	`<0.55.0`
Fixed version	`0.55.0`
EPSS Score	`0.031%`
EPSS Percentile	`9th percentile`

Description

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

Affected range	`<0.55.0`
Fixed version	`0.55.0`
EPSS Score	`0.031%`
EPSS Percentile	`9th percentile`

Description

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

stdlib 1.25.10 (golang)

pkg:golang/stdlib@1.25.10

# Dockerfile (266:266)
RUN set -o pipefail && curl https://getcroc.schollz.com | bash || curl https://getcroc.schollz.com | sed 's^croc_base_url="https://github.com/schollz/croc/releases/download"^croc_base_url="file://"^g' | bash

Affected range	`<1.25.11`
Fixed version	`1.25.11`
EPSS Score	`0.055%`
EPSS Percentile	`18th percentile`

Description

Decoding a maliciously-crafted MIME header containing many invalid encoded-words can consume excessive CPU.

Affected range	`<1.25.11`
Fixed version	`1.25.11`
EPSS Score	`0.011%`
EPSS Percentile	`2nd percentile`

Description

(*x509.Certificate).VerifyHostname previously called matchHostnames in a loop over all DNS Subject Alternative Name (SAN) entries. This caused strings.Split(host, ".") to execute repeatedly on the same input hostname.

With a large DNS SAN list, verification costs scaled quadratically based on the number of SAN entries multiplied by the hostname's label count. Because x509.Verify validates hostnames before building the certificate chain, this overhead occurred even for untrusted certificates.

Affected range	`<1.25.11`
Fixed version	`1.25.11`
EPSS Score	`0.038%`
EPSS Percentile	`12th percentile`

Description

When returning errors, functions in the net/textproto package would include its input as part of the error. This might allow an attacker to inject misleading content to errors that are printed or logged.

libinput10 1.28.1-1 (deb)

pkg:deb/debian/libinput10@1.28.1-1?arch=armhf&distro=debian-13&upstream=libinput

# Dockerfile (264:264)
RUN DEBIAN_FRONTEND=noninteractive apt-get update && apt --no-install-recommends install -y curl ca-certificates python3 python-is-python3 python3-pyqt5 libopengl0 && rm -rf /var/lib/apt/lists/* /var/cache/apt/*

Affected range	`<1.28.1-1+deb13u1`
Fixed version	`1.28.1-1+deb13u1`
EPSS Score	`0.071%`
EPSS Percentile	`22nd percentile`

Description

In libinput before 1.30.4 and 1.31.x before 1.31.3, libinput-device-group unescaped phys output can inject udev properties leading to arbitrary root code execution

libinput 1.31.3-1
https://gitlab.freedesktop.org/libinput/libinput/-/work_items/1296
Fixed by: https://gitlab.freedesktop.org/libinput/libinput/-/commit/76f0d8a7f57e2868882864b4611281f12f704b55 (main)
Fixed by: https://gitlab.freedesktop.org/libinput/libinput/-/commit/d438100aa14c7899e3f574eaa396e8c5831ff5e6 (1.31.3)
Fixed by: https://gitlab.freedesktop.org/libinput/libinput/-/commit/f5ac1e51fffffdc19aace7708175c10840a8b801 (1.31.3)
Fixed by: https://gitlab.freedesktop.org/libinput/libinput/-/commit/fc2262e1c1847021239065e84f39f15492ef05cc (1.30.4)
Fixed by: https://gitlab.freedesktop.org/libinput/libinput/-/commit/b2bde9504d42a5976d76e1f27c640dc561fbd99b (1.30.4)
https://www.openwall.com/lists/oss-security/2026/06/04/5

jquery-ui 1.11.2 (npm)

pkg:npm/jquery-ui@1.11.2

# Dockerfile (252:252)
COPY --from=build /tmp/install /flightgear/script/dnc-managed/install

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.13.0`
Fixed version	`1.13.0`
CVSS Score	`6.5`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N`
EPSS Score	`31.104%`
EPSS Percentile	`97th percentile`

Description

Impact

Accepting the value of the of option of the .position() util from untrusted sources may execute untrusted code. For example, invoking the following code:
$( "#element" ).position( {
	my: "left top",
	at: "right bottom",
	of: "<img onerror='doEvilThing()' src='/404' />",
	collision: "none"
} );
will call the doEvilThing() function.

Patches

The issue is fixed in jQuery UI 1.13.0. Any string value passed to the of option is now treated as a CSS selector.

Workarounds

A workaround is to not accept the value of the of option from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.13.0`
Fixed version	`1.13.0`
CVSS Score	`6.5`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N`
EPSS Score	`3.097%`
EPSS Percentile	`87th percentile`

Description

Impact

Accepting the value of various *Text options of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker in the following way:
$( "#datepicker" ).datepicker( {
	showButtonPanel: true,
	showOn: "both",
	closeText: "<script>doEvilThing( 'closeText XSS' )</script>",
	currentText: "<script>doEvilThing( 'currentText XSS' )</script>",
	prevText: "<script>doEvilThing( 'prevText XSS' )</script>",
	nextText: "<script>doEvilThing( 'nextText XSS' )</script>",
	buttonText: "<script>doEvilThing( 'buttonText XSS' )</script>",
	appendText: "<script>doEvilThing( 'appendText XSS' )</script>",
} );
will call doEvilThing with 6 different parameters coming from all *Text options.

Patches

The issue is fixed in jQuery UI 1.13.0. The values passed to various *Text options are now always treated as pure text, not HTML.

Workarounds

A workaround is to not accept the value of the *Text options from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.13.0`
Fixed version	`1.13.0`
CVSS Score	`6.5`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N`
EPSS Score	`22.267%`
EPSS Percentile	`96th percentile`

Description

Impact

Accepting the value of the altField option of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker in the following way:
$( "#datepicker" ).datepicker( {
	altField: "<img onerror='doEvilThing()' src='/404' />",
} );
will call the doEvilThing function.

Patches

The issue is fixed in jQuery UI 1.13.0. Any string value passed to the altField option is now treated as a CSS selector.

Workarounds

A workaround is to not accept the value of the altField option from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.13.2`
Fixed version	`1.13.2`
CVSS Score	`6.1`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N`
EPSS Score	`5.871%`
EPSS Percentile	`91st percentile`

Description

Impact

Initializing a checkboxradio widget on an input enclosed within a label makes that parent label contents considered as the input label. If you call .checkboxradio( "refresh" ) on such a widget and the initial HTML contained encoded HTML entities, they will erroneously get decoded. This can lead to potentially executing JavaScript code.

For example, starting with the following initial secure HTML:
<label>
	<input id="test-input">
	&lt;img src=x onerror="alert(1)"&gt;
</label>
and calling:
$( "#test-input" ).checkboxradio();
$( "#test-input" ).checkboxradio( "refresh" );
will turn the initial HTML into:
<label>
	
	<input id="test-input">
	<img src=x onerror="alert(1)">
</label>
and the alert will get executed.

Patches

The bug has been patched in jQuery UI 1.13.2.

Workarounds

To remediate the issue, if you can change the initial HTML, you can wrap all the non-input contents of the label in a span:
<label>
	<input id="test-input">
	<span>&lt;img src=x onerror="alert(1)"&gt;</span>
</label>
References

https://blog.jqueryui.com/2022/07/jquery-ui-1-13-2-released/

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.12.0`
Fixed version	`1.12.0`
CVSS Score	`6.1`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N`
EPSS Score	`1.778%`
EPSS Percentile	`83rd percentile`

Description

Affected versions of jquery-ui are vulnerable to a cross-site scripting vulnerability when arbitrary user input is supplied as the value of the closeText parameter in the dialog function.

jQuery-UI is a library for manipulating UI elements via jQuery.

Version 1.11.4 has a cross site scripting (XSS) vulnerability in the closeText parameter of the dialog function. If your application passes user input to this parameter, it may be vulnerable to XSS via this attack vector.

Recommendation

Upgrade to jQuery-UI 1.12.0 or later.

OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

Affected range	`<=1.11.4`
Fixed version	`1.12.0`

Description

jQuery-UI has a cross site scripting (XSS) vulnerability in the closeText parameter of the dialog function. If your application passes user input to this parameter, it may be vulnerable to XSS via this attack vector.

github-actions · 2026-06-15T13:37:07Z

Recommended fixes for image (linux/arm/v7) `jlp04/elevation-generator:latest`

Base image is debian:latest

Name	13.5
Digest	sha256:dc071dceb8d8c47d9496e56aa149fb8d13cd73af3bde779df7dbaece27eec510
Vulnerabilities
Pushed	4 weeks ago
Size	46 MB
Packages	111
OS	13.5

The base image is also available under the supported tag(s): 13, 13.5, trixie

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

✅ There are no tag recommendations at this time.

github-actions · 2026-06-15T13:37:34Z


Your image	`jlp04/elevation-generator:latest`
Current base image	`debian:latest`

github-actions · 2026-06-15T13:37:40Z

🔍 Vulnerabilities of `jlp04/elevation-generator:latest`

📦 Image Reference jlp04/elevation-generator:latest

digest	`sha256:243f8039039ac318833b82d75ede28549e265eb75a7e64d964641c447609a170`
vulnerabilities
platform	linux/arm64
size	9.4 GB
packages	960

📦 Base Image debian:13

also known as	`13.5` `latest` `trixie` `trixie-20260518`
digest	`sha256:b1e30180b5678df3c17d6b0e659f7107ae4c299506e97427a9373640804db927`
vulnerabilities

golang.org/x/crypto 0.51.0 (golang)

pkg:golang/golang.org/x/crypto@0.51.0

# Dockerfile (266:266)
RUN set -o pipefail && curl https://getcroc.schollz.com | bash || curl https://getcroc.schollz.com | sed 's^croc_base_url="https://github.com/schollz/croc/releases/download"^croc_base_url="file://"^g' | bash

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.052%`
EPSS Percentile	`17th percentile`

Description

Previously, CVE-2024-45337 fixed an authorization bypass for misused ssh server configurations; if any other type of callback is passed other than public key, then the source-address validation would be skipped.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.038%`
EPSS Percentile	`12th percentile`

Description

Previously, a revoked 'SignatureKey' belonging to a CA was not correctly checked for revocation. Now, both the 'key' and 'key.SignatureKey' are checked for @Revoked.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.054%`
EPSS Percentile	`17th percentile`

Description

When writing data larger than 4GB in a single Write call on an SSH channel, an integer overflow in the internal payload size calculation caused the write loop to spin indefinitely, sending empty packets without making progress. The size comparison now uses int64 to prevent truncation.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.042%`
EPSS Percentile	`13th percentile`

Description

The in-memory keyring returned by NewKeyring() silently accepted keys with the ConfirmBeforeUse constraint but never enforced it. The key would sign without any confirmation prompt, with no indication to the caller that the constraint was not in effect. NewKeyring() now returns an error when unsupported constraints are requested.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.068%`
EPSS Percentile	`21st percentile`

Description

When adding a key to a remote agent constraint extensions such as restrict-destination-v00@openssh.com were not serialized in the request. Destination restrictions were silently stripped when forwarding keys, allowing unrestricted use of the key on the remote host. The client now serializes all constraint extensions. Additionally, the in-memory keyring returned by NewKeyring() now rejects keys with unsupported constraint extensions instead of silently ignoring them.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.033%`
EPSS Percentile	`10th percentile`

Description

The Verify() method for FIDO/U2F security key types (sk-ecdsa-sha2-nistp256@openssh.com, sk-ssh-ed25519@openssh.com) did not check the User Presence flag. Signatures generated without physical touch were accepted, allowing unattended use of a hardware security key. To restore the previous behavior, return a "no-touch-required" extension in Permissions.Extensions from PublicKeyCallback.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.054%`
EPSS Percentile	`17th percentile`

Description

A malicious SSH peer could send unsolicited global request responses to fill an internal buffer, blocking the connection's read loop. The blocked goroutine could not be released by calling Close(), resulting in a resource leak per connection. Unsolicited global responses are now discarded.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.054%`
EPSS Percentile	`17th percentile`

Description

An incorrectly placed cast from bytes to int allowed for server-side panic in the AES-GCM packet decoder for well-crafted inputs.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.035%`
EPSS Percentile	`11th percentile`

Description

The RSA and DSA public key parsers did not enforce size limits on key parameters. A crafted public key with an excessively large modulus or DSA parameter could cause several minutes of CPU consumption during signature verification. This could be triggered by unauthenticated clients during public key authentication. RSA moduli are now limited to 8192 bits, and DSA parameters are validated per FIPS 186-2.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.023%`
EPSS Percentile	`7th percentile`

Description

An authenticated SSH client that repeatedly opened channels which were rejected by the server caused unbounded memory growth, eventually crashing the server process and affecting all connected users. Rejected channels are now properly removed from the connection's internal state and released for garbage collection.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.034%`
EPSS Percentile	`11th percentile`

Description

When an SSH server authentication callback returned PartialSuccessError with non-nil Permissions, those permissions were silently discarded, potentially dropping certificate restrictions such as force-command after a second factor succeeded. Returning non-nil Permissions with PartialSuccessError now results in a connection error.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.050%`
EPSS Percentile	`16th percentile`

Description

For certain crafted inputs, a 'ed25519.PrivateKey' was created by casting malformed wire bytes, leading to a panic when used.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.029%`
EPSS Percentile	`9th percentile`

Description

SSH servers which use CertChecker as a public key callback without setting IsUserAuthority or IsHostAuthority could be caused to panic by a client presenting a certificate. CertChecker now returns an error instead of panicking when these callbacks are nil.

golang.org/x/net 0.54.0 (golang)

pkg:golang/golang.org/x/net@0.54.0

# Dockerfile (266:266)
RUN set -o pipefail && curl https://getcroc.schollz.com | bash || curl https://getcroc.schollz.com | sed 's^croc_base_url="https://github.com/schollz/croc/releases/download"^croc_base_url="file://"^g' | bash

Affected range	`<0.55.0`
Fixed version	`0.55.0`
EPSS Score	`0.050%`
EPSS Percentile	`16th percentile`

Description

The ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to an ASCII-only label. For example, ToUnicode("xn--example-.com") incorrectly returns the name "example.com" rather than an error.

This behavior can lead to privilege escalation in programs using the idna package. For example, a program which performs privilege checks on the ASCII hostname may reject "example.com" but permit "xn--example-.com". If that program subsequently converts the ASCII hostname to Unicode, it will inadvertently permits access to the Unicode name "example.com".

Affected range	`<0.55.0`
Fixed version	`0.55.0`
EPSS Score	`0.061%`
EPSS Percentile	`19th percentile`

Description

Parsing arbitrary HTML can consume excessive CPU time, possibly leading to denial of service.

Affected range	`<0.55.0`
Fixed version	`0.55.0`
EPSS Score	`0.032%`
EPSS Percentile	`10th percentile`

Description

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

Affected range	`<0.55.0`
Fixed version	`0.55.0`
EPSS Score	`0.031%`
EPSS Percentile	`9th percentile`

Description

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

Affected range	`<0.55.0`
Fixed version	`0.55.0`
EPSS Score	`0.031%`
EPSS Percentile	`9th percentile`

Description

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

Affected range	`<0.55.0`
Fixed version	`0.55.0`
EPSS Score	`0.031%`
EPSS Percentile	`9th percentile`

Description

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

stdlib 1.25.10 (golang)

pkg:golang/stdlib@1.25.10

# Dockerfile (266:266)
RUN set -o pipefail && curl https://getcroc.schollz.com | bash || curl https://getcroc.schollz.com | sed 's^croc_base_url="https://github.com/schollz/croc/releases/download"^croc_base_url="file://"^g' | bash

Affected range	`<1.25.11`
Fixed version	`1.25.11`
EPSS Score	`0.055%`
EPSS Percentile	`18th percentile`

Description

Decoding a maliciously-crafted MIME header containing many invalid encoded-words can consume excessive CPU.

Affected range	`<1.25.11`
Fixed version	`1.25.11`
EPSS Score	`0.011%`
EPSS Percentile	`2nd percentile`

Description

(*x509.Certificate).VerifyHostname previously called matchHostnames in a loop over all DNS Subject Alternative Name (SAN) entries. This caused strings.Split(host, ".") to execute repeatedly on the same input hostname.

With a large DNS SAN list, verification costs scaled quadratically based on the number of SAN entries multiplied by the hostname's label count. Because x509.Verify validates hostnames before building the certificate chain, this overhead occurred even for untrusted certificates.

Affected range	`<1.25.11`
Fixed version	`1.25.11`
EPSS Score	`0.038%`
EPSS Percentile	`12th percentile`

Description

When returning errors, functions in the net/textproto package would include its input as part of the error. This might allow an attacker to inject misleading content to errors that are printed or logged.

libinput10 1.28.1-1 (deb)

pkg:deb/debian/libinput10@1.28.1-1?arch=arm64&distro=debian-13&upstream=libinput

# Dockerfile (264:264)
RUN DEBIAN_FRONTEND=noninteractive apt-get update && apt --no-install-recommends install -y curl ca-certificates python3 python-is-python3 python3-pyqt5 libopengl0 && rm -rf /var/lib/apt/lists/* /var/cache/apt/*

Affected range	`<1.28.1-1+deb13u1`
Fixed version	`1.28.1-1+deb13u1`
EPSS Score	`0.071%`
EPSS Percentile	`22nd percentile`

Description

In libinput before 1.30.4 and 1.31.x before 1.31.3, libinput-device-group unescaped phys output can inject udev properties leading to arbitrary root code execution

libinput 1.31.3-1
https://gitlab.freedesktop.org/libinput/libinput/-/work_items/1296
Fixed by: https://gitlab.freedesktop.org/libinput/libinput/-/commit/76f0d8a7f57e2868882864b4611281f12f704b55 (main)
Fixed by: https://gitlab.freedesktop.org/libinput/libinput/-/commit/d438100aa14c7899e3f574eaa396e8c5831ff5e6 (1.31.3)
Fixed by: https://gitlab.freedesktop.org/libinput/libinput/-/commit/f5ac1e51fffffdc19aace7708175c10840a8b801 (1.31.3)
Fixed by: https://gitlab.freedesktop.org/libinput/libinput/-/commit/fc2262e1c1847021239065e84f39f15492ef05cc (1.30.4)
Fixed by: https://gitlab.freedesktop.org/libinput/libinput/-/commit/b2bde9504d42a5976d76e1f27c640dc561fbd99b (1.30.4)
https://www.openwall.com/lists/oss-security/2026/06/04/5

jquery-ui 1.11.2 (npm)

pkg:npm/jquery-ui@1.11.2

# Dockerfile (252:252)
COPY --from=build /tmp/install /flightgear/script/dnc-managed/install

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.13.0`
Fixed version	`1.13.0`
CVSS Score	`6.5`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N`
EPSS Score	`31.104%`
EPSS Percentile	`97th percentile`

Description

Impact

Accepting the value of the of option of the .position() util from untrusted sources may execute untrusted code. For example, invoking the following code:
$( "#element" ).position( {
	my: "left top",
	at: "right bottom",
	of: "<img onerror='doEvilThing()' src='/404' />",
	collision: "none"
} );
will call the doEvilThing() function.

Patches

The issue is fixed in jQuery UI 1.13.0. Any string value passed to the of option is now treated as a CSS selector.

Workarounds

A workaround is to not accept the value of the of option from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.13.0`
Fixed version	`1.13.0`
CVSS Score	`6.5`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N`
EPSS Score	`3.097%`
EPSS Percentile	`87th percentile`

Description

Impact

Accepting the value of various *Text options of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker in the following way:
$( "#datepicker" ).datepicker( {
	showButtonPanel: true,
	showOn: "both",
	closeText: "<script>doEvilThing( 'closeText XSS' )</script>",
	currentText: "<script>doEvilThing( 'currentText XSS' )</script>",
	prevText: "<script>doEvilThing( 'prevText XSS' )</script>",
	nextText: "<script>doEvilThing( 'nextText XSS' )</script>",
	buttonText: "<script>doEvilThing( 'buttonText XSS' )</script>",
	appendText: "<script>doEvilThing( 'appendText XSS' )</script>",
} );
will call doEvilThing with 6 different parameters coming from all *Text options.

Patches

The issue is fixed in jQuery UI 1.13.0. The values passed to various *Text options are now always treated as pure text, not HTML.

Workarounds

A workaround is to not accept the value of the *Text options from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.13.0`
Fixed version	`1.13.0`
CVSS Score	`6.5`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N`
EPSS Score	`22.267%`
EPSS Percentile	`96th percentile`

Description

Impact

Accepting the value of the altField option of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker in the following way:
$( "#datepicker" ).datepicker( {
	altField: "<img onerror='doEvilThing()' src='/404' />",
} );
will call the doEvilThing function.

Patches

The issue is fixed in jQuery UI 1.13.0. Any string value passed to the altField option is now treated as a CSS selector.

Workarounds

A workaround is to not accept the value of the altField option from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.13.2`
Fixed version	`1.13.2`
CVSS Score	`6.1`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N`
EPSS Score	`5.871%`
EPSS Percentile	`91st percentile`

Description

Impact

Initializing a checkboxradio widget on an input enclosed within a label makes that parent label contents considered as the input label. If you call .checkboxradio( "refresh" ) on such a widget and the initial HTML contained encoded HTML entities, they will erroneously get decoded. This can lead to potentially executing JavaScript code.

For example, starting with the following initial secure HTML:
<label>
	<input id="test-input">
	&lt;img src=x onerror="alert(1)"&gt;
</label>
and calling:
$( "#test-input" ).checkboxradio();
$( "#test-input" ).checkboxradio( "refresh" );
will turn the initial HTML into:
<label>
	
	<input id="test-input">
	<img src=x onerror="alert(1)">
</label>
and the alert will get executed.

Patches

The bug has been patched in jQuery UI 1.13.2.

Workarounds

To remediate the issue, if you can change the initial HTML, you can wrap all the non-input contents of the label in a span:
<label>
	<input id="test-input">
	<span>&lt;img src=x onerror="alert(1)"&gt;</span>
</label>
References

https://blog.jqueryui.com/2022/07/jquery-ui-1-13-2-released/

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.12.0`
Fixed version	`1.12.0`
CVSS Score	`6.1`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N`
EPSS Score	`1.778%`
EPSS Percentile	`83rd percentile`

Description

Affected versions of jquery-ui are vulnerable to a cross-site scripting vulnerability when arbitrary user input is supplied as the value of the closeText parameter in the dialog function.

jQuery-UI is a library for manipulating UI elements via jQuery.

Version 1.11.4 has a cross site scripting (XSS) vulnerability in the closeText parameter of the dialog function. If your application passes user input to this parameter, it may be vulnerable to XSS via this attack vector.

Recommendation

Upgrade to jQuery-UI 1.12.0 or later.

OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

Affected range	`<=1.11.4`
Fixed version	`1.12.0`

Description

jQuery-UI has a cross site scripting (XSS) vulnerability in the closeText parameter of the dialog function. If your application passes user input to this parameter, it may be vulnerable to XSS via this attack vector.

github-actions · 2026-06-15T13:37:44Z

Recommended fixes for image (linux/arm64) `jlp04/elevation-generator:latest`

Base image is debian:latest

Name	13.5
Digest	sha256:b1e30180b5678df3c17d6b0e659f7107ae4c299506e97427a9373640804db927
Vulnerabilities
Pushed	4 weeks ago
Size	50 MB
Packages	111
OS	13.5

The base image is also available under the supported tag(s): 13, 13.5, trixie

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

✅ There are no tag recommendations at this time.

github-actions · 2026-06-15T13:38:11Z


Your image	`jlp04/elevation-generator:latest`
Current base image	`debian:latest`

github-actions · 2026-06-15T13:38:17Z

🔍 Vulnerabilities of `jlp04/elevation-generator:latest`

📦 Image Reference jlp04/elevation-generator:latest

digest	`sha256:c9b1476e7b10306274595b7448325b893f6177ac0c147e1a130f526ac73dee30`
vulnerabilities
platform	linux/ppc64le
size	9.4 GB
packages	956

📦 Base Image debian:13

also known as	`13.5` `latest` `trixie` `trixie-20260518`
digest	`sha256:df3512fd9c128f0344a2e4db3b42c66d71ecb62295c24463f4ae851350efd14e`
vulnerabilities

golang.org/x/crypto 0.51.0 (golang)

pkg:golang/golang.org/x/crypto@0.51.0

# Dockerfile (266:266)
RUN set -o pipefail && curl https://getcroc.schollz.com | bash || curl https://getcroc.schollz.com | sed 's^croc_base_url="https://github.com/schollz/croc/releases/download"^croc_base_url="file://"^g' | bash

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.052%`
EPSS Percentile	`17th percentile`

Description

Previously, CVE-2024-45337 fixed an authorization bypass for misused ssh server configurations; if any other type of callback is passed other than public key, then the source-address validation would be skipped.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.038%`
EPSS Percentile	`12th percentile`

Description

Previously, a revoked 'SignatureKey' belonging to a CA was not correctly checked for revocation. Now, both the 'key' and 'key.SignatureKey' are checked for @Revoked.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.054%`
EPSS Percentile	`17th percentile`

Description

When writing data larger than 4GB in a single Write call on an SSH channel, an integer overflow in the internal payload size calculation caused the write loop to spin indefinitely, sending empty packets without making progress. The size comparison now uses int64 to prevent truncation.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.042%`
EPSS Percentile	`13th percentile`

Description

The in-memory keyring returned by NewKeyring() silently accepted keys with the ConfirmBeforeUse constraint but never enforced it. The key would sign without any confirmation prompt, with no indication to the caller that the constraint was not in effect. NewKeyring() now returns an error when unsupported constraints are requested.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.068%`
EPSS Percentile	`21st percentile`

Description

When adding a key to a remote agent constraint extensions such as restrict-destination-v00@openssh.com were not serialized in the request. Destination restrictions were silently stripped when forwarding keys, allowing unrestricted use of the key on the remote host. The client now serializes all constraint extensions. Additionally, the in-memory keyring returned by NewKeyring() now rejects keys with unsupported constraint extensions instead of silently ignoring them.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.033%`
EPSS Percentile	`10th percentile`

Description

The Verify() method for FIDO/U2F security key types (sk-ecdsa-sha2-nistp256@openssh.com, sk-ssh-ed25519@openssh.com) did not check the User Presence flag. Signatures generated without physical touch were accepted, allowing unattended use of a hardware security key. To restore the previous behavior, return a "no-touch-required" extension in Permissions.Extensions from PublicKeyCallback.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.054%`
EPSS Percentile	`17th percentile`

Description

A malicious SSH peer could send unsolicited global request responses to fill an internal buffer, blocking the connection's read loop. The blocked goroutine could not be released by calling Close(), resulting in a resource leak per connection. Unsolicited global responses are now discarded.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.054%`
EPSS Percentile	`17th percentile`

Description

An incorrectly placed cast from bytes to int allowed for server-side panic in the AES-GCM packet decoder for well-crafted inputs.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.035%`
EPSS Percentile	`11th percentile`

Description

The RSA and DSA public key parsers did not enforce size limits on key parameters. A crafted public key with an excessively large modulus or DSA parameter could cause several minutes of CPU consumption during signature verification. This could be triggered by unauthenticated clients during public key authentication. RSA moduli are now limited to 8192 bits, and DSA parameters are validated per FIPS 186-2.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.023%`
EPSS Percentile	`7th percentile`

Description

An authenticated SSH client that repeatedly opened channels which were rejected by the server caused unbounded memory growth, eventually crashing the server process and affecting all connected users. Rejected channels are now properly removed from the connection's internal state and released for garbage collection.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.034%`
EPSS Percentile	`11th percentile`

Description

When an SSH server authentication callback returned PartialSuccessError with non-nil Permissions, those permissions were silently discarded, potentially dropping certificate restrictions such as force-command after a second factor succeeded. Returning non-nil Permissions with PartialSuccessError now results in a connection error.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.050%`
EPSS Percentile	`16th percentile`

Description

For certain crafted inputs, a 'ed25519.PrivateKey' was created by casting malformed wire bytes, leading to a panic when used.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.029%`
EPSS Percentile	`9th percentile`

Description

SSH servers which use CertChecker as a public key callback without setting IsUserAuthority or IsHostAuthority could be caused to panic by a client presenting a certificate. CertChecker now returns an error instead of panicking when these callbacks are nil.

stdlib 1.25.0 (golang)

pkg:golang/stdlib@1.25.0

# Dockerfile (266:266)
RUN set -o pipefail && curl https://getcroc.schollz.com | bash || curl https://getcroc.schollz.com | sed 's^croc_base_url="https://github.com/schollz/croc/releases/download"^croc_base_url="file://"^g' | bash

Affected range	`>=1.25.0-0 <1.25.7`
Fixed version	`1.25.7`
EPSS Score	`0.012%`
EPSS Percentile	`2nd percentile`

Description

During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed. This may happen when a user calls Config.Clone and mutates the returned Config, or uses Config.GetConfigForClient. This can cause a client to resume a session with a server that it would not have resumed with during the initial handshake, or cause a server to resume a session with a client that it would not have resumed with during the initial handshake.

Affected range	`<1.25.11`
Fixed version	`1.25.11`
EPSS Score	`0.055%`
EPSS Percentile	`18th percentile`

Description

Decoding a maliciously-crafted MIME header containing many invalid encoded-words can consume excessive CPU.

Affected range	`<1.25.10`
Fixed version	`1.25.10`
EPSS Score	`0.024%`
EPSS Percentile	`7th percentile`

Description

Pathological inputs could cause DoS through consumePhrase when parsing an email address according to RFC 5322.

Affected range	`<1.25.10`
Fixed version	`1.25.10`
EPSS Score	`0.021%`
EPSS Percentile	`6th percentile`

Description

The Dial and LookupPort functions panic on Windows when provided with an input containing a NUL (0).

Affected range	`<1.25.10`
Fixed version	`1.25.10`
EPSS Score	`0.058%`
EPSS Percentile	`19th percentile`

Description

Well-crafted inputs reaching ParseAddress, ParseAddressList, and ParseDate were able to trigger excessive CPU exhaustion and memory allocations.

Affected range	`<1.25.10`
Fixed version	`1.25.10`
EPSS Score	`0.020%`
EPSS Percentile	`6th percentile`

Description

When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0.

Affected range	`<1.25.10`
Fixed version	`1.25.10`
EPSS Score	`0.018%`
EPSS Percentile	`5th percentile`

Description

When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C memory and a crash.

Affected range	`<1.25.9`
Fixed version	`1.25.9`
EPSS Score	`0.019%`
EPSS Percentile	`5th percentile`

Description

If one side of the TLS connection sends multiple key update messages post-handshake in a single record, the connection can deadlock, causing uncontrolled consumption of resources. This can lead to a denial of service.

This only affects TLS 1.3.

Affected range	`<1.25.9`
Fixed version	`1.25.9`
EPSS Score	`0.022%`
EPSS Percentile	`6th percentile`

Description

Validating certificate chains which use policies is unexpectedly inefficient when certificates in the chain contain a very large number of policy mappings, possibly causing denial of service.

This only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Roots CertPool, or in the system certificate pool.

Affected range	`<1.25.9`
Fixed version	`1.25.9`
EPSS Score	`0.021%`
EPSS Percentile	`6th percentile`

Description

During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions.Intermediates, which can lead to a denial of service. This affects both direct users of crypto/x509 and users of crypto/tls.

Affected range	`<1.25.8`
Fixed version	`1.25.8`
EPSS Score	`0.044%`
EPSS Percentile	`14th percentile`

Description

url.Parse insufficiently validated the host/authority component and accepted some invalid URLs.

Affected range	`>=1.25.0 <1.25.5`
Fixed version	`1.25.5`
EPSS Score	`0.019%`
EPSS Percentile	`5th percentile`

Description

Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a malicious actor can result in excessive resource consumption.

Affected range	`>=1.25.0 <1.25.6`
Fixed version	`1.25.6`
EPSS Score	`0.025%`
EPSS Percentile	`7th percentile`

Description

The net/url package does not set a limit on the number of query parameters in a query.

While the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse large URL-encoded forms. Parsing a large form containing many unique query parameters can cause excessive memory consumption.

Affected range	`>=1.25.0 <1.25.2`
Fixed version	`1.25.2`
EPSS Score	`0.044%`
EPSS Percentile	`14th percentile`

Description

The ParseAddress function constructs domain-literal address components through repeated string concatenation. When parsing large domain-literal components, this can cause excessive CPU consumption.

Affected range	`>=1.25.0 <1.25.2`
Fixed version	`1.25.2`
EPSS Score	`0.042%`
EPSS Percentile	`13th percentile`

Description

The processing time for parsing some invalid inputs scales non-linearly with respect to the size of the input.

This affects programs which parse untrusted PEM inputs.

Affected range	`>=1.25.0 <1.25.2`
Fixed version	`1.25.2`
EPSS Score	`0.012%`
EPSS Percentile	`2nd percentile`

Description

Validating certificate chains which contain DSA public keys can cause programs to panic, due to a interface cast that assumes they implement the Equal method.

This affects programs which validate arbitrary certificate chains.

Affected range	`>=1.25.0 <1.25.3`
Fixed version	`1.25.3`
EPSS Score	`0.020%`
EPSS Percentile	`6th percentile`

Description

Due to the design of the name constraint checking algorithm, the processing time of some inputs scale non-linearly with respect to the size of the certificate.

This affects programs which validate arbitrary certificate chains.

Affected range	`<1.25.11`
Fixed version	`1.25.11`
EPSS Score	`0.011%`
EPSS Percentile	`2nd percentile`

Description

(*x509.Certificate).VerifyHostname previously called matchHostnames in a loop over all DNS Subject Alternative Name (SAN) entries. This caused strings.Split(host, ".") to execute repeatedly on the same input hostname.

With a large DNS SAN list, verification costs scaled quadratically based on the number of SAN entries multiplied by the hostname's label count. Because x509.Verify validates hostnames before building the certificate chain, this overhead occurred even for untrusted certificates.

Affected range	`>=1.25.0 <1.25.6`
Fixed version	`1.25.6`
EPSS Score	`0.019%`
EPSS Percentile	`5th percentile`

Description

archive/zip uses a super-linear file name indexing algorithm that is invoked the first time a file in an archive is opened. This can lead to a denial of service when consuming a maliciously constructed ZIP archive.

Affected range	`>=1.25.0 <1.25.5`
Fixed version	`1.25.5`
EPSS Score	`0.008%`
EPSS Percentile	`1st percentile`

Description

An excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard SANs in the leaf certificate. For example a constraint that excludes the subdomain test.example.com does not prevent a leaf certificate from claiming the SAN *.example.com.

Affected range	`<1.25.9`
Fixed version	`1.25.9`
EPSS Score	`0.010%`
EPSS Percentile	`1st percentile`

Description

On Linux, if the target of Root.Chmod is replaced with a symlink while the chmod operation is in progress, Chmod can operate on the target of the symlink, even when the target lies outside the root.

The Linux fchmodat syscall silently ignores the AT_SYMLINK_NOFOLLOW flag, which Root.Chmod uses to avoid symlink traversal. Root.Chmod checks its target before acting and returns an error if the target is a symlink lying outside the root, so the impact is limited to cases where the target is replaced with a symlink between the check and operation.

Affected range	`<1.25.10`
Fixed version	`1.25.10`
EPSS Score	`0.014%`
EPSS Percentile	`3rd percentile`

Description

If a trusted template author were to write a <script> tag containing an empty 'type' attribute or a 'type' attribute with an ASCII whitespace, the execution of the template would incorrectly escape any data passed into the <script> block.

Affected range	`<1.25.10`
Fixed version	`1.25.10`
EPSS Score	`0.011%`
EPSS Percentile	`1st percentile`

Description

CVE-2026-27142 fixed a vulnerability in which URLs were not correctly escaped inside of a tag's attribute. If the URL content were to insert ASCII whitespaces around the '=' rune inside of the attribute, the escaper would fail to similarly escape it, leading to XSS.

Affected range	`<1.25.9`
Fixed version	`1.25.9`
EPSS Score	`0.011%`
EPSS Percentile	`1st percentile`

Description

Context was not properly tracked across template branches for JS template literals, leading to possibly incorrect escaping of content when branches were used. Additionally template actions within JS template literals did not properly track the brace depth, leading to incorrect escaping being applied.

These issues could cause actions within JS template literals to be incorrectly or improperly escaped, leading to XSS vulnerabilities.

Affected range	`<1.25.8`
Fixed version	`1.25.8`
EPSS Score	`0.013%`
EPSS Percentile	`2nd percentile`

Description

Actions which insert URLs into the content attribute of HTML meta tags are not escaped. This can allow XSS if the meta tag also has an http-equiv attribute with the value "refresh".

A new GODEBUG setting has been added, htmlmetacontenturlescape, which can be used to disable escaping URLs in actions in the meta content attribute which follow "url=" by setting htmlmetacontenturlescape=0.

Affected range	`<1.25.9`
Fixed version	`1.25.9`
EPSS Score	`0.004%`
EPSS Percentile	`0th percentile`

Description

tar.Reader can allocate an unbounded amount of memory when reading a maliciously-crafted archive containing a large number of sparse regions encoded in the "old GNU sparse map" format.

Affected range	`>=1.25.0 <1.25.1`
Fixed version	`1.25.1`
EPSS Score	`0.017%`
EPSS Percentile	`4th percentile`

Description

When using http.CrossOriginProtection, the AddInsecureBypassPattern method can unexpectedly bypass more requests than intended. CrossOriginProtection then skips validation, but forwards the original request path, which may be served by a different handler without the intended security protections.

Affected range	`<1.25.11`
Fixed version	`1.25.11`
EPSS Score	`0.038%`
EPSS Percentile	`12th percentile`

Description

When returning errors, functions in the net/textproto package would include its input as part of the error. This might allow an attacker to inject misleading content to errors that are printed or logged.

Affected range	`<1.25.10`
Fixed version	`1.25.10`
EPSS Score	`0.013%`
EPSS Percentile	`2nd percentile`

Description

ReverseProxy can forward queries containing parameters not visible to Rewrite functions.

When used with a Rewrite function, or a Director function which parses query parameters, ReverseProxy sanitizes the forwarded request to remove query parameters which are not parsed by url.ParseQuery. ReverseProxy does not take ParseQuery's limit on the total number of query parameters (controlled by GODEBUG=urlmaxqueryparams=N) into account. This can permit ReverseProxy to forward a request containing a query parameter that is not visible to the Rewrite function.

For example, the query "a1=x&a2=x&...&a10000=x&hidden=y" can forward the parameter "hidden=y" while hiding it from the proxy's Rewrite function.

Affected range	`>=1.25.0 <1.25.6`
Fixed version	`1.25.6`
EPSS Score	`0.006%`
EPSS Percentile	`0th percentile`

Description

During the TLS 1.3 handshake if multiple messages are sent in records that span encryption level boundaries (for instance the Client Hello and Encrypted Extensions messages), the subsequent messages may be processed before the encryption level changes. This can cause some minor information disclosure if a network-local attacker can inject messages during the handshake.

Affected range	`>=1.25.0 <1.25.2`
Fixed version	`1.25.2`
EPSS Score	`0.023%`
EPSS Percentile	`7th percentile`

Description

The Reader.ReadResponse function constructs a response string through repeated string concatenation of lines. When the number of lines in a response is large, this can cause excessive CPU consumption.

Affected range	`>=1.25.0 <1.25.2`
Fixed version	`1.25.2`
EPSS Score	`0.017%`
EPSS Percentile	`4th percentile`

Description

When Conn.Handshake fails during ALPN negotiation the error contains attacker controlled information (the ALPN protocols sent by the client) which is not escaped.

Affected range	`>=1.25.0 <1.25.2`
Fixed version	`1.25.2`
EPSS Score	`0.041%`
EPSS Percentile	`13th percentile`

Description

Despite HTTP headers having a default limit of 1MB, the number of cookies that can be parsed does not have a limit. By sending a lot of very small cookies such as "a=;", an attacker can make an HTTP server allocate a large amount of structs, causing large memory consumption.

Affected range	`>=1.25.0 <1.25.2`
Fixed version	`1.25.2`
EPSS Score	`0.034%`
EPSS Percentile	`11th percentile`

Description

Parsing a maliciously crafted DER payload could allocate large amounts of memory, causing memory exhaustion.

Affected range	`>=1.25.0 <1.25.2`
Fixed version	`1.25.2`
EPSS Score	`0.024%`
EPSS Percentile	`7th percentile`

Description

The Parse function permits values other than IPv6 addresses to be included in square brackets within the host component of a URL. RFC 3986 permits IPv6 addresses to be included within the host component, enclosed within square brackets. For example: "http://[::1]/". IPv4 addresses and hostnames must not appear within square brackets. Parse did not enforce this requirement.

Affected range	`>=1.25.0 <1.25.2`
Fixed version	`1.25.2`
EPSS Score	`0.018%`
EPSS Percentile	`5th percentile`

Description

tar.Reader does not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A maliciously-crafted archive containing a large number of sparse regions can cause a Reader to read an unbounded amount of data from the archive into memory. When reading from a compressed source, a small compressed input can result in large allocations.

Affected range	`<1.25.8`
Fixed version	`1.25.8`
EPSS Score	`0.007%`
EPSS Percentile	`1st percentile`

Description

On Unix platforms, when listing the contents of a directory using File.ReadDir or File.Readdir the returned FileInfo could reference a file outside of the Root in which the File was opened.

The impact of this escape is limited to reading metadata provided by lstat from arbitrary locations on the filesystem without permitting reading or writing files outside the root.

golang.org/x/net 0.54.0 (golang)

pkg:golang/golang.org/x/net@0.54.0

# Dockerfile (266:266)
RUN set -o pipefail && curl https://getcroc.schollz.com | bash || curl https://getcroc.schollz.com | sed 's^croc_base_url="https://github.com/schollz/croc/releases/download"^croc_base_url="file://"^g' | bash

Affected range	`<0.55.0`
Fixed version	`0.55.0`
EPSS Score	`0.050%`
EPSS Percentile	`16th percentile`

Description

The ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to an ASCII-only label. For example, ToUnicode("xn--example-.com") incorrectly returns the name "example.com" rather than an error.

This behavior can lead to privilege escalation in programs using the idna package. For example, a program which performs privilege checks on the ASCII hostname may reject "example.com" but permit "xn--example-.com". If that program subsequently converts the ASCII hostname to Unicode, it will inadvertently permits access to the Unicode name "example.com".

Affected range	`<0.55.0`
Fixed version	`0.55.0`
EPSS Score	`0.061%`
EPSS Percentile	`19th percentile`

Description

Parsing arbitrary HTML can consume excessive CPU time, possibly leading to denial of service.

Affected range	`<0.55.0`
Fixed version	`0.55.0`
EPSS Score	`0.032%`
EPSS Percentile	`10th percentile`

Description

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

Affected range	`<0.55.0`
Fixed version	`0.55.0`
EPSS Score	`0.031%`
EPSS Percentile	`9th percentile`

Description

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

Affected range	`<0.55.0`
Fixed version	`0.55.0`
EPSS Score	`0.031%`
EPSS Percentile	`9th percentile`

Description

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

Affected range	`<0.55.0`
Fixed version	`0.55.0`
EPSS Score	`0.031%`
EPSS Percentile	`9th percentile`

Description

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

libinput10 1.28.1-1 (deb)

pkg:deb/debian/libinput10@1.28.1-1?arch=ppc64el&distro=debian-13&upstream=libinput

# Dockerfile (264:264)
RUN DEBIAN_FRONTEND=noninteractive apt-get update && apt --no-install-recommends install -y curl ca-certificates python3 python-is-python3 python3-pyqt5 libopengl0 && rm -rf /var/lib/apt/lists/* /var/cache/apt/*

Affected range	`<1.28.1-1+deb13u1`
Fixed version	`1.28.1-1+deb13u1`
EPSS Score	`0.071%`
EPSS Percentile	`22nd percentile`

Description

In libinput before 1.30.4 and 1.31.x before 1.31.3, libinput-device-group unescaped phys output can inject udev properties leading to arbitrary root code execution

libinput 1.31.3-1
https://gitlab.freedesktop.org/libinput/libinput/-/work_items/1296
Fixed by: https://gitlab.freedesktop.org/libinput/libinput/-/commit/76f0d8a7f57e2868882864b4611281f12f704b55 (main)
Fixed by: https://gitlab.freedesktop.org/libinput/libinput/-/commit/d438100aa14c7899e3f574eaa396e8c5831ff5e6 (1.31.3)
Fixed by: https://gitlab.freedesktop.org/libinput/libinput/-/commit/f5ac1e51fffffdc19aace7708175c10840a8b801 (1.31.3)
Fixed by: https://gitlab.freedesktop.org/libinput/libinput/-/commit/fc2262e1c1847021239065e84f39f15492ef05cc (1.30.4)
Fixed by: https://gitlab.freedesktop.org/libinput/libinput/-/commit/b2bde9504d42a5976d76e1f27c640dc561fbd99b (1.30.4)
https://www.openwall.com/lists/oss-security/2026/06/04/5

jquery-ui 1.11.2 (npm)

pkg:npm/jquery-ui@1.11.2

# Dockerfile (252:252)
COPY --from=build /tmp/install /flightgear/script/dnc-managed/install

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.13.0`
Fixed version	`1.13.0`
CVSS Score	`6.5`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N`
EPSS Score	`31.104%`
EPSS Percentile	`97th percentile`

Description

Impact

Accepting the value of the of option of the .position() util from untrusted sources may execute untrusted code. For example, invoking the following code:
$( "#element" ).position( {
	my: "left top",
	at: "right bottom",
	of: "<img onerror='doEvilThing()' src='/404' />",
	collision: "none"
} );
will call the doEvilThing() function.

Patches

The issue is fixed in jQuery UI 1.13.0. Any string value passed to the of option is now treated as a CSS selector.

Workarounds

A workaround is to not accept the value of the of option from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.13.0`
Fixed version	`1.13.0`
CVSS Score	`6.5`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N`
EPSS Score	`3.097%`
EPSS Percentile	`87th percentile`

Description

Impact

Accepting the value of various *Text options of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker in the following way:
$( "#datepicker" ).datepicker( {
	showButtonPanel: true,
	showOn: "both",
	closeText: "<script>doEvilThing( 'closeText XSS' )</script>",
	currentText: "<script>doEvilThing( 'currentText XSS' )</script>",
	prevText: "<script>doEvilThing( 'prevText XSS' )</script>",
	nextText: "<script>doEvilThing( 'nextText XSS' )</script>",
	buttonText: "<script>doEvilThing( 'buttonText XSS' )</script>",
	appendText: "<script>doEvilThing( 'appendText XSS' )</script>",
} );
will call doEvilThing with 6 different parameters coming from all *Text options.

Patches

The issue is fixed in jQuery UI 1.13.0. The values passed to various *Text options are now always treated as pure text, not HTML.

Workarounds

A workaround is to not accept the value of the *Text options from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.13.0`
Fixed version	`1.13.0`
CVSS Score	`6.5`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N`
EPSS Score	`22.267%`
EPSS Percentile	`96th percentile`

Description

Impact

Accepting the value of the altField option of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker in the following way:
$( "#datepicker" ).datepicker( {
	altField: "<img onerror='doEvilThing()' src='/404' />",
} );
will call the doEvilThing function.

Patches

The issue is fixed in jQuery UI 1.13.0. Any string value passed to the altField option is now treated as a CSS selector.

Workarounds

A workaround is to not accept the value of the altField option from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.13.2`
Fixed version	`1.13.2`
CVSS Score	`6.1`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N`
EPSS Score	`5.871%`
EPSS Percentile	`91st percentile`

Description

Impact

Initializing a checkboxradio widget on an input enclosed within a label makes that parent label contents considered as the input label. If you call .checkboxradio( "refresh" ) on such a widget and the initial HTML contained encoded HTML entities, they will erroneously get decoded. This can lead to potentially executing JavaScript code.

For example, starting with the following initial secure HTML:
<label>
	<input id="test-input">
	&lt;img src=x onerror="alert(1)"&gt;
</label>
and calling:
$( "#test-input" ).checkboxradio();
$( "#test-input" ).checkboxradio( "refresh" );
will turn the initial HTML into:
<label>
	
	<input id="test-input">
	<img src=x onerror="alert(1)">
</label>
and the alert will get executed.

Patches

The bug has been patched in jQuery UI 1.13.2.

Workarounds

To remediate the issue, if you can change the initial HTML, you can wrap all the non-input contents of the label in a span:
<label>
	<input id="test-input">
	<span>&lt;img src=x onerror="alert(1)"&gt;</span>
</label>
References

https://blog.jqueryui.com/2022/07/jquery-ui-1-13-2-released/

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.12.0`
Fixed version	`1.12.0`
CVSS Score	`6.1`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N`
EPSS Score	`1.778%`
EPSS Percentile	`83rd percentile`

Description

Affected versions of jquery-ui are vulnerable to a cross-site scripting vulnerability when arbitrary user input is supplied as the value of the closeText parameter in the dialog function.

jQuery-UI is a library for manipulating UI elements via jQuery.

Version 1.11.4 has a cross site scripting (XSS) vulnerability in the closeText parameter of the dialog function. If your application passes user input to this parameter, it may be vulnerable to XSS via this attack vector.

Recommendation

Upgrade to jQuery-UI 1.12.0 or later.

OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

Affected range	`<=1.11.4`
Fixed version	`1.12.0`

Description

jQuery-UI has a cross site scripting (XSS) vulnerability in the closeText parameter of the dialog function. If your application passes user input to this parameter, it may be vulnerable to XSS via this attack vector.

github-actions · 2026-06-15T13:38:22Z

Recommended fixes for image (linux/ppc64le) `jlp04/elevation-generator:latest`

Base image is debian:latest

Name	13.5
Digest	sha256:df3512fd9c128f0344a2e4db3b42c66d71ecb62295c24463f4ae851350efd14e
Vulnerabilities
Pushed	4 weeks ago
Size	53 MB
Packages	111
OS	13.5

The base image is also available under the supported tag(s): 13, 13.5, trixie

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

✅ There are no tag recommendations at this time.

github-actions · 2026-06-15T13:38:55Z


Your image	`jlp04/elevation-generator:latest`
Current base image	`debian:latest`

github-actions · 2026-06-15T13:39:01Z

🔍 Vulnerabilities of `jlp04/elevation-generator:latest`

📦 Image Reference jlp04/elevation-generator:latest

digest	`sha256:02428dba9f2b2a9dff5842c4d65e479666d609e3499dca35c517646c0889c60b`
vulnerabilities
platform	linux/riscv64
size	9.4 GB
packages	951

📦 Base Image debian:13

also known as	`13.5` `latest` `trixie` `trixie-20260518`
digest	`sha256:4f52ee6eaf425fa42ddfd7b871040a2bfd5411ce07801b6342ae57ba40c8cf5c`
vulnerabilities

golang.org/x/crypto 0.51.0 (golang)

pkg:golang/golang.org/x/crypto@0.51.0

# Dockerfile (266:266)
RUN set -o pipefail && curl https://getcroc.schollz.com | bash || curl https://getcroc.schollz.com | sed 's^croc_base_url="https://github.com/schollz/croc/releases/download"^croc_base_url="file://"^g' | bash

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.052%`
EPSS Percentile	`17th percentile`

Description

Previously, CVE-2024-45337 fixed an authorization bypass for misused ssh server configurations; if any other type of callback is passed other than public key, then the source-address validation would be skipped.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.038%`
EPSS Percentile	`12th percentile`

Description

Previously, a revoked 'SignatureKey' belonging to a CA was not correctly checked for revocation. Now, both the 'key' and 'key.SignatureKey' are checked for @Revoked.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.054%`
EPSS Percentile	`17th percentile`

Description

When writing data larger than 4GB in a single Write call on an SSH channel, an integer overflow in the internal payload size calculation caused the write loop to spin indefinitely, sending empty packets without making progress. The size comparison now uses int64 to prevent truncation.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.042%`
EPSS Percentile	`13th percentile`

Description

The in-memory keyring returned by NewKeyring() silently accepted keys with the ConfirmBeforeUse constraint but never enforced it. The key would sign without any confirmation prompt, with no indication to the caller that the constraint was not in effect. NewKeyring() now returns an error when unsupported constraints are requested.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.068%`
EPSS Percentile	`21st percentile`

Description

When adding a key to a remote agent constraint extensions such as restrict-destination-v00@openssh.com were not serialized in the request. Destination restrictions were silently stripped when forwarding keys, allowing unrestricted use of the key on the remote host. The client now serializes all constraint extensions. Additionally, the in-memory keyring returned by NewKeyring() now rejects keys with unsupported constraint extensions instead of silently ignoring them.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.033%`
EPSS Percentile	`10th percentile`

Description

The Verify() method for FIDO/U2F security key types (sk-ecdsa-sha2-nistp256@openssh.com, sk-ssh-ed25519@openssh.com) did not check the User Presence flag. Signatures generated without physical touch were accepted, allowing unattended use of a hardware security key. To restore the previous behavior, return a "no-touch-required" extension in Permissions.Extensions from PublicKeyCallback.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.054%`
EPSS Percentile	`17th percentile`

Description

A malicious SSH peer could send unsolicited global request responses to fill an internal buffer, blocking the connection's read loop. The blocked goroutine could not be released by calling Close(), resulting in a resource leak per connection. Unsolicited global responses are now discarded.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.054%`
EPSS Percentile	`17th percentile`

Description

An incorrectly placed cast from bytes to int allowed for server-side panic in the AES-GCM packet decoder for well-crafted inputs.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.035%`
EPSS Percentile	`11th percentile`

Description

The RSA and DSA public key parsers did not enforce size limits on key parameters. A crafted public key with an excessively large modulus or DSA parameter could cause several minutes of CPU consumption during signature verification. This could be triggered by unauthenticated clients during public key authentication. RSA moduli are now limited to 8192 bits, and DSA parameters are validated per FIPS 186-2.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.023%`
EPSS Percentile	`7th percentile`

Description

An authenticated SSH client that repeatedly opened channels which were rejected by the server caused unbounded memory growth, eventually crashing the server process and affecting all connected users. Rejected channels are now properly removed from the connection's internal state and released for garbage collection.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.034%`
EPSS Percentile	`11th percentile`

Description

When an SSH server authentication callback returned PartialSuccessError with non-nil Permissions, those permissions were silently discarded, potentially dropping certificate restrictions such as force-command after a second factor succeeded. Returning non-nil Permissions with PartialSuccessError now results in a connection error.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.050%`
EPSS Percentile	`16th percentile`

Description

For certain crafted inputs, a 'ed25519.PrivateKey' was created by casting malformed wire bytes, leading to a panic when used.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.029%`
EPSS Percentile	`9th percentile`

Description

SSH servers which use CertChecker as a public key callback without setting IsUserAuthority or IsHostAuthority could be caused to panic by a client presenting a certificate. CertChecker now returns an error instead of panicking when these callbacks are nil.

golang.org/x/net 0.54.0 (golang)

pkg:golang/golang.org/x/net@0.54.0

# Dockerfile (266:266)
RUN set -o pipefail && curl https://getcroc.schollz.com | bash || curl https://getcroc.schollz.com | sed 's^croc_base_url="https://github.com/schollz/croc/releases/download"^croc_base_url="file://"^g' | bash

Affected range	`<0.55.0`
Fixed version	`0.55.0`
EPSS Score	`0.050%`
EPSS Percentile	`16th percentile`

Description

The ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to an ASCII-only label. For example, ToUnicode("xn--example-.com") incorrectly returns the name "example.com" rather than an error.

This behavior can lead to privilege escalation in programs using the idna package. For example, a program which performs privilege checks on the ASCII hostname may reject "example.com" but permit "xn--example-.com". If that program subsequently converts the ASCII hostname to Unicode, it will inadvertently permits access to the Unicode name "example.com".

Affected range	`<0.55.0`
Fixed version	`0.55.0`
EPSS Score	`0.061%`
EPSS Percentile	`19th percentile`

Description

Parsing arbitrary HTML can consume excessive CPU time, possibly leading to denial of service.

Affected range	`<0.55.0`
Fixed version	`0.55.0`
EPSS Score	`0.032%`
EPSS Percentile	`10th percentile`

Description

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

Affected range	`<0.55.0`
Fixed version	`0.55.0`
EPSS Score	`0.031%`
EPSS Percentile	`9th percentile`

Description

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

Affected range	`<0.55.0`
Fixed version	`0.55.0`
EPSS Score	`0.031%`
EPSS Percentile	`9th percentile`

Description

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

Affected range	`<0.55.0`
Fixed version	`0.55.0`
EPSS Score	`0.031%`
EPSS Percentile	`9th percentile`

Description

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

stdlib 1.25.10 (golang)

pkg:golang/stdlib@1.25.10

# Dockerfile (266:266)
RUN set -o pipefail && curl https://getcroc.schollz.com | bash || curl https://getcroc.schollz.com | sed 's^croc_base_url="https://github.com/schollz/croc/releases/download"^croc_base_url="file://"^g' | bash

Affected range	`<1.25.11`
Fixed version	`1.25.11`
EPSS Score	`0.055%`
EPSS Percentile	`18th percentile`

Description

Decoding a maliciously-crafted MIME header containing many invalid encoded-words can consume excessive CPU.

Affected range	`<1.25.11`
Fixed version	`1.25.11`
EPSS Score	`0.011%`
EPSS Percentile	`2nd percentile`

Description

(*x509.Certificate).VerifyHostname previously called matchHostnames in a loop over all DNS Subject Alternative Name (SAN) entries. This caused strings.Split(host, ".") to execute repeatedly on the same input hostname.

With a large DNS SAN list, verification costs scaled quadratically based on the number of SAN entries multiplied by the hostname's label count. Because x509.Verify validates hostnames before building the certificate chain, this overhead occurred even for untrusted certificates.

Affected range	`<1.25.11`
Fixed version	`1.25.11`
EPSS Score	`0.038%`
EPSS Percentile	`12th percentile`

Description

When returning errors, functions in the net/textproto package would include its input as part of the error. This might allow an attacker to inject misleading content to errors that are printed or logged.

libinput10 1.28.1-1 (deb)

pkg:deb/debian/libinput10@1.28.1-1?arch=riscv64&distro=debian-13&upstream=libinput

# Dockerfile (264:264)
RUN DEBIAN_FRONTEND=noninteractive apt-get update && apt --no-install-recommends install -y curl ca-certificates python3 python-is-python3 python3-pyqt5 libopengl0 && rm -rf /var/lib/apt/lists/* /var/cache/apt/*

Affected range	`<1.28.1-1+deb13u1`
Fixed version	`1.28.1-1+deb13u1`
EPSS Score	`0.071%`
EPSS Percentile	`22nd percentile`

Description

In libinput before 1.30.4 and 1.31.x before 1.31.3, libinput-device-group unescaped phys output can inject udev properties leading to arbitrary root code execution

libinput 1.31.3-1
https://gitlab.freedesktop.org/libinput/libinput/-/work_items/1296
Fixed by: https://gitlab.freedesktop.org/libinput/libinput/-/commit/76f0d8a7f57e2868882864b4611281f12f704b55 (main)
Fixed by: https://gitlab.freedesktop.org/libinput/libinput/-/commit/d438100aa14c7899e3f574eaa396e8c5831ff5e6 (1.31.3)
Fixed by: https://gitlab.freedesktop.org/libinput/libinput/-/commit/f5ac1e51fffffdc19aace7708175c10840a8b801 (1.31.3)
Fixed by: https://gitlab.freedesktop.org/libinput/libinput/-/commit/fc2262e1c1847021239065e84f39f15492ef05cc (1.30.4)
Fixed by: https://gitlab.freedesktop.org/libinput/libinput/-/commit/b2bde9504d42a5976d76e1f27c640dc561fbd99b (1.30.4)
https://www.openwall.com/lists/oss-security/2026/06/04/5

jquery-ui 1.11.2 (npm)

pkg:npm/jquery-ui@1.11.2

# Dockerfile (252:252)
COPY --from=build /tmp/install /flightgear/script/dnc-managed/install

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.13.0`
Fixed version	`1.13.0`
CVSS Score	`6.5`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N`
EPSS Score	`31.104%`
EPSS Percentile	`97th percentile`

Description

Impact

Accepting the value of the of option of the .position() util from untrusted sources may execute untrusted code. For example, invoking the following code:
$( "#element" ).position( {
	my: "left top",
	at: "right bottom",
	of: "<img onerror='doEvilThing()' src='/404' />",
	collision: "none"
} );
will call the doEvilThing() function.

Patches

The issue is fixed in jQuery UI 1.13.0. Any string value passed to the of option is now treated as a CSS selector.

Workarounds

A workaround is to not accept the value of the of option from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.13.0`
Fixed version	`1.13.0`
CVSS Score	`6.5`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N`
EPSS Score	`3.097%`
EPSS Percentile	`87th percentile`

Description

Impact

Accepting the value of various *Text options of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker in the following way:
$( "#datepicker" ).datepicker( {
	showButtonPanel: true,
	showOn: "both",
	closeText: "<script>doEvilThing( 'closeText XSS' )</script>",
	currentText: "<script>doEvilThing( 'currentText XSS' )</script>",
	prevText: "<script>doEvilThing( 'prevText XSS' )</script>",
	nextText: "<script>doEvilThing( 'nextText XSS' )</script>",
	buttonText: "<script>doEvilThing( 'buttonText XSS' )</script>",
	appendText: "<script>doEvilThing( 'appendText XSS' )</script>",
} );
will call doEvilThing with 6 different parameters coming from all *Text options.

Patches

The issue is fixed in jQuery UI 1.13.0. The values passed to various *Text options are now always treated as pure text, not HTML.

Workarounds

A workaround is to not accept the value of the *Text options from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.13.0`
Fixed version	`1.13.0`
CVSS Score	`6.5`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N`
EPSS Score	`22.267%`
EPSS Percentile	`96th percentile`

Description

Impact

Accepting the value of the altField option of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker in the following way:
$( "#datepicker" ).datepicker( {
	altField: "<img onerror='doEvilThing()' src='/404' />",
} );
will call the doEvilThing function.

Patches

The issue is fixed in jQuery UI 1.13.0. Any string value passed to the altField option is now treated as a CSS selector.

Workarounds

A workaround is to not accept the value of the altField option from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.13.2`
Fixed version	`1.13.2`
CVSS Score	`6.1`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N`
EPSS Score	`5.871%`
EPSS Percentile	`91st percentile`

Description

Impact

Initializing a checkboxradio widget on an input enclosed within a label makes that parent label contents considered as the input label. If you call .checkboxradio( "refresh" ) on such a widget and the initial HTML contained encoded HTML entities, they will erroneously get decoded. This can lead to potentially executing JavaScript code.

For example, starting with the following initial secure HTML:
<label>
	<input id="test-input">
	&lt;img src=x onerror="alert(1)"&gt;
</label>
and calling:
$( "#test-input" ).checkboxradio();
$( "#test-input" ).checkboxradio( "refresh" );
will turn the initial HTML into:
<label>
	
	<input id="test-input">
	<img src=x onerror="alert(1)">
</label>
and the alert will get executed.

Patches

The bug has been patched in jQuery UI 1.13.2.

Workarounds

To remediate the issue, if you can change the initial HTML, you can wrap all the non-input contents of the label in a span:
<label>
	<input id="test-input">
	<span>&lt;img src=x onerror="alert(1)"&gt;</span>
</label>
References

https://blog.jqueryui.com/2022/07/jquery-ui-1-13-2-released/

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.12.0`
Fixed version	`1.12.0`
CVSS Score	`6.1`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N`
EPSS Score	`1.778%`
EPSS Percentile	`83rd percentile`

Description

Affected versions of jquery-ui are vulnerable to a cross-site scripting vulnerability when arbitrary user input is supplied as the value of the closeText parameter in the dialog function.

jQuery-UI is a library for manipulating UI elements via jQuery.

Version 1.11.4 has a cross site scripting (XSS) vulnerability in the closeText parameter of the dialog function. If your application passes user input to this parameter, it may be vulnerable to XSS via this attack vector.

Recommendation

Upgrade to jQuery-UI 1.12.0 or later.

OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

Affected range	`<=1.11.4`
Fixed version	`1.12.0`

Description

jQuery-UI has a cross site scripting (XSS) vulnerability in the closeText parameter of the dialog function. If your application passes user input to this parameter, it may be vulnerable to XSS via this attack vector.

github-actions · 2026-06-15T13:39:05Z

Recommended fixes for image (linux/riscv64) `jlp04/elevation-generator:latest`

Base image is debian:latest

Name	13.5
Digest	sha256:4f52ee6eaf425fa42ddfd7b871040a2bfd5411ce07801b6342ae57ba40c8cf5c
Vulnerabilities
Pushed	4 weeks ago
Size	48 MB
Packages	109
OS	13.5

The base image is also available under the supported tag(s): 13, 13.5, trixie

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

✅ There are no tag recommendations at this time.

github-actions · 2026-06-15T13:39:38Z


Your image	`jlp04/elevation-generator:latest`
Current base image	`debian:latest`

github-actions · 2026-06-15T13:39:43Z

🔍 Vulnerabilities of `jlp04/elevation-generator:latest`

📦 Image Reference jlp04/elevation-generator:latest

digest	`sha256:f40b7a0903543e0653ef16322dfac145e19ecc03cb0526a348b0e9fb9cc9c6a3`
vulnerabilities
platform	linux/s390x
size	9.4 GB
packages	950

📦 Base Image debian:13

also known as	`13.5` `latest` `trixie` `trixie-20260518`
digest	`sha256:7c6b2cfbda75aa8ebddd4634addba1286dc3e7a41ed604041c3eae2de5746c9f`
vulnerabilities

golang.org/x/crypto 0.51.0 (golang)

pkg:golang/golang.org/x/crypto@0.51.0

# Dockerfile (266:266)
RUN set -o pipefail && curl https://getcroc.schollz.com | bash || curl https://getcroc.schollz.com | sed 's^croc_base_url="https://github.com/schollz/croc/releases/download"^croc_base_url="file://"^g' | bash

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.052%`
EPSS Percentile	`17th percentile`

Description

Previously, CVE-2024-45337 fixed an authorization bypass for misused ssh server configurations; if any other type of callback is passed other than public key, then the source-address validation would be skipped.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.038%`
EPSS Percentile	`12th percentile`

Description

Previously, a revoked 'SignatureKey' belonging to a CA was not correctly checked for revocation. Now, both the 'key' and 'key.SignatureKey' are checked for @Revoked.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.054%`
EPSS Percentile	`17th percentile`

Description

When writing data larger than 4GB in a single Write call on an SSH channel, an integer overflow in the internal payload size calculation caused the write loop to spin indefinitely, sending empty packets without making progress. The size comparison now uses int64 to prevent truncation.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.042%`
EPSS Percentile	`13th percentile`

Description

The in-memory keyring returned by NewKeyring() silently accepted keys with the ConfirmBeforeUse constraint but never enforced it. The key would sign without any confirmation prompt, with no indication to the caller that the constraint was not in effect. NewKeyring() now returns an error when unsupported constraints are requested.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.068%`
EPSS Percentile	`21st percentile`

Description

When adding a key to a remote agent constraint extensions such as restrict-destination-v00@openssh.com were not serialized in the request. Destination restrictions were silently stripped when forwarding keys, allowing unrestricted use of the key on the remote host. The client now serializes all constraint extensions. Additionally, the in-memory keyring returned by NewKeyring() now rejects keys with unsupported constraint extensions instead of silently ignoring them.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.033%`
EPSS Percentile	`10th percentile`

Description

The Verify() method for FIDO/U2F security key types (sk-ecdsa-sha2-nistp256@openssh.com, sk-ssh-ed25519@openssh.com) did not check the User Presence flag. Signatures generated without physical touch were accepted, allowing unattended use of a hardware security key. To restore the previous behavior, return a "no-touch-required" extension in Permissions.Extensions from PublicKeyCallback.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.054%`
EPSS Percentile	`17th percentile`

Description

A malicious SSH peer could send unsolicited global request responses to fill an internal buffer, blocking the connection's read loop. The blocked goroutine could not be released by calling Close(), resulting in a resource leak per connection. Unsolicited global responses are now discarded.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.054%`
EPSS Percentile	`17th percentile`

Description

An incorrectly placed cast from bytes to int allowed for server-side panic in the AES-GCM packet decoder for well-crafted inputs.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.035%`
EPSS Percentile	`11th percentile`

Description

The RSA and DSA public key parsers did not enforce size limits on key parameters. A crafted public key with an excessively large modulus or DSA parameter could cause several minutes of CPU consumption during signature verification. This could be triggered by unauthenticated clients during public key authentication. RSA moduli are now limited to 8192 bits, and DSA parameters are validated per FIPS 186-2.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.023%`
EPSS Percentile	`7th percentile`

Description

An authenticated SSH client that repeatedly opened channels which were rejected by the server caused unbounded memory growth, eventually crashing the server process and affecting all connected users. Rejected channels are now properly removed from the connection's internal state and released for garbage collection.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.034%`
EPSS Percentile	`11th percentile`

Description

When an SSH server authentication callback returned PartialSuccessError with non-nil Permissions, those permissions were silently discarded, potentially dropping certificate restrictions such as force-command after a second factor succeeded. Returning non-nil Permissions with PartialSuccessError now results in a connection error.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.050%`
EPSS Percentile	`16th percentile`

Description

For certain crafted inputs, a 'ed25519.PrivateKey' was created by casting malformed wire bytes, leading to a panic when used.

Affected range	`<0.52.0`
Fixed version	`0.52.0`
EPSS Score	`0.029%`
EPSS Percentile	`9th percentile`

Description

SSH servers which use CertChecker as a public key callback without setting IsUserAuthority or IsHostAuthority could be caused to panic by a client presenting a certificate. CertChecker now returns an error instead of panicking when these callbacks are nil.

stdlib 1.25.0 (golang)

pkg:golang/stdlib@1.25.0

# Dockerfile (266:266)
RUN set -o pipefail && curl https://getcroc.schollz.com | bash || curl https://getcroc.schollz.com | sed 's^croc_base_url="https://github.com/schollz/croc/releases/download"^croc_base_url="file://"^g' | bash

Affected range	`>=1.25.0-0 <1.25.7`
Fixed version	`1.25.7`
EPSS Score	`0.012%`
EPSS Percentile	`2nd percentile`

Description

During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed. This may happen when a user calls Config.Clone and mutates the returned Config, or uses Config.GetConfigForClient. This can cause a client to resume a session with a server that it would not have resumed with during the initial handshake, or cause a server to resume a session with a client that it would not have resumed with during the initial handshake.

Affected range	`<1.25.11`
Fixed version	`1.25.11`
EPSS Score	`0.055%`
EPSS Percentile	`18th percentile`

Description

Decoding a maliciously-crafted MIME header containing many invalid encoded-words can consume excessive CPU.

Affected range	`<1.25.10`
Fixed version	`1.25.10`
EPSS Score	`0.024%`
EPSS Percentile	`7th percentile`

Description

Pathological inputs could cause DoS through consumePhrase when parsing an email address according to RFC 5322.

Affected range	`<1.25.10`
Fixed version	`1.25.10`
EPSS Score	`0.021%`
EPSS Percentile	`6th percentile`

Description

The Dial and LookupPort functions panic on Windows when provided with an input containing a NUL (0).

Affected range	`<1.25.10`
Fixed version	`1.25.10`
EPSS Score	`0.058%`
EPSS Percentile	`19th percentile`

Description

Well-crafted inputs reaching ParseAddress, ParseAddressList, and ParseDate were able to trigger excessive CPU exhaustion and memory allocations.

Affected range	`<1.25.10`
Fixed version	`1.25.10`
EPSS Score	`0.020%`
EPSS Percentile	`6th percentile`

Description

When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0.

Affected range	`<1.25.10`
Fixed version	`1.25.10`
EPSS Score	`0.018%`
EPSS Percentile	`5th percentile`

Description

When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C memory and a crash.

Affected range	`<1.25.9`
Fixed version	`1.25.9`
EPSS Score	`0.019%`
EPSS Percentile	`5th percentile`

Description

If one side of the TLS connection sends multiple key update messages post-handshake in a single record, the connection can deadlock, causing uncontrolled consumption of resources. This can lead to a denial of service.

This only affects TLS 1.3.

Affected range	`<1.25.9`
Fixed version	`1.25.9`
EPSS Score	`0.022%`
EPSS Percentile	`6th percentile`

Description

Validating certificate chains which use policies is unexpectedly inefficient when certificates in the chain contain a very large number of policy mappings, possibly causing denial of service.

This only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Roots CertPool, or in the system certificate pool.

Affected range	`<1.25.9`
Fixed version	`1.25.9`
EPSS Score	`0.021%`
EPSS Percentile	`6th percentile`

Description

During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions.Intermediates, which can lead to a denial of service. This affects both direct users of crypto/x509 and users of crypto/tls.

Affected range	`<1.25.8`
Fixed version	`1.25.8`
EPSS Score	`0.044%`
EPSS Percentile	`14th percentile`

Description

url.Parse insufficiently validated the host/authority component and accepted some invalid URLs.

Affected range	`>=1.25.0 <1.25.5`
Fixed version	`1.25.5`
EPSS Score	`0.019%`
EPSS Percentile	`5th percentile`

Description

Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a malicious actor can result in excessive resource consumption.

Affected range	`>=1.25.0 <1.25.6`
Fixed version	`1.25.6`
EPSS Score	`0.025%`
EPSS Percentile	`7th percentile`

Description

The net/url package does not set a limit on the number of query parameters in a query.

While the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse large URL-encoded forms. Parsing a large form containing many unique query parameters can cause excessive memory consumption.

Affected range	`>=1.25.0 <1.25.2`
Fixed version	`1.25.2`
EPSS Score	`0.044%`
EPSS Percentile	`14th percentile`

Description

The ParseAddress function constructs domain-literal address components through repeated string concatenation. When parsing large domain-literal components, this can cause excessive CPU consumption.

Affected range	`>=1.25.0 <1.25.2`
Fixed version	`1.25.2`
EPSS Score	`0.042%`
EPSS Percentile	`13th percentile`

Description

The processing time for parsing some invalid inputs scales non-linearly with respect to the size of the input.

This affects programs which parse untrusted PEM inputs.

Affected range	`>=1.25.0 <1.25.2`
Fixed version	`1.25.2`
EPSS Score	`0.012%`
EPSS Percentile	`2nd percentile`

Description

Validating certificate chains which contain DSA public keys can cause programs to panic, due to a interface cast that assumes they implement the Equal method.

This affects programs which validate arbitrary certificate chains.

Affected range	`>=1.25.0 <1.25.3`
Fixed version	`1.25.3`
EPSS Score	`0.020%`
EPSS Percentile	`6th percentile`

Description

Due to the design of the name constraint checking algorithm, the processing time of some inputs scale non-linearly with respect to the size of the certificate.

This affects programs which validate arbitrary certificate chains.

Affected range	`<1.25.11`
Fixed version	`1.25.11`
EPSS Score	`0.011%`
EPSS Percentile	`2nd percentile`

Description

(*x509.Certificate).VerifyHostname previously called matchHostnames in a loop over all DNS Subject Alternative Name (SAN) entries. This caused strings.Split(host, ".") to execute repeatedly on the same input hostname.

With a large DNS SAN list, verification costs scaled quadratically based on the number of SAN entries multiplied by the hostname's label count. Because x509.Verify validates hostnames before building the certificate chain, this overhead occurred even for untrusted certificates.

Affected range	`>=1.25.0 <1.25.6`
Fixed version	`1.25.6`
EPSS Score	`0.019%`
EPSS Percentile	`5th percentile`

Description

archive/zip uses a super-linear file name indexing algorithm that is invoked the first time a file in an archive is opened. This can lead to a denial of service when consuming a maliciously constructed ZIP archive.

Affected range	`>=1.25.0 <1.25.5`
Fixed version	`1.25.5`
EPSS Score	`0.008%`
EPSS Percentile	`1st percentile`

Description

An excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard SANs in the leaf certificate. For example a constraint that excludes the subdomain test.example.com does not prevent a leaf certificate from claiming the SAN *.example.com.

Affected range	`<1.25.9`
Fixed version	`1.25.9`
EPSS Score	`0.010%`
EPSS Percentile	`1st percentile`

Description

On Linux, if the target of Root.Chmod is replaced with a symlink while the chmod operation is in progress, Chmod can operate on the target of the symlink, even when the target lies outside the root.

The Linux fchmodat syscall silently ignores the AT_SYMLINK_NOFOLLOW flag, which Root.Chmod uses to avoid symlink traversal. Root.Chmod checks its target before acting and returns an error if the target is a symlink lying outside the root, so the impact is limited to cases where the target is replaced with a symlink between the check and operation.

Affected range	`<1.25.10`
Fixed version	`1.25.10`
EPSS Score	`0.014%`
EPSS Percentile	`3rd percentile`

Description

If a trusted template author were to write a <script> tag containing an empty 'type' attribute or a 'type' attribute with an ASCII whitespace, the execution of the template would incorrectly escape any data passed into the <script> block.

Affected range	`<1.25.10`
Fixed version	`1.25.10`
EPSS Score	`0.011%`
EPSS Percentile	`1st percentile`

Description

CVE-2026-27142 fixed a vulnerability in which URLs were not correctly escaped inside of a tag's attribute. If the URL content were to insert ASCII whitespaces around the '=' rune inside of the attribute, the escaper would fail to similarly escape it, leading to XSS.

Affected range	`<1.25.9`
Fixed version	`1.25.9`
EPSS Score	`0.011%`
EPSS Percentile	`1st percentile`

Description

Context was not properly tracked across template branches for JS template literals, leading to possibly incorrect escaping of content when branches were used. Additionally template actions within JS template literals did not properly track the brace depth, leading to incorrect escaping being applied.

These issues could cause actions within JS template literals to be incorrectly or improperly escaped, leading to XSS vulnerabilities.

Affected range	`<1.25.8`
Fixed version	`1.25.8`
EPSS Score	`0.013%`
EPSS Percentile	`2nd percentile`

Description

Actions which insert URLs into the content attribute of HTML meta tags are not escaped. This can allow XSS if the meta tag also has an http-equiv attribute with the value "refresh".

A new GODEBUG setting has been added, htmlmetacontenturlescape, which can be used to disable escaping URLs in actions in the meta content attribute which follow "url=" by setting htmlmetacontenturlescape=0.

Affected range	`<1.25.9`
Fixed version	`1.25.9`
EPSS Score	`0.004%`
EPSS Percentile	`0th percentile`

Description

tar.Reader can allocate an unbounded amount of memory when reading a maliciously-crafted archive containing a large number of sparse regions encoded in the "old GNU sparse map" format.

Affected range	`>=1.25.0 <1.25.1`
Fixed version	`1.25.1`
EPSS Score	`0.017%`
EPSS Percentile	`4th percentile`

Description

When using http.CrossOriginProtection, the AddInsecureBypassPattern method can unexpectedly bypass more requests than intended. CrossOriginProtection then skips validation, but forwards the original request path, which may be served by a different handler without the intended security protections.

Affected range	`<1.25.11`
Fixed version	`1.25.11`
EPSS Score	`0.038%`
EPSS Percentile	`12th percentile`

Description

When returning errors, functions in the net/textproto package would include its input as part of the error. This might allow an attacker to inject misleading content to errors that are printed or logged.

Affected range	`<1.25.10`
Fixed version	`1.25.10`
EPSS Score	`0.013%`
EPSS Percentile	`2nd percentile`

Description

ReverseProxy can forward queries containing parameters not visible to Rewrite functions.

When used with a Rewrite function, or a Director function which parses query parameters, ReverseProxy sanitizes the forwarded request to remove query parameters which are not parsed by url.ParseQuery. ReverseProxy does not take ParseQuery's limit on the total number of query parameters (controlled by GODEBUG=urlmaxqueryparams=N) into account. This can permit ReverseProxy to forward a request containing a query parameter that is not visible to the Rewrite function.

For example, the query "a1=x&a2=x&...&a10000=x&hidden=y" can forward the parameter "hidden=y" while hiding it from the proxy's Rewrite function.

Affected range	`>=1.25.0 <1.25.6`
Fixed version	`1.25.6`
EPSS Score	`0.006%`
EPSS Percentile	`0th percentile`

Description

During the TLS 1.3 handshake if multiple messages are sent in records that span encryption level boundaries (for instance the Client Hello and Encrypted Extensions messages), the subsequent messages may be processed before the encryption level changes. This can cause some minor information disclosure if a network-local attacker can inject messages during the handshake.

Affected range	`>=1.25.0 <1.25.2`
Fixed version	`1.25.2`
EPSS Score	`0.023%`
EPSS Percentile	`7th percentile`

Description

The Reader.ReadResponse function constructs a response string through repeated string concatenation of lines. When the number of lines in a response is large, this can cause excessive CPU consumption.

Affected range	`>=1.25.0 <1.25.2`
Fixed version	`1.25.2`
EPSS Score	`0.017%`
EPSS Percentile	`4th percentile`

Description

When Conn.Handshake fails during ALPN negotiation the error contains attacker controlled information (the ALPN protocols sent by the client) which is not escaped.

Affected range	`>=1.25.0 <1.25.2`
Fixed version	`1.25.2`
EPSS Score	`0.041%`
EPSS Percentile	`13th percentile`

Description

Despite HTTP headers having a default limit of 1MB, the number of cookies that can be parsed does not have a limit. By sending a lot of very small cookies such as "a=;", an attacker can make an HTTP server allocate a large amount of structs, causing large memory consumption.

Affected range	`>=1.25.0 <1.25.2`
Fixed version	`1.25.2`
EPSS Score	`0.034%`
EPSS Percentile	`11th percentile`

Description

Parsing a maliciously crafted DER payload could allocate large amounts of memory, causing memory exhaustion.

Affected range	`>=1.25.0 <1.25.2`
Fixed version	`1.25.2`
EPSS Score	`0.024%`
EPSS Percentile	`7th percentile`

Description

The Parse function permits values other than IPv6 addresses to be included in square brackets within the host component of a URL. RFC 3986 permits IPv6 addresses to be included within the host component, enclosed within square brackets. For example: "http://[::1]/". IPv4 addresses and hostnames must not appear within square brackets. Parse did not enforce this requirement.

Affected range	`>=1.25.0 <1.25.2`
Fixed version	`1.25.2`
EPSS Score	`0.018%`
EPSS Percentile	`5th percentile`

Description

tar.Reader does not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A maliciously-crafted archive containing a large number of sparse regions can cause a Reader to read an unbounded amount of data from the archive into memory. When reading from a compressed source, a small compressed input can result in large allocations.

Affected range	`<1.25.8`
Fixed version	`1.25.8`
EPSS Score	`0.007%`
EPSS Percentile	`1st percentile`

Description

On Unix platforms, when listing the contents of a directory using File.ReadDir or File.Readdir the returned FileInfo could reference a file outside of the Root in which the File was opened.

The impact of this escape is limited to reading metadata provided by lstat from arbitrary locations on the filesystem without permitting reading or writing files outside the root.

golang.org/x/net 0.54.0 (golang)

pkg:golang/golang.org/x/net@0.54.0

# Dockerfile (266:266)
RUN set -o pipefail && curl https://getcroc.schollz.com | bash || curl https://getcroc.schollz.com | sed 's^croc_base_url="https://github.com/schollz/croc/releases/download"^croc_base_url="file://"^g' | bash

Affected range	`<0.55.0`
Fixed version	`0.55.0`
EPSS Score	`0.050%`
EPSS Percentile	`16th percentile`

Description

The ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to an ASCII-only label. For example, ToUnicode("xn--example-.com") incorrectly returns the name "example.com" rather than an error.

This behavior can lead to privilege escalation in programs using the idna package. For example, a program which performs privilege checks on the ASCII hostname may reject "example.com" but permit "xn--example-.com". If that program subsequently converts the ASCII hostname to Unicode, it will inadvertently permits access to the Unicode name "example.com".

Affected range	`<0.55.0`
Fixed version	`0.55.0`
EPSS Score	`0.061%`
EPSS Percentile	`19th percentile`

Description

Parsing arbitrary HTML can consume excessive CPU time, possibly leading to denial of service.

Affected range	`<0.55.0`
Fixed version	`0.55.0`
EPSS Score	`0.032%`
EPSS Percentile	`10th percentile`

Description

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

Affected range	`<0.55.0`
Fixed version	`0.55.0`
EPSS Score	`0.031%`
EPSS Percentile	`9th percentile`

Description

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

Affected range	`<0.55.0`
Fixed version	`0.55.0`
EPSS Score	`0.031%`
EPSS Percentile	`9th percentile`

Description

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

Affected range	`<0.55.0`
Fixed version	`0.55.0`
EPSS Score	`0.031%`
EPSS Percentile	`9th percentile`

Description

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

libinput10 1.28.1-1 (deb)

pkg:deb/debian/libinput10@1.28.1-1?arch=s390x&distro=debian-13&upstream=libinput

# Dockerfile (264:264)
RUN DEBIAN_FRONTEND=noninteractive apt-get update && apt --no-install-recommends install -y curl ca-certificates python3 python-is-python3 python3-pyqt5 libopengl0 && rm -rf /var/lib/apt/lists/* /var/cache/apt/*

Affected range	`<1.28.1-1+deb13u1`
Fixed version	`1.28.1-1+deb13u1`
EPSS Score	`0.071%`
EPSS Percentile	`22nd percentile`

Description

In libinput before 1.30.4 and 1.31.x before 1.31.3, libinput-device-group unescaped phys output can inject udev properties leading to arbitrary root code execution

libinput 1.31.3-1
https://gitlab.freedesktop.org/libinput/libinput/-/work_items/1296
Fixed by: https://gitlab.freedesktop.org/libinput/libinput/-/commit/76f0d8a7f57e2868882864b4611281f12f704b55 (main)
Fixed by: https://gitlab.freedesktop.org/libinput/libinput/-/commit/d438100aa14c7899e3f574eaa396e8c5831ff5e6 (1.31.3)
Fixed by: https://gitlab.freedesktop.org/libinput/libinput/-/commit/f5ac1e51fffffdc19aace7708175c10840a8b801 (1.31.3)
Fixed by: https://gitlab.freedesktop.org/libinput/libinput/-/commit/fc2262e1c1847021239065e84f39f15492ef05cc (1.30.4)
Fixed by: https://gitlab.freedesktop.org/libinput/libinput/-/commit/b2bde9504d42a5976d76e1f27c640dc561fbd99b (1.30.4)
https://www.openwall.com/lists/oss-security/2026/06/04/5

jquery-ui 1.11.2 (npm)

pkg:npm/jquery-ui@1.11.2

# Dockerfile (252:252)
COPY --from=build /tmp/install /flightgear/script/dnc-managed/install

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.13.0`
Fixed version	`1.13.0`
CVSS Score	`6.5`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N`
EPSS Score	`31.104%`
EPSS Percentile	`97th percentile`

Description

Impact

Accepting the value of the of option of the .position() util from untrusted sources may execute untrusted code. For example, invoking the following code:
$( "#element" ).position( {
	my: "left top",
	at: "right bottom",
	of: "<img onerror='doEvilThing()' src='/404' />",
	collision: "none"
} );
will call the doEvilThing() function.

Patches

The issue is fixed in jQuery UI 1.13.0. Any string value passed to the of option is now treated as a CSS selector.

Workarounds

A workaround is to not accept the value of the of option from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.13.0`
Fixed version	`1.13.0`
CVSS Score	`6.5`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N`
EPSS Score	`3.097%`
EPSS Percentile	`87th percentile`

Description

Impact

Accepting the value of various *Text options of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker in the following way:
$( "#datepicker" ).datepicker( {
	showButtonPanel: true,
	showOn: "both",
	closeText: "<script>doEvilThing( 'closeText XSS' )</script>",
	currentText: "<script>doEvilThing( 'currentText XSS' )</script>",
	prevText: "<script>doEvilThing( 'prevText XSS' )</script>",
	nextText: "<script>doEvilThing( 'nextText XSS' )</script>",
	buttonText: "<script>doEvilThing( 'buttonText XSS' )</script>",
	appendText: "<script>doEvilThing( 'appendText XSS' )</script>",
} );
will call doEvilThing with 6 different parameters coming from all *Text options.

Patches

The issue is fixed in jQuery UI 1.13.0. The values passed to various *Text options are now always treated as pure text, not HTML.

Workarounds

A workaround is to not accept the value of the *Text options from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.13.0`
Fixed version	`1.13.0`
CVSS Score	`6.5`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N`
EPSS Score	`22.267%`
EPSS Percentile	`96th percentile`

Description

Impact

Accepting the value of the altField option of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker in the following way:
$( "#datepicker" ).datepicker( {
	altField: "<img onerror='doEvilThing()' src='/404' />",
} );
will call the doEvilThing function.

Patches

The issue is fixed in jQuery UI 1.13.0. Any string value passed to the altField option is now treated as a CSS selector.

Workarounds

A workaround is to not accept the value of the altField option from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.13.2`
Fixed version	`1.13.2`
CVSS Score	`6.1`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N`
EPSS Score	`5.871%`
EPSS Percentile	`91st percentile`

Description

Impact

Initializing a checkboxradio widget on an input enclosed within a label makes that parent label contents considered as the input label. If you call .checkboxradio( "refresh" ) on such a widget and the initial HTML contained encoded HTML entities, they will erroneously get decoded. This can lead to potentially executing JavaScript code.

For example, starting with the following initial secure HTML:
<label>
	<input id="test-input">
	&lt;img src=x onerror="alert(1)"&gt;
</label>
and calling:
$( "#test-input" ).checkboxradio();
$( "#test-input" ).checkboxradio( "refresh" );
will turn the initial HTML into:
<label>
	
	<input id="test-input">
	<img src=x onerror="alert(1)">
</label>
and the alert will get executed.

Patches

The bug has been patched in jQuery UI 1.13.2.

Workarounds

To remediate the issue, if you can change the initial HTML, you can wrap all the non-input contents of the label in a span:
<label>
	<input id="test-input">
	<span>&lt;img src=x onerror="alert(1)"&gt;</span>
</label>
References

https://blog.jqueryui.com/2022/07/jquery-ui-1-13-2-released/

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.12.0`
Fixed version	`1.12.0`
CVSS Score	`6.1`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N`
EPSS Score	`1.778%`
EPSS Percentile	`83rd percentile`

Description

Affected versions of jquery-ui are vulnerable to a cross-site scripting vulnerability when arbitrary user input is supplied as the value of the closeText parameter in the dialog function.

jQuery-UI is a library for manipulating UI elements via jQuery.

Version 1.11.4 has a cross site scripting (XSS) vulnerability in the closeText parameter of the dialog function. If your application passes user input to this parameter, it may be vulnerable to XSS via this attack vector.

Recommendation

Upgrade to jQuery-UI 1.12.0 or later.

OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

Affected range	`<=1.11.4`
Fixed version	`1.12.0`

Description

jQuery-UI has a cross site scripting (XSS) vulnerability in the closeText parameter of the dialog function. If your application passes user input to this parameter, it may be vulnerable to XSS via this attack vector.

github-actions · 2026-06-15T13:39:48Z

Recommended fixes for image (linux/s390x) `jlp04/elevation-generator:latest`

Base image is debian:latest

Name	13.5
Digest	sha256:7c6b2cfbda75aa8ebddd4634addba1286dc3e7a41ed604041c3eae2de5746c9f
Vulnerabilities
Pushed	4 weeks ago
Size	49 MB
Packages	111
OS	13.5

The base image is also available under the supported tag(s): 13, 13.5, trixie

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

✅ There are no tag recommendations at this time.

Try Using Git Repos Again When Adding from GitLab

36289b6

JLP04 added the pr-pull This PR is ready to be merged, and the changes within are ready to be promoted to the `latest` tag label Jun 4, 2026

github-actions Bot merged commit bbd6c6f into main Jun 15, 2026
52 of 91 checks passed

github-actions Bot deleted the try-using-pure-git-for-gitlab branch June 15, 2026 13:40

Conversation

JLP04 commented May 23, 2026

Uh oh!

github-actions Bot commented Jun 4, 2026

Uh oh!

github-actions Bot commented Jun 4, 2026

🔍 Vulnerabilities of ghcr.io/jlp04/elevation-generator:test

Impact

Patches

Workarounds

For more information

Impact

Patches

Workarounds

For more information

Impact

Patches

Workarounds

For more information

Impact

Patches

Workarounds

References

For more information

Recommendation

Uh oh!

github-actions Bot commented Jun 4, 2026

Recommended fixes for image (linux/386) ghcr.io/jlp04/elevation-generator:test

Refresh base image

Change base image

Uh oh!

github-actions Bot commented Jun 4, 2026

Overview

Uh oh!

github-actions Bot commented Jun 4, 2026

Uh oh!

github-actions Bot commented Jun 4, 2026

🔍 Vulnerabilities of ghcr.io/jlp04/elevation-generator:test

Impact

Patches

Workarounds

For more information

Impact

Patches

Workarounds

For more information

Impact

Patches

Workarounds

For more information

Impact

Patches

Workarounds

References

For more information

Recommendation

Uh oh!

github-actions Bot commented Jun 4, 2026

Recommended fixes for image (linux/amd64) ghcr.io/jlp04/elevation-generator:test

Refresh base image

Change base image

Uh oh!

github-actions Bot commented Jun 4, 2026

Overview

Uh oh!

github-actions Bot commented Jun 4, 2026

Uh oh!

github-actions Bot commented Jun 4, 2026

🔍 Vulnerabilities of ghcr.io/jlp04/elevation-generator:test

Impact

Patches

Workarounds

For more information

Impact

Patches

Workarounds

For more information

Impact

Patches

Workarounds

🔍 Vulnerabilities of `ghcr.io/jlp04/elevation-generator:test`

Recommended fixes for image (linux/386) `ghcr.io/jlp04/elevation-generator:test`

🔍 Vulnerabilities of `ghcr.io/jlp04/elevation-generator:test`

Recommended fixes for image (linux/amd64) `ghcr.io/jlp04/elevation-generator:test`

🔍 Vulnerabilities of `ghcr.io/jlp04/elevation-generator:test`

Recommended fixes for image (linux/arm/v5) `ghcr.io/jlp04/elevation-generator:test`

🔍 Vulnerabilities of `ghcr.io/jlp04/elevation-generator:test`

Recommended fixes for image (linux/arm/v7) `ghcr.io/jlp04/elevation-generator:test`

🔍 Vulnerabilities of `ghcr.io/jlp04/elevation-generator:test`