Bump actions/upload-artifact from 5 to 7 by dependabot[bot] · Pull Request #13 · JLP04/docker-elevation-generator

dependabot · 2026-02-27T09:18:53Z

Bumps actions/upload-artifact from 5 to 7.

Release notes

Sourced from actions/upload-artifact's releases.

v7.0.0

v7 What's new

Direct Uploads

Adds support for uploading single files directly (unzipped). Callers can set the new archive parameter to false to skip zipping the file during upload. Right now, we only support single files. The action will fail if the glob passed resolves to multiple files. The name parameter is also ignored with this setting. Instead, the name of the artifact will be the name of the uploaded file.

ESM

To support new versions of the @actions/* packages, we've upgraded the package to ESM.

What's Changed

Add proxy integration test by @Link- in actions/upload-artifact#754

Upgrade the module to ESM and bump dependencies by @danwkennedy in actions/upload-artifact#762

Support direct file uploads by @danwkennedy in actions/upload-artifact#764

New Contributors

@Link- made their first contribution in actions/upload-artifact#754

Full Changelog: actions/upload-artifact@v6...v7.0.0

v6.0.0

v6 - What's new

[!IMPORTANT] actions/upload-artifact@v6 now runs on Node.js 24 (runs.using: node24) and requires a minimum Actions Runner version of 2.327.1. If you are using self-hosted runners, ensure they are updated before upgrading.

Node.js 24

This release updates the runtime to Node.js 24. v5 had preliminary support for Node.js 24, however this action was by default still running on Node.js 20. Now this action by default will run on Node.js 24.

What's Changed

Upload Artifact Node 24 support by @salmanmkc in actions/upload-artifact#719

fix: update @actions/artifact for Node.js 24 punycode deprecation by @salmanmkc in actions/upload-artifact#744

prepare release v6.0.0 for Node.js 24 support by @salmanmkc in actions/upload-artifact#745

Full Changelog: actions/upload-artifact@v5.0.0...v6.0.0

Commits

043fb46 Merge pull request #797 from actions/yacaovsnc/update-dependency
634250c Include changes in typespec/ts-http-runtime 0.3.5
e454baa Readme: bump all the example versions to v7 (#796)
74fad66 Update the readme with direct upload details (#795)
bbbca2d Support direct file uploads (#764)
589182c Upgrade the module to ESM and bump dependencies (#762)
47309c9 Merge pull request #754 from actions/Link-/add-proxy-integration-tests
02a8460 Add proxy integration test
b7c566a Merge pull request #745 from actions/upload-artifact-v6-release
e516bc8 docs: correct description of Node.js 24 support in README
Additional commits viewable in compare view

JLP04

Approved.

JLP04 · 2026-04-12T13:52:12Z

@dependabot rebase

Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 5 to 7. - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](actions/upload-artifact@v5...v7) --- updated-dependencies: - dependency-name: actions/upload-artifact dependency-version: '7' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>

github-actions · 2026-04-19T09:05:40Z


Your image	`ghcr.io/jlp04/elevation-generator:test`
Current base image	`debian:latest`

github-actions · 2026-04-19T09:05:44Z

🔍 Vulnerabilities of `ghcr.io/jlp04/elevation-generator:test`

📦 Image Reference ghcr.io/jlp04/elevation-generator:test

digest	`sha256:ff9994e47b64d0dcfa9946cbf032ff5ca58709fdace60add7460e743c0aeb924`
vulnerabilities
platform	linux/386
size	9.5 GB
packages	958

📦 Base Image debian:13

also known as	`13.4` `latest` `trixie` `trixie-20260406`
digest	`sha256:ed245c58fad6ea8cfb9a337d25fc2dec6a33129e51ed345184c7ce721956b237`
vulnerabilities

stdlib 1.25.7 (golang)

pkg:golang/stdlib@1.25.7

# Dockerfile (255:255)
RUN set -o pipefail && curl https://getcroc.schollz.com | bash || curl https://getcroc.schollz.com | sed 's^croc_base_url="https://github.com/schollz/croc/releases/download"^croc_base_url="file://"^g' | bash

Affected range	`<1.25.9`
Fixed version	`1.25.9`
EPSS Score	`0.015%`
EPSS Percentile	`3rd percentile`

Description

If one side of the TLS connection sends multiple key update messages post-handshake in a single record, the connection can deadlock, causing uncontrolled consumption of resources. This can lead to a denial of service.

This only affects TLS 1.3.

Affected range	`<1.25.9`
Fixed version	`1.25.9`
EPSS Score	`0.018%`
EPSS Percentile	`4th percentile`

Description

Validating certificate chains which use policies is unexpectedly inefficient when certificates in the chain contain a very large number of policy mappings, possibly causing denial of service.

This only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Roots CertPool, or in the system certificate pool.

Affected range	`<1.25.9`
Fixed version	`1.25.9`
EPSS Score	`0.017%`
EPSS Percentile	`4th percentile`

Description

During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions.Intermediates, which can lead to a denial of service. This affects both direct users of crypto/x509 and users of crypto/tls.

Affected range	`<1.25.8`
Fixed version	`1.25.8`
EPSS Score	`0.033%`
EPSS Percentile	`10th percentile`

Description

url.Parse insufficiently validated the host/authority component and accepted some invalid URLs.

Affected range	`<1.25.9`
Fixed version	`1.25.9`
EPSS Score	`0.008%`
EPSS Percentile	`1st percentile`

Description

On Linux, if the target of Root.Chmod is replaced with a symlink while the chmod operation is in progress, Chmod can operate on the target of the symlink, even when the target lies outside the root.

The Linux fchmodat syscall silently ignores the AT_SYMLINK_NOFOLLOW flag, which Root.Chmod uses to avoid symlink traversal. Root.Chmod checks its target before acting and returns an error if the target is a symlink lying outside the root, so the impact is limited to cases where the target is replaced with a symlink between the check and operation.

Affected range	`<1.25.9`
Fixed version	`1.25.9`
EPSS Score	`0.010%`
EPSS Percentile	`1st percentile`

Description

Context was not properly tracked across template branches for JS template literals, leading to possibly incorrect escaping of content when branches were used. Additionally template actions within JS template literals did not properly track the brace depth, leading to incorrect escaping being applied.

These issues could cause actions within JS template literals to be incorrectly or improperly escaped, leading to XSS vulnerabilities.

Affected range	`<1.25.8`
Fixed version	`1.25.8`
EPSS Score	`0.012%`
EPSS Percentile	`2nd percentile`

Description

Actions which insert URLs into the content attribute of HTML meta tags are not escaped. This can allow XSS if the meta tag also has an http-equiv attribute with the value "refresh".

A new GODEBUG setting has been added, htmlmetacontenturlescape, which can be used to disable escaping URLs in actions in the meta content attribute which follow "url=" by setting htmlmetacontenturlescape=0.

Affected range	`<1.25.9`
Fixed version	`1.25.9`
EPSS Score	`0.004%`
EPSS Percentile	`0th percentile`

Description

tar.Reader can allocate an unbounded amount of memory when reading a maliciously-crafted archive containing a large number of sparse regions encoded in the "old GNU sparse map" format.

Affected range	`<1.25.8`
Fixed version	`1.25.8`
EPSS Score	`0.005%`
EPSS Percentile	`0th percentile`

Description

On Unix platforms, when listing the contents of a directory using File.ReadDir or File.Readdir the returned FileInfo could reference a file outside of the Root in which the File was opened.

The impact of this escape is limited to reading metadata provided by lstat from arbitrary locations on the filesystem without permitting reading or writing files outside the root.

jquery-ui 1.11.2 (npm)

pkg:npm/jquery-ui@1.11.2

# Dockerfile (241:241)
COPY --from=build /tmp/install /flightgear/script/dnc-managed/install

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.13.0`
Fixed version	`1.13.0`
CVSS Score	`6.5`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N`
EPSS Score	`25.367%`
EPSS Percentile	`96th percentile`

Description

Impact

Accepting the value of the of option of the .position() util from untrusted sources may execute untrusted code. For example, invoking the following code:
$( "#element" ).position( {
	my: "left top",
	at: "right bottom",
	of: "<img onerror='doEvilThing()' src='/404' />",
	collision: "none"
} );
will call the doEvilThing() function.

Patches

The issue is fixed in jQuery UI 1.13.0. Any string value passed to the of option is now treated as a CSS selector.

Workarounds

A workaround is to not accept the value of the of option from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.13.0`
Fixed version	`1.13.0`
CVSS Score	`6.5`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N`
EPSS Score	`2.921%`
EPSS Percentile	`86th percentile`

Description

Impact

Accepting the value of various *Text options of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker in the following way:
$( "#datepicker" ).datepicker( {
	showButtonPanel: true,
	showOn: "both",
	closeText: "<script>doEvilThing( 'closeText XSS' )</script>",
	currentText: "<script>doEvilThing( 'currentText XSS' )</script>",
	prevText: "<script>doEvilThing( 'prevText XSS' )</script>",
	nextText: "<script>doEvilThing( 'nextText XSS' )</script>",
	buttonText: "<script>doEvilThing( 'buttonText XSS' )</script>",
	appendText: "<script>doEvilThing( 'appendText XSS' )</script>",
} );
will call doEvilThing with 6 different parameters coming from all *Text options.

Patches

The issue is fixed in jQuery UI 1.13.0. The values passed to various *Text options are now always treated as pure text, not HTML.

Workarounds

A workaround is to not accept the value of the *Text options from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.13.0`
Fixed version	`1.13.0`
CVSS Score	`6.5`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N`
EPSS Score	`24.078%`
EPSS Percentile	`96th percentile`

Description

Impact

Accepting the value of the altField option of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker in the following way:
$( "#datepicker" ).datepicker( {
	altField: "<img onerror='doEvilThing()' src='/404' />",
} );
will call the doEvilThing function.

Patches

The issue is fixed in jQuery UI 1.13.0. Any string value passed to the altField option is now treated as a CSS selector.

Workarounds

A workaround is to not accept the value of the altField option from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.13.2`
Fixed version	`1.13.2`
CVSS Score	`6.1`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N`
EPSS Score	`10.183%`
EPSS Percentile	`93rd percentile`

Description

Impact

Initializing a checkboxradio widget on an input enclosed within a label makes that parent label contents considered as the input label. If you call .checkboxradio( "refresh" ) on such a widget and the initial HTML contained encoded HTML entities, they will erroneously get decoded. This can lead to potentially executing JavaScript code.

For example, starting with the following initial secure HTML:
<label>
	<input id="test-input">
	&lt;img src=x onerror="alert(1)"&gt;
</label>
and calling:
$( "#test-input" ).checkboxradio();
$( "#test-input" ).checkboxradio( "refresh" );
will turn the initial HTML into:
<label>
	
	<input id="test-input">
	<img src=x onerror="alert(1)">
</label>
and the alert will get executed.

Patches

The bug has been patched in jQuery UI 1.13.2.

Workarounds

To remediate the issue, if you can change the initial HTML, you can wrap all the non-input contents of the label in a span:
<label>
	<input id="test-input">
	<span>&lt;img src=x onerror="alert(1)"&gt;</span>
</label>
References

https://blog.jqueryui.com/2022/07/jquery-ui-1-13-2-released/

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.12.0`
Fixed version	`1.12.0`
CVSS Score	`6.1`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N`
EPSS Score	`1.397%`
EPSS Percentile	`80th percentile`

Description

Affected versions of jquery-ui are vulnerable to a cross-site scripting vulnerability when arbitrary user input is supplied as the value of the closeText parameter in the dialog function.

jQuery-UI is a library for manipulating UI elements via jQuery.

Version 1.11.4 has a cross site scripting (XSS) vulnerability in the closeText parameter of the dialog function. If your application passes user input to this parameter, it may be vulnerable to XSS via this attack vector.

Recommendation

Upgrade to jQuery-UI 1.12.0 or later.

OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

Affected range	`<=1.11.4`
Fixed version	`1.12.0`

Description

jQuery-UI has a cross site scripting (XSS) vulnerability in the closeText parameter of the dialog function. If your application passes user input to this parameter, it may be vulnerable to XSS via this attack vector.

github-actions · 2026-04-19T09:05:47Z

Recommended fixes for image (linux/386) `ghcr.io/jlp04/elevation-generator:test`

Base image is debian:latest

Name	13.4
Digest	sha256:ed245c58fad6ea8cfb9a337d25fc2dec6a33129e51ed345184c7ce721956b237
Vulnerabilities
Pushed	1 week ago
Size	51 MB
Packages	111
OS	13.4

The base image is also available under the supported tag(s): 13, 13.4, trixie, trixie-20260406

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

✅ There are no tag recommendations at this time.

github-actions · 2026-04-19T09:06:13Z

Overview

Image reference	`jlp04/elevation-generator:latest`	`ghcr.io/jlp04/elevation-generator:test`
- digest	`c8e9795df392`	`ff9994e47b64`
- tag	`latest`	`test`
- provenance	https://github.com/JLP04/docker-elevation-generator.git#refs/pull/18/merge/commit/2b22b04b7db9dc1f4a130273da4314a7df2ed702	https://github.com/JLP04/docker-elevation-generator.git#afa985114c1e84627e03e8f53f37461a8b191f40/commit/afa985114c1e84627e03e8f53f37461a8b191f40
- vulnerabilities
- platform	linux/386	linux/386
- size	9.5 GB	9.5 GB (+30 kB)
- packages	958	958
Base Image	`debian:latest` also known as: • `13` • `13.4` • `trixie` • `trixie-20260406`	`debian:latest` also known as: • `13` • `13.4` • `trixie` • `trixie-20260406`
- vulnerabilities

Packages and Vulnerabilities (2 package changes and 0 vulnerability changes)

♾️ 2 packages changed

601 packages unchanged

Changes for packages of type deb (2 changes)

	Package	Version `jlp04/elevation-generator:latest`	Version `ghcr.io/jlp04/elevation-generator:test`
♾️	libgdk-pixbuf-2.0-0	`2.42.12+dfsg-4`	`2.42.12+dfsg-4+deb13u1`
♾️	libgdk-pixbuf2.0-common	`2.42.12+dfsg-4`	`2.42.12+dfsg-4+deb13u1`

github-actions · 2026-04-19T09:06:34Z


Your image	`ghcr.io/jlp04/elevation-generator:test`
Current base image	`debian:latest`

github-actions · 2026-04-19T09:06:38Z

🔍 Vulnerabilities of `ghcr.io/jlp04/elevation-generator:test`

📦 Image Reference ghcr.io/jlp04/elevation-generator:test

digest	`sha256:5cb2dee67563d8f4e4db1b749040224359378c3ef210a8f40c59609cb1efa645`
vulnerabilities
platform	linux/amd64
size	9.4 GB
packages	962

📦 Base Image debian:13

also known as	`13.4` `latest` `trixie` `trixie-20260406`
digest	`sha256:84cc642701b773b0df5a98553f4bf9aab4ad4d10a34c406e46d33ee1fd548fa7`
vulnerabilities

stdlib 1.25.7 (golang)

pkg:golang/stdlib@1.25.7

# Dockerfile (255:255)
RUN set -o pipefail && curl https://getcroc.schollz.com | bash || curl https://getcroc.schollz.com | sed 's^croc_base_url="https://github.com/schollz/croc/releases/download"^croc_base_url="file://"^g' | bash

Affected range	`<1.25.9`
Fixed version	`1.25.9`
EPSS Score	`0.015%`
EPSS Percentile	`3rd percentile`

Description

If one side of the TLS connection sends multiple key update messages post-handshake in a single record, the connection can deadlock, causing uncontrolled consumption of resources. This can lead to a denial of service.

This only affects TLS 1.3.

Affected range	`<1.25.9`
Fixed version	`1.25.9`
EPSS Score	`0.018%`
EPSS Percentile	`4th percentile`

Description

Validating certificate chains which use policies is unexpectedly inefficient when certificates in the chain contain a very large number of policy mappings, possibly causing denial of service.

This only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Roots CertPool, or in the system certificate pool.

Affected range	`<1.25.9`
Fixed version	`1.25.9`
EPSS Score	`0.017%`
EPSS Percentile	`4th percentile`

Description

During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions.Intermediates, which can lead to a denial of service. This affects both direct users of crypto/x509 and users of crypto/tls.

Affected range	`<1.25.8`
Fixed version	`1.25.8`
EPSS Score	`0.033%`
EPSS Percentile	`10th percentile`

Description

url.Parse insufficiently validated the host/authority component and accepted some invalid URLs.

Affected range	`<1.25.9`
Fixed version	`1.25.9`
EPSS Score	`0.008%`
EPSS Percentile	`1st percentile`

Description

On Linux, if the target of Root.Chmod is replaced with a symlink while the chmod operation is in progress, Chmod can operate on the target of the symlink, even when the target lies outside the root.

The Linux fchmodat syscall silently ignores the AT_SYMLINK_NOFOLLOW flag, which Root.Chmod uses to avoid symlink traversal. Root.Chmod checks its target before acting and returns an error if the target is a symlink lying outside the root, so the impact is limited to cases where the target is replaced with a symlink between the check and operation.

Affected range	`<1.25.9`
Fixed version	`1.25.9`
EPSS Score	`0.010%`
EPSS Percentile	`1st percentile`

Description

Context was not properly tracked across template branches for JS template literals, leading to possibly incorrect escaping of content when branches were used. Additionally template actions within JS template literals did not properly track the brace depth, leading to incorrect escaping being applied.

These issues could cause actions within JS template literals to be incorrectly or improperly escaped, leading to XSS vulnerabilities.

Affected range	`<1.25.8`
Fixed version	`1.25.8`
EPSS Score	`0.012%`
EPSS Percentile	`2nd percentile`

Description

Actions which insert URLs into the content attribute of HTML meta tags are not escaped. This can allow XSS if the meta tag also has an http-equiv attribute with the value "refresh".

A new GODEBUG setting has been added, htmlmetacontenturlescape, which can be used to disable escaping URLs in actions in the meta content attribute which follow "url=" by setting htmlmetacontenturlescape=0.

Affected range	`<1.25.9`
Fixed version	`1.25.9`
EPSS Score	`0.004%`
EPSS Percentile	`0th percentile`

Description

tar.Reader can allocate an unbounded amount of memory when reading a maliciously-crafted archive containing a large number of sparse regions encoded in the "old GNU sparse map" format.

Affected range	`<1.25.8`
Fixed version	`1.25.8`
EPSS Score	`0.005%`
EPSS Percentile	`0th percentile`

Description

On Unix platforms, when listing the contents of a directory using File.ReadDir or File.Readdir the returned FileInfo could reference a file outside of the Root in which the File was opened.

The impact of this escape is limited to reading metadata provided by lstat from arbitrary locations on the filesystem without permitting reading or writing files outside the root.

jquery-ui 1.11.2 (npm)

pkg:npm/jquery-ui@1.11.2

# Dockerfile (241:241)
COPY --from=build /tmp/install /flightgear/script/dnc-managed/install

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.13.0`
Fixed version	`1.13.0`
CVSS Score	`6.5`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N`
EPSS Score	`25.367%`
EPSS Percentile	`96th percentile`

Description

Impact

Accepting the value of the of option of the .position() util from untrusted sources may execute untrusted code. For example, invoking the following code:
$( "#element" ).position( {
	my: "left top",
	at: "right bottom",
	of: "<img onerror='doEvilThing()' src='/404' />",
	collision: "none"
} );
will call the doEvilThing() function.

Patches

The issue is fixed in jQuery UI 1.13.0. Any string value passed to the of option is now treated as a CSS selector.

Workarounds

A workaround is to not accept the value of the of option from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.13.0`
Fixed version	`1.13.0`
CVSS Score	`6.5`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N`
EPSS Score	`2.921%`
EPSS Percentile	`86th percentile`

Description

Impact

Accepting the value of various *Text options of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker in the following way:
$( "#datepicker" ).datepicker( {
	showButtonPanel: true,
	showOn: "both",
	closeText: "<script>doEvilThing( 'closeText XSS' )</script>",
	currentText: "<script>doEvilThing( 'currentText XSS' )</script>",
	prevText: "<script>doEvilThing( 'prevText XSS' )</script>",
	nextText: "<script>doEvilThing( 'nextText XSS' )</script>",
	buttonText: "<script>doEvilThing( 'buttonText XSS' )</script>",
	appendText: "<script>doEvilThing( 'appendText XSS' )</script>",
} );
will call doEvilThing with 6 different parameters coming from all *Text options.

Patches

The issue is fixed in jQuery UI 1.13.0. The values passed to various *Text options are now always treated as pure text, not HTML.

Workarounds

A workaround is to not accept the value of the *Text options from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.13.0`
Fixed version	`1.13.0`
CVSS Score	`6.5`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N`
EPSS Score	`24.078%`
EPSS Percentile	`96th percentile`

Description

Impact

Accepting the value of the altField option of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker in the following way:
$( "#datepicker" ).datepicker( {
	altField: "<img onerror='doEvilThing()' src='/404' />",
} );
will call the doEvilThing function.

Patches

The issue is fixed in jQuery UI 1.13.0. Any string value passed to the altField option is now treated as a CSS selector.

Workarounds

A workaround is to not accept the value of the altField option from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.13.2`
Fixed version	`1.13.2`
CVSS Score	`6.1`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N`
EPSS Score	`10.183%`
EPSS Percentile	`93rd percentile`

Description

Impact

Initializing a checkboxradio widget on an input enclosed within a label makes that parent label contents considered as the input label. If you call .checkboxradio( "refresh" ) on such a widget and the initial HTML contained encoded HTML entities, they will erroneously get decoded. This can lead to potentially executing JavaScript code.

For example, starting with the following initial secure HTML:
<label>
	<input id="test-input">
	&lt;img src=x onerror="alert(1)"&gt;
</label>
and calling:
$( "#test-input" ).checkboxradio();
$( "#test-input" ).checkboxradio( "refresh" );
will turn the initial HTML into:
<label>
	
	<input id="test-input">
	<img src=x onerror="alert(1)">
</label>
and the alert will get executed.

Patches

The bug has been patched in jQuery UI 1.13.2.

Workarounds

To remediate the issue, if you can change the initial HTML, you can wrap all the non-input contents of the label in a span:
<label>
	<input id="test-input">
	<span>&lt;img src=x onerror="alert(1)"&gt;</span>
</label>
References

https://blog.jqueryui.com/2022/07/jquery-ui-1-13-2-released/

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.12.0`
Fixed version	`1.12.0`
CVSS Score	`6.1`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N`
EPSS Score	`1.397%`
EPSS Percentile	`80th percentile`

Description

Affected versions of jquery-ui are vulnerable to a cross-site scripting vulnerability when arbitrary user input is supplied as the value of the closeText parameter in the dialog function.

jQuery-UI is a library for manipulating UI elements via jQuery.

Version 1.11.4 has a cross site scripting (XSS) vulnerability in the closeText parameter of the dialog function. If your application passes user input to this parameter, it may be vulnerable to XSS via this attack vector.

Recommendation

Upgrade to jQuery-UI 1.12.0 or later.

OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

Affected range	`<=1.11.4`
Fixed version	`1.12.0`

Description

jQuery-UI has a cross site scripting (XSS) vulnerability in the closeText parameter of the dialog function. If your application passes user input to this parameter, it may be vulnerable to XSS via this attack vector.

github-actions · 2026-04-19T09:06:41Z

Recommended fixes for image (linux/amd64) `ghcr.io/jlp04/elevation-generator:test`

Base image is debian:latest

Name	13.4
Digest	sha256:84cc642701b773b0df5a98553f4bf9aab4ad4d10a34c406e46d33ee1fd548fa7
Vulnerabilities
Pushed	1 week ago
Size	49 MB
Packages	111
OS	13.4

The base image is also available under the supported tag(s): 13, 13.4, trixie, trixie-20260406

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

✅ There are no tag recommendations at this time.

github-actions · 2026-04-19T09:07:07Z

Overview

Image reference	`jlp04/elevation-generator:latest`	`ghcr.io/jlp04/elevation-generator:test`
- digest	`5a8ba575edf3`	`5cb2dee67563`
- tag	`latest`	`test`
- provenance	https://github.com/JLP04/docker-elevation-generator.git#refs/pull/18/merge/commit/2b22b04b7db9dc1f4a130273da4314a7df2ed702	https://github.com/JLP04/docker-elevation-generator.git#afa985114c1e84627e03e8f53f37461a8b191f40/commit/afa985114c1e84627e03e8f53f37461a8b191f40
- vulnerabilities
- platform	linux/amd64	linux/amd64
- size	9.4 GB	9.4 GB (+26 kB)
- packages	962	962
Base Image	`debian:latest` also known as: • `13` • `13.4` • `trixie` • `trixie-20260406`	`debian:latest` also known as: • `13` • `13.4` • `trixie` • `trixie-20260406`
- vulnerabilities

Packages and Vulnerabilities (2 package changes and 0 vulnerability changes)

♾️ 2 packages changed

605 packages unchanged

Changes for packages of type deb (2 changes)

	Package	Version `jlp04/elevation-generator:latest`	Version `ghcr.io/jlp04/elevation-generator:test`
♾️	libgdk-pixbuf-2.0-0	`2.42.12+dfsg-4`	`2.42.12+dfsg-4+deb13u1`
♾️	libgdk-pixbuf2.0-common	`2.42.12+dfsg-4`	`2.42.12+dfsg-4+deb13u1`

github-actions · 2026-04-19T09:07:29Z


Your image	`ghcr.io/jlp04/elevation-generator:test`
Current base image	`debian:latest`

github-actions · 2026-04-19T09:07:33Z

🔍 Vulnerabilities of `ghcr.io/jlp04/elevation-generator:test`

📦 Image Reference ghcr.io/jlp04/elevation-generator:test

digest	`sha256:58a6d0f155614b171db3801ffec3624f20c65db496bad1924d77d25772f924c9`
vulnerabilities
platform	linux/arm/v5
size	9.4 GB
packages	946

📦 Base Image debian:13

also known as	`13.4` `latest` `trixie` `trixie-20260406`
digest	`sha256:ed6a5dc84700de6592eae3b7933511474529135335568be6a90ab9bffa68070d`
vulnerabilities

stdlib 1.25.7 (golang)

pkg:golang/stdlib@1.25.7

# Dockerfile (255:255)
RUN set -o pipefail && curl https://getcroc.schollz.com | bash || curl https://getcroc.schollz.com | sed 's^croc_base_url="https://github.com/schollz/croc/releases/download"^croc_base_url="file://"^g' | bash

Affected range	`<1.25.9`
Fixed version	`1.25.9`
EPSS Score	`0.015%`
EPSS Percentile	`3rd percentile`

Description

If one side of the TLS connection sends multiple key update messages post-handshake in a single record, the connection can deadlock, causing uncontrolled consumption of resources. This can lead to a denial of service.

This only affects TLS 1.3.

Affected range	`<1.25.9`
Fixed version	`1.25.9`
EPSS Score	`0.018%`
EPSS Percentile	`4th percentile`

Description

Validating certificate chains which use policies is unexpectedly inefficient when certificates in the chain contain a very large number of policy mappings, possibly causing denial of service.

This only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Roots CertPool, or in the system certificate pool.

Affected range	`<1.25.9`
Fixed version	`1.25.9`
EPSS Score	`0.017%`
EPSS Percentile	`4th percentile`

Description

During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions.Intermediates, which can lead to a denial of service. This affects both direct users of crypto/x509 and users of crypto/tls.

Affected range	`<1.25.8`
Fixed version	`1.25.8`
EPSS Score	`0.033%`
EPSS Percentile	`10th percentile`

Description

url.Parse insufficiently validated the host/authority component and accepted some invalid URLs.

Affected range	`<1.25.9`
Fixed version	`1.25.9`
EPSS Score	`0.008%`
EPSS Percentile	`1st percentile`

Description

On Linux, if the target of Root.Chmod is replaced with a symlink while the chmod operation is in progress, Chmod can operate on the target of the symlink, even when the target lies outside the root.

The Linux fchmodat syscall silently ignores the AT_SYMLINK_NOFOLLOW flag, which Root.Chmod uses to avoid symlink traversal. Root.Chmod checks its target before acting and returns an error if the target is a symlink lying outside the root, so the impact is limited to cases where the target is replaced with a symlink between the check and operation.

Affected range	`<1.25.9`
Fixed version	`1.25.9`
EPSS Score	`0.010%`
EPSS Percentile	`1st percentile`

Description

Context was not properly tracked across template branches for JS template literals, leading to possibly incorrect escaping of content when branches were used. Additionally template actions within JS template literals did not properly track the brace depth, leading to incorrect escaping being applied.

These issues could cause actions within JS template literals to be incorrectly or improperly escaped, leading to XSS vulnerabilities.

Affected range	`<1.25.8`
Fixed version	`1.25.8`
EPSS Score	`0.012%`
EPSS Percentile	`2nd percentile`

Description

Actions which insert URLs into the content attribute of HTML meta tags are not escaped. This can allow XSS if the meta tag also has an http-equiv attribute with the value "refresh".

A new GODEBUG setting has been added, htmlmetacontenturlescape, which can be used to disable escaping URLs in actions in the meta content attribute which follow "url=" by setting htmlmetacontenturlescape=0.

Affected range	`<1.25.9`
Fixed version	`1.25.9`
EPSS Score	`0.004%`
EPSS Percentile	`0th percentile`

Description

tar.Reader can allocate an unbounded amount of memory when reading a maliciously-crafted archive containing a large number of sparse regions encoded in the "old GNU sparse map" format.

Affected range	`<1.25.8`
Fixed version	`1.25.8`
EPSS Score	`0.005%`
EPSS Percentile	`0th percentile`

Description

On Unix platforms, when listing the contents of a directory using File.ReadDir or File.Readdir the returned FileInfo could reference a file outside of the Root in which the File was opened.

The impact of this escape is limited to reading metadata provided by lstat from arbitrary locations on the filesystem without permitting reading or writing files outside the root.

jquery-ui 1.11.2 (npm)

pkg:npm/jquery-ui@1.11.2

# Dockerfile (241:241)
COPY --from=build /tmp/install /flightgear/script/dnc-managed/install

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.13.0`
Fixed version	`1.13.0`
CVSS Score	`6.5`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N`
EPSS Score	`25.367%`
EPSS Percentile	`96th percentile`

Description

Impact

Accepting the value of the of option of the .position() util from untrusted sources may execute untrusted code. For example, invoking the following code:
$( "#element" ).position( {
	my: "left top",
	at: "right bottom",
	of: "<img onerror='doEvilThing()' src='/404' />",
	collision: "none"
} );
will call the doEvilThing() function.

Patches

The issue is fixed in jQuery UI 1.13.0. Any string value passed to the of option is now treated as a CSS selector.

Workarounds

A workaround is to not accept the value of the of option from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.13.0`
Fixed version	`1.13.0`
CVSS Score	`6.5`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N`
EPSS Score	`2.921%`
EPSS Percentile	`86th percentile`

Description

Impact

Accepting the value of various *Text options of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker in the following way:
$( "#datepicker" ).datepicker( {
	showButtonPanel: true,
	showOn: "both",
	closeText: "<script>doEvilThing( 'closeText XSS' )</script>",
	currentText: "<script>doEvilThing( 'currentText XSS' )</script>",
	prevText: "<script>doEvilThing( 'prevText XSS' )</script>",
	nextText: "<script>doEvilThing( 'nextText XSS' )</script>",
	buttonText: "<script>doEvilThing( 'buttonText XSS' )</script>",
	appendText: "<script>doEvilThing( 'appendText XSS' )</script>",
} );
will call doEvilThing with 6 different parameters coming from all *Text options.

Patches

The issue is fixed in jQuery UI 1.13.0. The values passed to various *Text options are now always treated as pure text, not HTML.

Workarounds

A workaround is to not accept the value of the *Text options from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.13.0`
Fixed version	`1.13.0`
CVSS Score	`6.5`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N`
EPSS Score	`24.078%`
EPSS Percentile	`96th percentile`

Description

Impact

Accepting the value of the altField option of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker in the following way:
$( "#datepicker" ).datepicker( {
	altField: "<img onerror='doEvilThing()' src='/404' />",
} );
will call the doEvilThing function.

Patches

The issue is fixed in jQuery UI 1.13.0. Any string value passed to the altField option is now treated as a CSS selector.

Workarounds

A workaround is to not accept the value of the altField option from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.13.2`
Fixed version	`1.13.2`
CVSS Score	`6.1`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N`
EPSS Score	`10.183%`
EPSS Percentile	`93rd percentile`

Description

Impact

Initializing a checkboxradio widget on an input enclosed within a label makes that parent label contents considered as the input label. If you call .checkboxradio( "refresh" ) on such a widget and the initial HTML contained encoded HTML entities, they will erroneously get decoded. This can lead to potentially executing JavaScript code.

For example, starting with the following initial secure HTML:
<label>
	<input id="test-input">
	&lt;img src=x onerror="alert(1)"&gt;
</label>
and calling:
$( "#test-input" ).checkboxradio();
$( "#test-input" ).checkboxradio( "refresh" );
will turn the initial HTML into:
<label>
	
	<input id="test-input">
	<img src=x onerror="alert(1)">
</label>
and the alert will get executed.

Patches

The bug has been patched in jQuery UI 1.13.2.

Workarounds

To remediate the issue, if you can change the initial HTML, you can wrap all the non-input contents of the label in a span:
<label>
	<input id="test-input">
	<span>&lt;img src=x onerror="alert(1)"&gt;</span>
</label>
References

https://blog.jqueryui.com/2022/07/jquery-ui-1-13-2-released/

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.12.0`
Fixed version	`1.12.0`
CVSS Score	`6.1`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N`
EPSS Score	`1.397%`
EPSS Percentile	`80th percentile`

Description

Affected versions of jquery-ui are vulnerable to a cross-site scripting vulnerability when arbitrary user input is supplied as the value of the closeText parameter in the dialog function.

jQuery-UI is a library for manipulating UI elements via jQuery.

Version 1.11.4 has a cross site scripting (XSS) vulnerability in the closeText parameter of the dialog function. If your application passes user input to this parameter, it may be vulnerable to XSS via this attack vector.

Recommendation

Upgrade to jQuery-UI 1.12.0 or later.

OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

Affected range	`<=1.11.4`
Fixed version	`1.12.0`

Description

jQuery-UI has a cross site scripting (XSS) vulnerability in the closeText parameter of the dialog function. If your application passes user input to this parameter, it may be vulnerable to XSS via this attack vector.

github-actions · 2026-04-19T09:07:37Z

Recommended fixes for image (linux/arm/v5) `ghcr.io/jlp04/elevation-generator:test`

Base image is debian:latest

Name	13.4
Digest	sha256:ed6a5dc84700de6592eae3b7933511474529135335568be6a90ab9bffa68070d
Vulnerabilities
Pushed	1 week ago
Size	48 MB
Packages	112
OS	13.4

The base image is also available under the supported tag(s): 13, 13.4, trixie, trixie-20260406

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

✅ There are no tag recommendations at this time.

github-actions · 2026-04-19T09:08:03Z

Overview

Image reference	`jlp04/elevation-generator:latest`	`ghcr.io/jlp04/elevation-generator:test`
- digest	`87c2e5de3f75`	`58a6d0f15561`
- tag	`latest`	`test`
- provenance	https://github.com/JLP04/docker-elevation-generator.git#refs/pull/18/merge/commit/2b22b04b7db9dc1f4a130273da4314a7df2ed702	https://github.com/JLP04/docker-elevation-generator.git#afa985114c1e84627e03e8f53f37461a8b191f40/commit/afa985114c1e84627e03e8f53f37461a8b191f40
- vulnerabilities
- platform	linux/arm	linux/arm
- size	9.4 GB	9.4 GB (+30 kB)
- packages	946	946
Base Image	`debian:latest` also known as: • `13` • `13.4` • `trixie` • `trixie-20260406`	`debian:latest` also known as: • `13` • `13.4` • `trixie` • `trixie-20260406`
- vulnerabilities

Packages and Vulnerabilities (2 package changes and 0 vulnerability changes)

♾️ 2 packages changed

597 packages unchanged

Changes for packages of type deb (2 changes)

	Package	Version `jlp04/elevation-generator:latest`	Version `ghcr.io/jlp04/elevation-generator:test`
♾️	libgdk-pixbuf-2.0-0	`2.42.12+dfsg-4`	`2.42.12+dfsg-4+deb13u1`
♾️	libgdk-pixbuf2.0-common	`2.42.12+dfsg-4`	`2.42.12+dfsg-4+deb13u1`

github-actions · 2026-04-19T09:08:25Z


Your image	`ghcr.io/jlp04/elevation-generator:test`
Current base image	`debian:latest`

github-actions · 2026-04-19T09:08:30Z

🔍 Vulnerabilities of `ghcr.io/jlp04/elevation-generator:test`

📦 Image Reference ghcr.io/jlp04/elevation-generator:test

digest	`sha256:5caa7764c1f17a52d3576940218e9d25d9d5a2bec1ecf5781b7d4a5b8647d52b`
vulnerabilities
platform	linux/arm/v7
size	9.4 GB
packages	945

📦 Base Image debian:13

also known as	`13.4` `latest` `trixie` `trixie-20260406`
digest	`sha256:6a19f1d932905b07c6a419e2ab2a4472fa87c3ea0619264ca9e482261f78b524`
vulnerabilities

stdlib 1.25.7 (golang)

pkg:golang/stdlib@1.25.7

# Dockerfile (255:255)
RUN set -o pipefail && curl https://getcroc.schollz.com | bash || curl https://getcroc.schollz.com | sed 's^croc_base_url="https://github.com/schollz/croc/releases/download"^croc_base_url="file://"^g' | bash

Affected range	`<1.25.9`
Fixed version	`1.25.9`
EPSS Score	`0.015%`
EPSS Percentile	`3rd percentile`

Description

If one side of the TLS connection sends multiple key update messages post-handshake in a single record, the connection can deadlock, causing uncontrolled consumption of resources. This can lead to a denial of service.

This only affects TLS 1.3.

Affected range	`<1.25.9`
Fixed version	`1.25.9`
EPSS Score	`0.018%`
EPSS Percentile	`4th percentile`

Description

Validating certificate chains which use policies is unexpectedly inefficient when certificates in the chain contain a very large number of policy mappings, possibly causing denial of service.

This only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Roots CertPool, or in the system certificate pool.

Affected range	`<1.25.9`
Fixed version	`1.25.9`
EPSS Score	`0.017%`
EPSS Percentile	`4th percentile`

Description

During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions.Intermediates, which can lead to a denial of service. This affects both direct users of crypto/x509 and users of crypto/tls.

Affected range	`<1.25.8`
Fixed version	`1.25.8`
EPSS Score	`0.033%`
EPSS Percentile	`10th percentile`

Description

url.Parse insufficiently validated the host/authority component and accepted some invalid URLs.

Affected range	`<1.25.9`
Fixed version	`1.25.9`
EPSS Score	`0.008%`
EPSS Percentile	`1st percentile`

Description

On Linux, if the target of Root.Chmod is replaced with a symlink while the chmod operation is in progress, Chmod can operate on the target of the symlink, even when the target lies outside the root.

The Linux fchmodat syscall silently ignores the AT_SYMLINK_NOFOLLOW flag, which Root.Chmod uses to avoid symlink traversal. Root.Chmod checks its target before acting and returns an error if the target is a symlink lying outside the root, so the impact is limited to cases where the target is replaced with a symlink between the check and operation.

Affected range	`<1.25.9`
Fixed version	`1.25.9`
EPSS Score	`0.010%`
EPSS Percentile	`1st percentile`

Description

Context was not properly tracked across template branches for JS template literals, leading to possibly incorrect escaping of content when branches were used. Additionally template actions within JS template literals did not properly track the brace depth, leading to incorrect escaping being applied.

These issues could cause actions within JS template literals to be incorrectly or improperly escaped, leading to XSS vulnerabilities.

Affected range	`<1.25.8`
Fixed version	`1.25.8`
EPSS Score	`0.012%`
EPSS Percentile	`2nd percentile`

Description

Actions which insert URLs into the content attribute of HTML meta tags are not escaped. This can allow XSS if the meta tag also has an http-equiv attribute with the value "refresh".

A new GODEBUG setting has been added, htmlmetacontenturlescape, which can be used to disable escaping URLs in actions in the meta content attribute which follow "url=" by setting htmlmetacontenturlescape=0.

Affected range	`<1.25.9`
Fixed version	`1.25.9`
EPSS Score	`0.004%`
EPSS Percentile	`0th percentile`

Description

tar.Reader can allocate an unbounded amount of memory when reading a maliciously-crafted archive containing a large number of sparse regions encoded in the "old GNU sparse map" format.

Affected range	`<1.25.8`
Fixed version	`1.25.8`
EPSS Score	`0.005%`
EPSS Percentile	`0th percentile`

Description

On Unix platforms, when listing the contents of a directory using File.ReadDir or File.Readdir the returned FileInfo could reference a file outside of the Root in which the File was opened.

The impact of this escape is limited to reading metadata provided by lstat from arbitrary locations on the filesystem without permitting reading or writing files outside the root.

jquery-ui 1.11.2 (npm)

pkg:npm/jquery-ui@1.11.2

# Dockerfile (241:241)
COPY --from=build /tmp/install /flightgear/script/dnc-managed/install

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.13.0`
Fixed version	`1.13.0`
CVSS Score	`6.5`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N`
EPSS Score	`25.367%`
EPSS Percentile	`96th percentile`

Description

Impact

Accepting the value of the of option of the .position() util from untrusted sources may execute untrusted code. For example, invoking the following code:
$( "#element" ).position( {
	my: "left top",
	at: "right bottom",
	of: "<img onerror='doEvilThing()' src='/404' />",
	collision: "none"
} );
will call the doEvilThing() function.

Patches

The issue is fixed in jQuery UI 1.13.0. Any string value passed to the of option is now treated as a CSS selector.

Workarounds

A workaround is to not accept the value of the of option from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.13.0`
Fixed version	`1.13.0`
CVSS Score	`6.5`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N`
EPSS Score	`2.921%`
EPSS Percentile	`86th percentile`

Description

Impact

Accepting the value of various *Text options of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker in the following way:
$( "#datepicker" ).datepicker( {
	showButtonPanel: true,
	showOn: "both",
	closeText: "<script>doEvilThing( 'closeText XSS' )</script>",
	currentText: "<script>doEvilThing( 'currentText XSS' )</script>",
	prevText: "<script>doEvilThing( 'prevText XSS' )</script>",
	nextText: "<script>doEvilThing( 'nextText XSS' )</script>",
	buttonText: "<script>doEvilThing( 'buttonText XSS' )</script>",
	appendText: "<script>doEvilThing( 'appendText XSS' )</script>",
} );
will call doEvilThing with 6 different parameters coming from all *Text options.

Patches

The issue is fixed in jQuery UI 1.13.0. The values passed to various *Text options are now always treated as pure text, not HTML.

Workarounds

A workaround is to not accept the value of the *Text options from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.13.0`
Fixed version	`1.13.0`
CVSS Score	`6.5`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N`
EPSS Score	`24.078%`
EPSS Percentile	`96th percentile`

Description

Impact

Accepting the value of the altField option of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker in the following way:
$( "#datepicker" ).datepicker( {
	altField: "<img onerror='doEvilThing()' src='/404' />",
} );
will call the doEvilThing function.

Patches

The issue is fixed in jQuery UI 1.13.0. Any string value passed to the altField option is now treated as a CSS selector.

Workarounds

A workaround is to not accept the value of the altField option from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.13.2`
Fixed version	`1.13.2`
CVSS Score	`6.1`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N`
EPSS Score	`10.183%`
EPSS Percentile	`93rd percentile`

Description

Impact

Initializing a checkboxradio widget on an input enclosed within a label makes that parent label contents considered as the input label. If you call .checkboxradio( "refresh" ) on such a widget and the initial HTML contained encoded HTML entities, they will erroneously get decoded. This can lead to potentially executing JavaScript code.

For example, starting with the following initial secure HTML:
<label>
	<input id="test-input">
	&lt;img src=x onerror="alert(1)"&gt;
</label>
and calling:
$( "#test-input" ).checkboxradio();
$( "#test-input" ).checkboxradio( "refresh" );
will turn the initial HTML into:
<label>
	
	<input id="test-input">
	<img src=x onerror="alert(1)">
</label>
and the alert will get executed.

Patches

The bug has been patched in jQuery UI 1.13.2.

Workarounds

To remediate the issue, if you can change the initial HTML, you can wrap all the non-input contents of the label in a span:
<label>
	<input id="test-input">
	<span>&lt;img src=x onerror="alert(1)"&gt;</span>
</label>
References

https://blog.jqueryui.com/2022/07/jquery-ui-1-13-2-released/

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.12.0`
Fixed version	`1.12.0`
CVSS Score	`6.1`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N`
EPSS Score	`1.397%`
EPSS Percentile	`80th percentile`

Description

Affected versions of jquery-ui are vulnerable to a cross-site scripting vulnerability when arbitrary user input is supplied as the value of the closeText parameter in the dialog function.

jQuery-UI is a library for manipulating UI elements via jQuery.

Version 1.11.4 has a cross site scripting (XSS) vulnerability in the closeText parameter of the dialog function. If your application passes user input to this parameter, it may be vulnerable to XSS via this attack vector.

Recommendation

Upgrade to jQuery-UI 1.12.0 or later.

OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

Affected range	`<=1.11.4`
Fixed version	`1.12.0`

Description

jQuery-UI has a cross site scripting (XSS) vulnerability in the closeText parameter of the dialog function. If your application passes user input to this parameter, it may be vulnerable to XSS via this attack vector.

github-actions · 2026-04-19T09:08:33Z

Recommended fixes for image (linux/arm/v7) `ghcr.io/jlp04/elevation-generator:test`

Base image is debian:latest

Name	13.4
Digest	sha256:6a19f1d932905b07c6a419e2ab2a4472fa87c3ea0619264ca9e482261f78b524
Vulnerabilities
Pushed	1 week ago
Size	46 MB
Packages	111
OS	13.4

The base image is also available under the supported tag(s): 13, 13.4, trixie, trixie-20260406

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

✅ There are no tag recommendations at this time.

github-actions · 2026-04-19T09:08:58Z

Overview

Image reference	`jlp04/elevation-generator:latest`	`ghcr.io/jlp04/elevation-generator:test`
- digest	`fc6f2348d62d`	`5caa7764c1f1`
- tag	`latest`	`test`
- provenance	https://github.com/JLP04/docker-elevation-generator.git#refs/pull/18/merge/commit/2b22b04b7db9dc1f4a130273da4314a7df2ed702	https://github.com/JLP04/docker-elevation-generator.git#afa985114c1e84627e03e8f53f37461a8b191f40/commit/afa985114c1e84627e03e8f53f37461a8b191f40
- vulnerabilities
- platform	linux/arm	linux/arm
- size	9.4 GB	9.4 GB (+15 kB)
- packages	945	945
Base Image	`debian:latest` also known as: • `13` • `13.4` • `trixie` • `trixie-20260406`	`debian:latest` also known as: • `13` • `13.4` • `trixie` • `trixie-20260406`
- vulnerabilities

Packages and Vulnerabilities (2 package changes and 0 vulnerability changes)

♾️ 2 packages changed

597 packages unchanged

Changes for packages of type deb (2 changes)

	Package	Version `jlp04/elevation-generator:latest`	Version `ghcr.io/jlp04/elevation-generator:test`
♾️	libgdk-pixbuf-2.0-0	`2.42.12+dfsg-4`	`2.42.12+dfsg-4+deb13u1`
♾️	libgdk-pixbuf2.0-common	`2.42.12+dfsg-4`	`2.42.12+dfsg-4+deb13u1`

github-actions · 2026-04-19T09:09:21Z


Your image	`ghcr.io/jlp04/elevation-generator:test`
Current base image	`debian:latest`

github-actions · 2026-04-19T09:09:25Z

🔍 Vulnerabilities of `ghcr.io/jlp04/elevation-generator:test`

📦 Image Reference ghcr.io/jlp04/elevation-generator:test

digest	`sha256:ebbdef63ce949e575690df7c6725f0cacb03c9378d4a2b3cd9ffbdf41963d160`
vulnerabilities
platform	linux/arm64
size	9.4 GB
packages	959

📦 Base Image debian:13

also known as	`13.4` `latest` `trixie` `trixie-20260406`
digest	`sha256:bbf332fa3a2b2a2836e2c170fd4affc4162d3323d47401a56128460275500655`
vulnerabilities

stdlib 1.25.7 (golang)

pkg:golang/stdlib@1.25.7

# Dockerfile (255:255)
RUN set -o pipefail && curl https://getcroc.schollz.com | bash || curl https://getcroc.schollz.com | sed 's^croc_base_url="https://github.com/schollz/croc/releases/download"^croc_base_url="file://"^g' | bash

Affected range	`<1.25.9`
Fixed version	`1.25.9`
EPSS Score	`0.015%`
EPSS Percentile	`3rd percentile`

Description

If one side of the TLS connection sends multiple key update messages post-handshake in a single record, the connection can deadlock, causing uncontrolled consumption of resources. This can lead to a denial of service.

This only affects TLS 1.3.

Affected range	`<1.25.9`
Fixed version	`1.25.9`
EPSS Score	`0.018%`
EPSS Percentile	`4th percentile`

Description

Validating certificate chains which use policies is unexpectedly inefficient when certificates in the chain contain a very large number of policy mappings, possibly causing denial of service.

This only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Roots CertPool, or in the system certificate pool.

Affected range	`<1.25.9`
Fixed version	`1.25.9`
EPSS Score	`0.017%`
EPSS Percentile	`4th percentile`

Description

During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions.Intermediates, which can lead to a denial of service. This affects both direct users of crypto/x509 and users of crypto/tls.

Affected range	`<1.25.8`
Fixed version	`1.25.8`
EPSS Score	`0.033%`
EPSS Percentile	`10th percentile`

Description

url.Parse insufficiently validated the host/authority component and accepted some invalid URLs.

Affected range	`<1.25.9`
Fixed version	`1.25.9`
EPSS Score	`0.008%`
EPSS Percentile	`1st percentile`

Description

On Linux, if the target of Root.Chmod is replaced with a symlink while the chmod operation is in progress, Chmod can operate on the target of the symlink, even when the target lies outside the root.

The Linux fchmodat syscall silently ignores the AT_SYMLINK_NOFOLLOW flag, which Root.Chmod uses to avoid symlink traversal. Root.Chmod checks its target before acting and returns an error if the target is a symlink lying outside the root, so the impact is limited to cases where the target is replaced with a symlink between the check and operation.

Affected range	`<1.25.9`
Fixed version	`1.25.9`
EPSS Score	`0.010%`
EPSS Percentile	`1st percentile`

Description

Context was not properly tracked across template branches for JS template literals, leading to possibly incorrect escaping of content when branches were used. Additionally template actions within JS template literals did not properly track the brace depth, leading to incorrect escaping being applied.

These issues could cause actions within JS template literals to be incorrectly or improperly escaped, leading to XSS vulnerabilities.

Affected range	`<1.25.8`
Fixed version	`1.25.8`
EPSS Score	`0.012%`
EPSS Percentile	`2nd percentile`

Description

Actions which insert URLs into the content attribute of HTML meta tags are not escaped. This can allow XSS if the meta tag also has an http-equiv attribute with the value "refresh".

A new GODEBUG setting has been added, htmlmetacontenturlescape, which can be used to disable escaping URLs in actions in the meta content attribute which follow "url=" by setting htmlmetacontenturlescape=0.

Affected range	`<1.25.9`
Fixed version	`1.25.9`
EPSS Score	`0.004%`
EPSS Percentile	`0th percentile`

Description

tar.Reader can allocate an unbounded amount of memory when reading a maliciously-crafted archive containing a large number of sparse regions encoded in the "old GNU sparse map" format.

Affected range	`<1.25.8`
Fixed version	`1.25.8`
EPSS Score	`0.005%`
EPSS Percentile	`0th percentile`

Description

On Unix platforms, when listing the contents of a directory using File.ReadDir or File.Readdir the returned FileInfo could reference a file outside of the Root in which the File was opened.

The impact of this escape is limited to reading metadata provided by lstat from arbitrary locations on the filesystem without permitting reading or writing files outside the root.

jquery-ui 1.11.2 (npm)

pkg:npm/jquery-ui@1.11.2

# Dockerfile (241:241)
COPY --from=build /tmp/install /flightgear/script/dnc-managed/install

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.13.0`
Fixed version	`1.13.0`
CVSS Score	`6.5`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N`
EPSS Score	`25.367%`
EPSS Percentile	`96th percentile`

Description

Impact

Accepting the value of the of option of the .position() util from untrusted sources may execute untrusted code. For example, invoking the following code:
$( "#element" ).position( {
	my: "left top",
	at: "right bottom",
	of: "<img onerror='doEvilThing()' src='/404' />",
	collision: "none"
} );
will call the doEvilThing() function.

Patches

The issue is fixed in jQuery UI 1.13.0. Any string value passed to the of option is now treated as a CSS selector.

Workarounds

A workaround is to not accept the value of the of option from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.13.0`
Fixed version	`1.13.0`
CVSS Score	`6.5`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N`
EPSS Score	`2.921%`
EPSS Percentile	`86th percentile`

Description

Impact

Accepting the value of various *Text options of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker in the following way:
$( "#datepicker" ).datepicker( {
	showButtonPanel: true,
	showOn: "both",
	closeText: "<script>doEvilThing( 'closeText XSS' )</script>",
	currentText: "<script>doEvilThing( 'currentText XSS' )</script>",
	prevText: "<script>doEvilThing( 'prevText XSS' )</script>",
	nextText: "<script>doEvilThing( 'nextText XSS' )</script>",
	buttonText: "<script>doEvilThing( 'buttonText XSS' )</script>",
	appendText: "<script>doEvilThing( 'appendText XSS' )</script>",
} );
will call doEvilThing with 6 different parameters coming from all *Text options.

Patches

The issue is fixed in jQuery UI 1.13.0. The values passed to various *Text options are now always treated as pure text, not HTML.

Workarounds

A workaround is to not accept the value of the *Text options from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.13.0`
Fixed version	`1.13.0`
CVSS Score	`6.5`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N`
EPSS Score	`24.078%`
EPSS Percentile	`96th percentile`

Description

Impact

Accepting the value of the altField option of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker in the following way:
$( "#datepicker" ).datepicker( {
	altField: "<img onerror='doEvilThing()' src='/404' />",
} );
will call the doEvilThing function.

Patches

The issue is fixed in jQuery UI 1.13.0. Any string value passed to the altField option is now treated as a CSS selector.

Workarounds

A workaround is to not accept the value of the altField option from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.13.2`
Fixed version	`1.13.2`
CVSS Score	`6.1`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N`
EPSS Score	`10.183%`
EPSS Percentile	`93rd percentile`

Description

Impact

Initializing a checkboxradio widget on an input enclosed within a label makes that parent label contents considered as the input label. If you call .checkboxradio( "refresh" ) on such a widget and the initial HTML contained encoded HTML entities, they will erroneously get decoded. This can lead to potentially executing JavaScript code.

For example, starting with the following initial secure HTML:
<label>
	<input id="test-input">
	&lt;img src=x onerror="alert(1)"&gt;
</label>
and calling:
$( "#test-input" ).checkboxradio();
$( "#test-input" ).checkboxradio( "refresh" );
will turn the initial HTML into:
<label>
	
	<input id="test-input">
	<img src=x onerror="alert(1)">
</label>
and the alert will get executed.

Patches

The bug has been patched in jQuery UI 1.13.2.

Workarounds

To remediate the issue, if you can change the initial HTML, you can wrap all the non-input contents of the label in a span:
<label>
	<input id="test-input">
	<span>&lt;img src=x onerror="alert(1)"&gt;</span>
</label>
References

https://blog.jqueryui.com/2022/07/jquery-ui-1-13-2-released/

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.12.0`
Fixed version	`1.12.0`
CVSS Score	`6.1`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N`
EPSS Score	`1.397%`
EPSS Percentile	`80th percentile`

Description

Affected versions of jquery-ui are vulnerable to a cross-site scripting vulnerability when arbitrary user input is supplied as the value of the closeText parameter in the dialog function.

jQuery-UI is a library for manipulating UI elements via jQuery.

Version 1.11.4 has a cross site scripting (XSS) vulnerability in the closeText parameter of the dialog function. If your application passes user input to this parameter, it may be vulnerable to XSS via this attack vector.

Recommendation

Upgrade to jQuery-UI 1.12.0 or later.

OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

Affected range	`<=1.11.4`
Fixed version	`1.12.0`

Description

jQuery-UI has a cross site scripting (XSS) vulnerability in the closeText parameter of the dialog function. If your application passes user input to this parameter, it may be vulnerable to XSS via this attack vector.

github-actions · 2026-04-19T09:09:29Z

Recommended fixes for image (linux/arm64) `ghcr.io/jlp04/elevation-generator:test`

Base image is debian:latest

Name	13.4
Digest	sha256:bbf332fa3a2b2a2836e2c170fd4affc4162d3323d47401a56128460275500655
Vulnerabilities
Pushed	1 week ago
Size	50 MB
Packages	111
OS	13.4

The base image is also available under the supported tag(s): 13, 13.4, trixie, trixie-20260406

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

✅ There are no tag recommendations at this time.

github-actions · 2026-04-19T09:09:56Z

Overview

Image reference	`jlp04/elevation-generator:latest`	`ghcr.io/jlp04/elevation-generator:test`
- digest	`5b83a5f7ea3a`	`ebbdef63ce94`
- tag	`latest`	`test`
- provenance	https://github.com/JLP04/docker-elevation-generator.git#refs/pull/18/merge/commit/2b22b04b7db9dc1f4a130273da4314a7df2ed702	https://github.com/JLP04/docker-elevation-generator.git#afa985114c1e84627e03e8f53f37461a8b191f40/commit/afa985114c1e84627e03e8f53f37461a8b191f40
- vulnerabilities
- platform	linux/arm64	linux/arm64
- size	9.4 GB	9.4 GB (+28 kB)
- packages	959	959
Base Image	`debian:latest` also known as: • `13` • `13.4` • `trixie` • `trixie-20260406`	`debian:latest` also known as: • `13` • `13.4` • `trixie` • `trixie-20260406`
- vulnerabilities

Packages and Vulnerabilities (2 package changes and 0 vulnerability changes)

♾️ 2 packages changed

603 packages unchanged

Changes for packages of type deb (2 changes)

	Package	Version `jlp04/elevation-generator:latest`	Version `ghcr.io/jlp04/elevation-generator:test`
♾️	libgdk-pixbuf-2.0-0	`2.42.12+dfsg-4`	`2.42.12+dfsg-4+deb13u1`
♾️	libgdk-pixbuf2.0-common	`2.42.12+dfsg-4`	`2.42.12+dfsg-4+deb13u1`

github-actions · 2026-04-19T09:10:17Z


Your image	`ghcr.io/jlp04/elevation-generator:test`
Current base image	`debian:latest`

github-actions · 2026-04-19T09:10:22Z

🔍 Vulnerabilities of `ghcr.io/jlp04/elevation-generator:test`

📦 Image Reference ghcr.io/jlp04/elevation-generator:test

digest	`sha256:95e9ada35fd76edb147668cff4805c8da48b43e57fa1b273bbea3eb251edca7d`
vulnerabilities
platform	linux/ppc64le
size	9.5 GB
packages	955

📦 Base Image debian:13

also known as	`13.4` `latest` `trixie` `trixie-20260406`
digest	`sha256:326faa80f494fd4350b44236f4b48b829f6436a74c40d92fb22bb8123c051ecd`
vulnerabilities

stdlib 1.25.0 (golang)

pkg:golang/stdlib@1.25.0

# Dockerfile (255:255)
RUN set -o pipefail && curl https://getcroc.schollz.com | bash || curl https://getcroc.schollz.com | sed 's^croc_base_url="https://github.com/schollz/croc/releases/download"^croc_base_url="file://"^g' | bash

Affected range	`>=1.25.0-0 <1.25.7`
Fixed version	`1.25.7`
EPSS Score	`0.018%`
EPSS Percentile	`4th percentile`

Description

During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed. This may happen when a user calls Config.Clone and mutates the returned Config, or uses Config.GetConfigForClient. This can cause a client to resume a session with a server that it would not have resumed with during the initial handshake, or cause a server to resume a session with a client that it would not have resumed with during the initial handshake.

Affected range	`<1.25.9`
Fixed version	`1.25.9`
EPSS Score	`0.015%`
EPSS Percentile	`3rd percentile`

Description

If one side of the TLS connection sends multiple key update messages post-handshake in a single record, the connection can deadlock, causing uncontrolled consumption of resources. This can lead to a denial of service.

This only affects TLS 1.3.

Affected range	`<1.25.9`
Fixed version	`1.25.9`
EPSS Score	`0.018%`
EPSS Percentile	`4th percentile`

Description

Validating certificate chains which use policies is unexpectedly inefficient when certificates in the chain contain a very large number of policy mappings, possibly causing denial of service.

This only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Roots CertPool, or in the system certificate pool.

Affected range	`<1.25.9`
Fixed version	`1.25.9`
EPSS Score	`0.017%`
EPSS Percentile	`4th percentile`

Description

During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions.Intermediates, which can lead to a denial of service. This affects both direct users of crypto/x509 and users of crypto/tls.

Affected range	`<1.25.8`
Fixed version	`1.25.8`
EPSS Score	`0.033%`
EPSS Percentile	`10th percentile`

Description

url.Parse insufficiently validated the host/authority component and accepted some invalid URLs.

Affected range	`>=1.25.0 <1.25.5`
Fixed version	`1.25.5`
EPSS Score	`0.023%`
EPSS Percentile	`6th percentile`

Description

Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a malicious actor can result in excessive resource consumption.

Affected range	`>=1.25.0 <1.25.6`
Fixed version	`1.25.6`
EPSS Score	`0.034%`
EPSS Percentile	`10th percentile`

Description

The net/url package does not set a limit on the number of query parameters in a query.

While the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse large URL-encoded forms. Parsing a large form containing many unique query parameters can cause excessive memory consumption.

Affected range	`>=1.25.0 <1.25.2`
Fixed version	`1.25.2`
EPSS Score	`0.040%`
EPSS Percentile	`12th percentile`

Description

The ParseAddress function constructs domain-literal address components through repeated string concatenation. When parsing large domain-literal components, this can cause excessive CPU consumption.

Affected range	`>=1.25.0 <1.25.2`
Fixed version	`1.25.2`
EPSS Score	`0.039%`
EPSS Percentile	`11th percentile`

Description

The processing time for parsing some invalid inputs scales non-linearly with respect to the size of the input.

This affects programs which parse untrusted PEM inputs.

Affected range	`>=1.25.0 <1.25.2`
Fixed version	`1.25.2`
EPSS Score	`0.009%`
EPSS Percentile	`1st percentile`

Description

Validating certificate chains which contain DSA public keys can cause programs to panic, due to a interface cast that assumes they implement the Equal method.

This affects programs which validate arbitrary certificate chains.

Affected range	`>=1.25.0 <1.25.3`
Fixed version	`1.25.3`
EPSS Score	`0.018%`
EPSS Percentile	`5th percentile`

Description

Due to the design of the name constraint checking algorithm, the processing time of some inputs scale non-linearly with respect to the size of the certificate.

This affects programs which validate arbitrary certificate chains.

Affected range	`>=1.25.0 <1.25.6`
Fixed version	`1.25.6`
EPSS Score	`0.019%`
EPSS Percentile	`5th percentile`

Description

archive/zip uses a super-linear file name indexing algorithm that is invoked the first time a file in an archive is opened. This can lead to a denial of service when consuming a maliciously constructed ZIP archive.

Affected range	`>=1.25.0 <1.25.5`
Fixed version	`1.25.5`
EPSS Score	`0.011%`
EPSS Percentile	`1st percentile`

Description

An excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard SANs in the leaf certificate. For example a constraint that excludes the subdomain test.example.com does not prevent a leaf certificate from claiming the SAN *.example.com.

Affected range	`<1.25.9`
Fixed version	`1.25.9`
EPSS Score	`0.008%`
EPSS Percentile	`1st percentile`

Description

On Linux, if the target of Root.Chmod is replaced with a symlink while the chmod operation is in progress, Chmod can operate on the target of the symlink, even when the target lies outside the root.

The Linux fchmodat syscall silently ignores the AT_SYMLINK_NOFOLLOW flag, which Root.Chmod uses to avoid symlink traversal. Root.Chmod checks its target before acting and returns an error if the target is a symlink lying outside the root, so the impact is limited to cases where the target is replaced with a symlink between the check and operation.

Affected range	`<1.25.9`
Fixed version	`1.25.9`
EPSS Score	`0.010%`
EPSS Percentile	`1st percentile`

Description

Context was not properly tracked across template branches for JS template literals, leading to possibly incorrect escaping of content when branches were used. Additionally template actions within JS template literals did not properly track the brace depth, leading to incorrect escaping being applied.

These issues could cause actions within JS template literals to be incorrectly or improperly escaped, leading to XSS vulnerabilities.

Affected range	`<1.25.8`
Fixed version	`1.25.8`
EPSS Score	`0.012%`
EPSS Percentile	`2nd percentile`

Description

Actions which insert URLs into the content attribute of HTML meta tags are not escaped. This can allow XSS if the meta tag also has an http-equiv attribute with the value "refresh".

A new GODEBUG setting has been added, htmlmetacontenturlescape, which can be used to disable escaping URLs in actions in the meta content attribute which follow "url=" by setting htmlmetacontenturlescape=0.

Affected range	`<1.25.9`
Fixed version	`1.25.9`
EPSS Score	`0.004%`
EPSS Percentile	`0th percentile`

Description

tar.Reader can allocate an unbounded amount of memory when reading a maliciously-crafted archive containing a large number of sparse regions encoded in the "old GNU sparse map" format.

Affected range	`>=1.25.0 <1.25.1`
Fixed version	`1.25.1`
EPSS Score	`0.012%`
EPSS Percentile	`2nd percentile`

Description

When using http.CrossOriginProtection, the AddInsecureBypassPattern method can unexpectedly bypass more requests than intended. CrossOriginProtection then skips validation, but forwards the original request path, which may be served by a different handler without the intended security protections.

Affected range	`>=1.25.0 <1.25.6`
Fixed version	`1.25.6`
EPSS Score	`0.009%`
EPSS Percentile	`1st percentile`

Description

During the TLS 1.3 handshake if multiple messages are sent in records that span encryption level boundaries (for instance the Client Hello and Encrypted Extensions messages), the subsequent messages may be processed before the encryption level changes. This can cause some minor information disclosure if a network-local attacker can inject messages during the handshake.

Affected range	`>=1.25.0 <1.25.2`
Fixed version	`1.25.2`
EPSS Score	`0.021%`
EPSS Percentile	`6th percentile`

Description

The Reader.ReadResponse function constructs a response string through repeated string concatenation of lines. When the number of lines in a response is large, this can cause excessive CPU consumption.

Affected range	`>=1.25.0 <1.25.2`
Fixed version	`1.25.2`
EPSS Score	`0.012%`
EPSS Percentile	`2nd percentile`

Description

When Conn.Handshake fails during ALPN negotiation the error contains attacker controlled information (the ALPN protocols sent by the client) which is not escaped.

Affected range	`>=1.25.0 <1.25.2`
Fixed version	`1.25.2`
EPSS Score	`0.037%`
EPSS Percentile	`11th percentile`

Description

Despite HTTP headers having a default limit of 1MB, the number of cookies that can be parsed does not have a limit. By sending a lot of very small cookies such as "a=;", an attacker can make an HTTP server allocate a large amount of structs, causing large memory consumption.

Affected range	`>=1.25.0 <1.25.2`
Fixed version	`1.25.2`
EPSS Score	`0.031%`
EPSS Percentile	`9th percentile`

Description

Parsing a maliciously crafted DER payload could allocate large amounts of memory, causing memory exhaustion.

Affected range	`>=1.25.0 <1.25.2`
Fixed version	`1.25.2`
EPSS Score	`0.022%`
EPSS Percentile	`6th percentile`

Description

The Parse function permits values other than IPv6 addresses to be included in square brackets within the host component of a URL. RFC 3986 permits IPv6 addresses to be included within the host component, enclosed within square brackets. For example: "http://[::1]/". IPv4 addresses and hostnames must not appear within square brackets. Parse did not enforce this requirement.

Affected range	`>=1.25.0 <1.25.2`
Fixed version	`1.25.2`
EPSS Score	`0.017%`
EPSS Percentile	`4th percentile`

Description

tar.Reader does not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A maliciously-crafted archive containing a large number of sparse regions can cause a Reader to read an unbounded amount of data from the archive into memory. When reading from a compressed source, a small compressed input can result in large allocations.

Affected range	`<1.25.8`
Fixed version	`1.25.8`
EPSS Score	`0.005%`
EPSS Percentile	`0th percentile`

Description

On Unix platforms, when listing the contents of a directory using File.ReadDir or File.Readdir the returned FileInfo could reference a file outside of the Root in which the File was opened.

The impact of this escape is limited to reading metadata provided by lstat from arbitrary locations on the filesystem without permitting reading or writing files outside the root.

jquery-ui 1.11.2 (npm)

pkg:npm/jquery-ui@1.11.2

# Dockerfile (241:241)
COPY --from=build /tmp/install /flightgear/script/dnc-managed/install

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.13.0`
Fixed version	`1.13.0`
CVSS Score	`6.5`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N`
EPSS Score	`25.367%`
EPSS Percentile	`96th percentile`

Description

Impact

Accepting the value of the of option of the .position() util from untrusted sources may execute untrusted code. For example, invoking the following code:
$( "#element" ).position( {
	my: "left top",
	at: "right bottom",
	of: "<img onerror='doEvilThing()' src='/404' />",
	collision: "none"
} );
will call the doEvilThing() function.

Patches

The issue is fixed in jQuery UI 1.13.0. Any string value passed to the of option is now treated as a CSS selector.

Workarounds

A workaround is to not accept the value of the of option from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.13.0`
Fixed version	`1.13.0`
CVSS Score	`6.5`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N`
EPSS Score	`2.921%`
EPSS Percentile	`86th percentile`

Description

Impact

Accepting the value of various *Text options of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker in the following way:
$( "#datepicker" ).datepicker( {
	showButtonPanel: true,
	showOn: "both",
	closeText: "<script>doEvilThing( 'closeText XSS' )</script>",
	currentText: "<script>doEvilThing( 'currentText XSS' )</script>",
	prevText: "<script>doEvilThing( 'prevText XSS' )</script>",
	nextText: "<script>doEvilThing( 'nextText XSS' )</script>",
	buttonText: "<script>doEvilThing( 'buttonText XSS' )</script>",
	appendText: "<script>doEvilThing( 'appendText XSS' )</script>",
} );
will call doEvilThing with 6 different parameters coming from all *Text options.

Patches

The issue is fixed in jQuery UI 1.13.0. The values passed to various *Text options are now always treated as pure text, not HTML.

Workarounds

A workaround is to not accept the value of the *Text options from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.13.0`
Fixed version	`1.13.0`
CVSS Score	`6.5`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N`
EPSS Score	`24.078%`
EPSS Percentile	`96th percentile`

Description

Impact

Accepting the value of the altField option of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker in the following way:
$( "#datepicker" ).datepicker( {
	altField: "<img onerror='doEvilThing()' src='/404' />",
} );
will call the doEvilThing function.

Patches

The issue is fixed in jQuery UI 1.13.0. Any string value passed to the altField option is now treated as a CSS selector.

Workarounds

A workaround is to not accept the value of the altField option from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.13.2`
Fixed version	`1.13.2`
CVSS Score	`6.1`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N`
EPSS Score	`10.183%`
EPSS Percentile	`93rd percentile`

Description

Impact

Initializing a checkboxradio widget on an input enclosed within a label makes that parent label contents considered as the input label. If you call .checkboxradio( "refresh" ) on such a widget and the initial HTML contained encoded HTML entities, they will erroneously get decoded. This can lead to potentially executing JavaScript code.

For example, starting with the following initial secure HTML:
<label>
	<input id="test-input">
	&lt;img src=x onerror="alert(1)"&gt;
</label>
and calling:
$( "#test-input" ).checkboxradio();
$( "#test-input" ).checkboxradio( "refresh" );
will turn the initial HTML into:
<label>
	
	<input id="test-input">
	<img src=x onerror="alert(1)">
</label>
and the alert will get executed.

Patches

The bug has been patched in jQuery UI 1.13.2.

Workarounds

To remediate the issue, if you can change the initial HTML, you can wrap all the non-input contents of the label in a span:
<label>
	<input id="test-input">
	<span>&lt;img src=x onerror="alert(1)"&gt;</span>
</label>
References

https://blog.jqueryui.com/2022/07/jquery-ui-1-13-2-released/

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.12.0`
Fixed version	`1.12.0`
CVSS Score	`6.1`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N`
EPSS Score	`1.397%`
EPSS Percentile	`80th percentile`

Description

Affected versions of jquery-ui are vulnerable to a cross-site scripting vulnerability when arbitrary user input is supplied as the value of the closeText parameter in the dialog function.

jQuery-UI is a library for manipulating UI elements via jQuery.

Version 1.11.4 has a cross site scripting (XSS) vulnerability in the closeText parameter of the dialog function. If your application passes user input to this parameter, it may be vulnerable to XSS via this attack vector.

Recommendation

Upgrade to jQuery-UI 1.12.0 or later.

OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

Affected range	`<=1.11.4`
Fixed version	`1.12.0`

Description

jQuery-UI has a cross site scripting (XSS) vulnerability in the closeText parameter of the dialog function. If your application passes user input to this parameter, it may be vulnerable to XSS via this attack vector.

github-actions · 2026-04-19T09:10:25Z

Recommended fixes for image (linux/ppc64le) `ghcr.io/jlp04/elevation-generator:test`

Base image is debian:latest

Name	13.4
Digest	sha256:326faa80f494fd4350b44236f4b48b829f6436a74c40d92fb22bb8123c051ecd
Vulnerabilities
Pushed	1 week ago
Size	53 MB
Packages	111
OS	13.4

The base image is also available under the supported tag(s): 13, 13.4, trixie, trixie-20260406

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

✅ There are no tag recommendations at this time.

github-actions · 2026-04-19T09:10:51Z

Overview

Image reference	`jlp04/elevation-generator:latest`	`ghcr.io/jlp04/elevation-generator:test`
- digest	`c90b6307e23b`	`95e9ada35fd7`
- tag	`latest`	`test`
- provenance	https://github.com/JLP04/docker-elevation-generator.git#refs/pull/18/merge/commit/2b22b04b7db9dc1f4a130273da4314a7df2ed702	https://github.com/JLP04/docker-elevation-generator.git#afa985114c1e84627e03e8f53f37461a8b191f40/commit/afa985114c1e84627e03e8f53f37461a8b191f40
- vulnerabilities
- platform	linux/ppc64le	linux/ppc64le
- size	9.5 GB	9.5 GB (+23 kB)
- packages	955	955
Base Image	`debian:latest` also known as: • `13` • `13.4` • `trixie` • `trixie-20260406`	`debian:latest` also known as: • `13` • `13.4` • `trixie` • `trixie-20260406`
- vulnerabilities

Packages and Vulnerabilities (2 package changes and 0 vulnerability changes)

♾️ 2 packages changed

600 packages unchanged

Changes for packages of type deb (2 changes)

	Package	Version `jlp04/elevation-generator:latest`	Version `ghcr.io/jlp04/elevation-generator:test`
♾️	libgdk-pixbuf-2.0-0	`2.42.12+dfsg-4`	`2.42.12+dfsg-4+deb13u1`
♾️	libgdk-pixbuf2.0-common	`2.42.12+dfsg-4`	`2.42.12+dfsg-4+deb13u1`

github-actions · 2026-04-19T09:11:13Z


Your image	`ghcr.io/jlp04/elevation-generator:test`
Current base image	`debian:latest`

github-actions · 2026-04-19T09:11:18Z

🔍 Vulnerabilities of `ghcr.io/jlp04/elevation-generator:test`

📦 Image Reference ghcr.io/jlp04/elevation-generator:test

digest	`sha256:98f66431db2ad008c49f69034bd374cadb532e56c7e6bd1de3f0373fec639348`
vulnerabilities
platform	linux/riscv64
size	9.4 GB
packages	950

📦 Base Image debian:13

also known as	`13.4` `latest` `trixie` `trixie-20260406`
digest	`sha256:47d044b8fd14b3d84b55875aec5fd6eda38f2a975ab4cedd2130f128f4a8b978`
vulnerabilities

stdlib 1.25.7 (golang)

pkg:golang/stdlib@1.25.7

# Dockerfile (255:255)
RUN set -o pipefail && curl https://getcroc.schollz.com | bash || curl https://getcroc.schollz.com | sed 's^croc_base_url="https://github.com/schollz/croc/releases/download"^croc_base_url="file://"^g' | bash

Affected range	`<1.25.9`
Fixed version	`1.25.9`
EPSS Score	`0.015%`
EPSS Percentile	`3rd percentile`

Description

If one side of the TLS connection sends multiple key update messages post-handshake in a single record, the connection can deadlock, causing uncontrolled consumption of resources. This can lead to a denial of service.

This only affects TLS 1.3.

Affected range	`<1.25.9`
Fixed version	`1.25.9`
EPSS Score	`0.018%`
EPSS Percentile	`4th percentile`

Description

Validating certificate chains which use policies is unexpectedly inefficient when certificates in the chain contain a very large number of policy mappings, possibly causing denial of service.

This only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Roots CertPool, or in the system certificate pool.

Affected range	`<1.25.9`
Fixed version	`1.25.9`
EPSS Score	`0.017%`
EPSS Percentile	`4th percentile`

Description

During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions.Intermediates, which can lead to a denial of service. This affects both direct users of crypto/x509 and users of crypto/tls.

Affected range	`<1.25.8`
Fixed version	`1.25.8`
EPSS Score	`0.033%`
EPSS Percentile	`10th percentile`

Description

url.Parse insufficiently validated the host/authority component and accepted some invalid URLs.

Affected range	`<1.25.9`
Fixed version	`1.25.9`
EPSS Score	`0.008%`
EPSS Percentile	`1st percentile`

Description

On Linux, if the target of Root.Chmod is replaced with a symlink while the chmod operation is in progress, Chmod can operate on the target of the symlink, even when the target lies outside the root.

The Linux fchmodat syscall silently ignores the AT_SYMLINK_NOFOLLOW flag, which Root.Chmod uses to avoid symlink traversal. Root.Chmod checks its target before acting and returns an error if the target is a symlink lying outside the root, so the impact is limited to cases where the target is replaced with a symlink between the check and operation.

Affected range	`<1.25.9`
Fixed version	`1.25.9`
EPSS Score	`0.010%`
EPSS Percentile	`1st percentile`

Description

Context was not properly tracked across template branches for JS template literals, leading to possibly incorrect escaping of content when branches were used. Additionally template actions within JS template literals did not properly track the brace depth, leading to incorrect escaping being applied.

These issues could cause actions within JS template literals to be incorrectly or improperly escaped, leading to XSS vulnerabilities.

Affected range	`<1.25.8`
Fixed version	`1.25.8`
EPSS Score	`0.012%`
EPSS Percentile	`2nd percentile`

Description

Actions which insert URLs into the content attribute of HTML meta tags are not escaped. This can allow XSS if the meta tag also has an http-equiv attribute with the value "refresh".

A new GODEBUG setting has been added, htmlmetacontenturlescape, which can be used to disable escaping URLs in actions in the meta content attribute which follow "url=" by setting htmlmetacontenturlescape=0.

Affected range	`<1.25.9`
Fixed version	`1.25.9`
EPSS Score	`0.004%`
EPSS Percentile	`0th percentile`

Description

tar.Reader can allocate an unbounded amount of memory when reading a maliciously-crafted archive containing a large number of sparse regions encoded in the "old GNU sparse map" format.

Affected range	`<1.25.8`
Fixed version	`1.25.8`
EPSS Score	`0.005%`
EPSS Percentile	`0th percentile`

Description

On Unix platforms, when listing the contents of a directory using File.ReadDir or File.Readdir the returned FileInfo could reference a file outside of the Root in which the File was opened.

The impact of this escape is limited to reading metadata provided by lstat from arbitrary locations on the filesystem without permitting reading or writing files outside the root.

jquery-ui 1.11.2 (npm)

pkg:npm/jquery-ui@1.11.2

# Dockerfile (241:241)
COPY --from=build /tmp/install /flightgear/script/dnc-managed/install

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.13.0`
Fixed version	`1.13.0`
CVSS Score	`6.5`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N`
EPSS Score	`25.367%`
EPSS Percentile	`96th percentile`

Description

Impact

Accepting the value of the of option of the .position() util from untrusted sources may execute untrusted code. For example, invoking the following code:
$( "#element" ).position( {
	my: "left top",
	at: "right bottom",
	of: "<img onerror='doEvilThing()' src='/404' />",
	collision: "none"
} );
will call the doEvilThing() function.

Patches

The issue is fixed in jQuery UI 1.13.0. Any string value passed to the of option is now treated as a CSS selector.

Workarounds

A workaround is to not accept the value of the of option from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.13.0`
Fixed version	`1.13.0`
CVSS Score	`6.5`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N`
EPSS Score	`2.921%`
EPSS Percentile	`86th percentile`

Description

Impact

Accepting the value of various *Text options of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker in the following way:
$( "#datepicker" ).datepicker( {
	showButtonPanel: true,
	showOn: "both",
	closeText: "<script>doEvilThing( 'closeText XSS' )</script>",
	currentText: "<script>doEvilThing( 'currentText XSS' )</script>",
	prevText: "<script>doEvilThing( 'prevText XSS' )</script>",
	nextText: "<script>doEvilThing( 'nextText XSS' )</script>",
	buttonText: "<script>doEvilThing( 'buttonText XSS' )</script>",
	appendText: "<script>doEvilThing( 'appendText XSS' )</script>",
} );
will call doEvilThing with 6 different parameters coming from all *Text options.

Patches

The issue is fixed in jQuery UI 1.13.0. The values passed to various *Text options are now always treated as pure text, not HTML.

Workarounds

A workaround is to not accept the value of the *Text options from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.13.0`
Fixed version	`1.13.0`
CVSS Score	`6.5`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N`
EPSS Score	`24.078%`
EPSS Percentile	`96th percentile`

Description

Impact

Accepting the value of the altField option of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker in the following way:
$( "#datepicker" ).datepicker( {
	altField: "<img onerror='doEvilThing()' src='/404' />",
} );
will call the doEvilThing function.

Patches

The issue is fixed in jQuery UI 1.13.0. Any string value passed to the altField option is now treated as a CSS selector.

Workarounds

A workaround is to not accept the value of the altField option from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.13.2`
Fixed version	`1.13.2`
CVSS Score	`6.1`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N`
EPSS Score	`10.183%`
EPSS Percentile	`93rd percentile`

Description

Impact

Initializing a checkboxradio widget on an input enclosed within a label makes that parent label contents considered as the input label. If you call .checkboxradio( "refresh" ) on such a widget and the initial HTML contained encoded HTML entities, they will erroneously get decoded. This can lead to potentially executing JavaScript code.

For example, starting with the following initial secure HTML:
<label>
	<input id="test-input">
	&lt;img src=x onerror="alert(1)"&gt;
</label>
and calling:
$( "#test-input" ).checkboxradio();
$( "#test-input" ).checkboxradio( "refresh" );
will turn the initial HTML into:
<label>
	
	<input id="test-input">
	<img src=x onerror="alert(1)">
</label>
and the alert will get executed.

Patches

The bug has been patched in jQuery UI 1.13.2.

Workarounds

To remediate the issue, if you can change the initial HTML, you can wrap all the non-input contents of the label in a span:
<label>
	<input id="test-input">
	<span>&lt;img src=x onerror="alert(1)"&gt;</span>
</label>
References

https://blog.jqueryui.com/2022/07/jquery-ui-1-13-2-released/

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.12.0`
Fixed version	`1.12.0`
CVSS Score	`6.1`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N`
EPSS Score	`1.397%`
EPSS Percentile	`80th percentile`

Description

Affected versions of jquery-ui are vulnerable to a cross-site scripting vulnerability when arbitrary user input is supplied as the value of the closeText parameter in the dialog function.

jQuery-UI is a library for manipulating UI elements via jQuery.

Version 1.11.4 has a cross site scripting (XSS) vulnerability in the closeText parameter of the dialog function. If your application passes user input to this parameter, it may be vulnerable to XSS via this attack vector.

Recommendation

Upgrade to jQuery-UI 1.12.0 or later.

OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

Affected range	`<=1.11.4`
Fixed version	`1.12.0`

Description

jQuery-UI has a cross site scripting (XSS) vulnerability in the closeText parameter of the dialog function. If your application passes user input to this parameter, it may be vulnerable to XSS via this attack vector.

github-actions · 2026-04-19T09:11:22Z

Recommended fixes for image (linux/riscv64) `ghcr.io/jlp04/elevation-generator:test`

Base image is debian:latest

Name	13.4
Digest	sha256:47d044b8fd14b3d84b55875aec5fd6eda38f2a975ab4cedd2130f128f4a8b978
Vulnerabilities
Pushed	1 week ago
Size	48 MB
Packages	109
OS	13.4

The base image is also available under the supported tag(s): 13, 13.4, trixie, trixie-20260406

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

✅ There are no tag recommendations at this time.

github-actions · 2026-04-19T09:11:49Z

Overview

Image reference	`jlp04/elevation-generator:latest`	`ghcr.io/jlp04/elevation-generator:test`
- digest	`a41d298236ad`	`98f66431db2a`
- tag	`latest`	`test`
- provenance	https://github.com/JLP04/docker-elevation-generator.git#refs/pull/18/merge/commit/2b22b04b7db9dc1f4a130273da4314a7df2ed702	https://github.com/JLP04/docker-elevation-generator.git#afa985114c1e84627e03e8f53f37461a8b191f40/commit/afa985114c1e84627e03e8f53f37461a8b191f40
- vulnerabilities
- platform	linux/riscv64	linux/riscv64
- size	9.4 GB	9.4 GB (+19 kB)
- packages	950	950
Base Image	`debian:latest` also known as: • `13` • `13.4` • `trixie` • `trixie-20260406`	`debian:latest` also known as: • `13` • `13.4` • `trixie` • `trixie-20260406`
- vulnerabilities

Packages and Vulnerabilities (2 package changes and 0 vulnerability changes)

♾️ 2 packages changed

597 packages unchanged

Changes for packages of type deb (2 changes)

	Package	Version `jlp04/elevation-generator:latest`	Version `ghcr.io/jlp04/elevation-generator:test`
♾️	libgdk-pixbuf-2.0-0	`2.42.12+dfsg-4`	`2.42.12+dfsg-4+deb13u1`
♾️	libgdk-pixbuf2.0-common	`2.42.12+dfsg-4`	`2.42.12+dfsg-4+deb13u1`

github-actions · 2026-04-19T09:12:11Z


Your image	`ghcr.io/jlp04/elevation-generator:test`
Current base image	`debian:latest`

github-actions · 2026-04-19T09:12:16Z

🔍 Vulnerabilities of `ghcr.io/jlp04/elevation-generator:test`

📦 Image Reference ghcr.io/jlp04/elevation-generator:test

digest	`sha256:397c5733d66692ff77e947ca64bbbb1384e10ffb26a1de49b3532184ddba5f93`
vulnerabilities
platform	linux/s390x
size	9.5 GB
packages	949

📦 Base Image debian:13

also known as	`13.4` `latest` `trixie` `trixie-20260406`
digest	`sha256:28a83b3d7d0a1e827c4e7f9c464ff48d8578f2f379de822e88b481324c244b72`
vulnerabilities

stdlib 1.25.0 (golang)

pkg:golang/stdlib@1.25.0

# Dockerfile (255:255)
RUN set -o pipefail && curl https://getcroc.schollz.com | bash || curl https://getcroc.schollz.com | sed 's^croc_base_url="https://github.com/schollz/croc/releases/download"^croc_base_url="file://"^g' | bash

Affected range	`>=1.25.0-0 <1.25.7`
Fixed version	`1.25.7`
EPSS Score	`0.018%`
EPSS Percentile	`4th percentile`

Description

During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed. This may happen when a user calls Config.Clone and mutates the returned Config, or uses Config.GetConfigForClient. This can cause a client to resume a session with a server that it would not have resumed with during the initial handshake, or cause a server to resume a session with a client that it would not have resumed with during the initial handshake.

Affected range	`<1.25.9`
Fixed version	`1.25.9`
EPSS Score	`0.015%`
EPSS Percentile	`3rd percentile`

Description

If one side of the TLS connection sends multiple key update messages post-handshake in a single record, the connection can deadlock, causing uncontrolled consumption of resources. This can lead to a denial of service.

This only affects TLS 1.3.

Affected range	`<1.25.9`
Fixed version	`1.25.9`
EPSS Score	`0.018%`
EPSS Percentile	`4th percentile`

Description

Validating certificate chains which use policies is unexpectedly inefficient when certificates in the chain contain a very large number of policy mappings, possibly causing denial of service.

This only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Roots CertPool, or in the system certificate pool.

Affected range	`<1.25.9`
Fixed version	`1.25.9`
EPSS Score	`0.017%`
EPSS Percentile	`4th percentile`

Description

During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions.Intermediates, which can lead to a denial of service. This affects both direct users of crypto/x509 and users of crypto/tls.

Affected range	`<1.25.8`
Fixed version	`1.25.8`
EPSS Score	`0.033%`
EPSS Percentile	`10th percentile`

Description

url.Parse insufficiently validated the host/authority component and accepted some invalid URLs.

Affected range	`>=1.25.0 <1.25.5`
Fixed version	`1.25.5`
EPSS Score	`0.023%`
EPSS Percentile	`6th percentile`

Description

Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a malicious actor can result in excessive resource consumption.

Affected range	`>=1.25.0 <1.25.6`
Fixed version	`1.25.6`
EPSS Score	`0.034%`
EPSS Percentile	`10th percentile`

Description

The net/url package does not set a limit on the number of query parameters in a query.

While the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse large URL-encoded forms. Parsing a large form containing many unique query parameters can cause excessive memory consumption.

Affected range	`>=1.25.0 <1.25.2`
Fixed version	`1.25.2`
EPSS Score	`0.040%`
EPSS Percentile	`12th percentile`

Description

The ParseAddress function constructs domain-literal address components through repeated string concatenation. When parsing large domain-literal components, this can cause excessive CPU consumption.

Affected range	`>=1.25.0 <1.25.2`
Fixed version	`1.25.2`
EPSS Score	`0.039%`
EPSS Percentile	`11th percentile`

Description

The processing time for parsing some invalid inputs scales non-linearly with respect to the size of the input.

This affects programs which parse untrusted PEM inputs.

Affected range	`>=1.25.0 <1.25.2`
Fixed version	`1.25.2`
EPSS Score	`0.009%`
EPSS Percentile	`1st percentile`

Description

Validating certificate chains which contain DSA public keys can cause programs to panic, due to a interface cast that assumes they implement the Equal method.

This affects programs which validate arbitrary certificate chains.

Affected range	`>=1.25.0 <1.25.3`
Fixed version	`1.25.3`
EPSS Score	`0.018%`
EPSS Percentile	`5th percentile`

Description

Due to the design of the name constraint checking algorithm, the processing time of some inputs scale non-linearly with respect to the size of the certificate.

This affects programs which validate arbitrary certificate chains.

Affected range	`>=1.25.0 <1.25.6`
Fixed version	`1.25.6`
EPSS Score	`0.019%`
EPSS Percentile	`5th percentile`

Description

archive/zip uses a super-linear file name indexing algorithm that is invoked the first time a file in an archive is opened. This can lead to a denial of service when consuming a maliciously constructed ZIP archive.

Affected range	`>=1.25.0 <1.25.5`
Fixed version	`1.25.5`
EPSS Score	`0.011%`
EPSS Percentile	`1st percentile`

Description

An excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard SANs in the leaf certificate. For example a constraint that excludes the subdomain test.example.com does not prevent a leaf certificate from claiming the SAN *.example.com.

Affected range	`<1.25.9`
Fixed version	`1.25.9`
EPSS Score	`0.008%`
EPSS Percentile	`1st percentile`

Description

On Linux, if the target of Root.Chmod is replaced with a symlink while the chmod operation is in progress, Chmod can operate on the target of the symlink, even when the target lies outside the root.

The Linux fchmodat syscall silently ignores the AT_SYMLINK_NOFOLLOW flag, which Root.Chmod uses to avoid symlink traversal. Root.Chmod checks its target before acting and returns an error if the target is a symlink lying outside the root, so the impact is limited to cases where the target is replaced with a symlink between the check and operation.

Affected range	`<1.25.9`
Fixed version	`1.25.9`
EPSS Score	`0.010%`
EPSS Percentile	`1st percentile`

Description

Context was not properly tracked across template branches for JS template literals, leading to possibly incorrect escaping of content when branches were used. Additionally template actions within JS template literals did not properly track the brace depth, leading to incorrect escaping being applied.

These issues could cause actions within JS template literals to be incorrectly or improperly escaped, leading to XSS vulnerabilities.

Affected range	`<1.25.8`
Fixed version	`1.25.8`
EPSS Score	`0.012%`
EPSS Percentile	`2nd percentile`

Description

Actions which insert URLs into the content attribute of HTML meta tags are not escaped. This can allow XSS if the meta tag also has an http-equiv attribute with the value "refresh".

A new GODEBUG setting has been added, htmlmetacontenturlescape, which can be used to disable escaping URLs in actions in the meta content attribute which follow "url=" by setting htmlmetacontenturlescape=0.

Affected range	`<1.25.9`
Fixed version	`1.25.9`
EPSS Score	`0.004%`
EPSS Percentile	`0th percentile`

Description

tar.Reader can allocate an unbounded amount of memory when reading a maliciously-crafted archive containing a large number of sparse regions encoded in the "old GNU sparse map" format.

Affected range	`>=1.25.0 <1.25.1`
Fixed version	`1.25.1`
EPSS Score	`0.012%`
EPSS Percentile	`2nd percentile`

Description

When using http.CrossOriginProtection, the AddInsecureBypassPattern method can unexpectedly bypass more requests than intended. CrossOriginProtection then skips validation, but forwards the original request path, which may be served by a different handler without the intended security protections.

Affected range	`>=1.25.0 <1.25.6`
Fixed version	`1.25.6`
EPSS Score	`0.009%`
EPSS Percentile	`1st percentile`

Description

During the TLS 1.3 handshake if multiple messages are sent in records that span encryption level boundaries (for instance the Client Hello and Encrypted Extensions messages), the subsequent messages may be processed before the encryption level changes. This can cause some minor information disclosure if a network-local attacker can inject messages during the handshake.

Affected range	`>=1.25.0 <1.25.2`
Fixed version	`1.25.2`
EPSS Score	`0.021%`
EPSS Percentile	`6th percentile`

Description

The Reader.ReadResponse function constructs a response string through repeated string concatenation of lines. When the number of lines in a response is large, this can cause excessive CPU consumption.

Affected range	`>=1.25.0 <1.25.2`
Fixed version	`1.25.2`
EPSS Score	`0.012%`
EPSS Percentile	`2nd percentile`

Description

When Conn.Handshake fails during ALPN negotiation the error contains attacker controlled information (the ALPN protocols sent by the client) which is not escaped.

Affected range	`>=1.25.0 <1.25.2`
Fixed version	`1.25.2`
EPSS Score	`0.037%`
EPSS Percentile	`11th percentile`

Description

Despite HTTP headers having a default limit of 1MB, the number of cookies that can be parsed does not have a limit. By sending a lot of very small cookies such as "a=;", an attacker can make an HTTP server allocate a large amount of structs, causing large memory consumption.

Affected range	`>=1.25.0 <1.25.2`
Fixed version	`1.25.2`
EPSS Score	`0.031%`
EPSS Percentile	`9th percentile`

Description

Parsing a maliciously crafted DER payload could allocate large amounts of memory, causing memory exhaustion.

Affected range	`>=1.25.0 <1.25.2`
Fixed version	`1.25.2`
EPSS Score	`0.022%`
EPSS Percentile	`6th percentile`

Description

The Parse function permits values other than IPv6 addresses to be included in square brackets within the host component of a URL. RFC 3986 permits IPv6 addresses to be included within the host component, enclosed within square brackets. For example: "http://[::1]/". IPv4 addresses and hostnames must not appear within square brackets. Parse did not enforce this requirement.

Affected range	`>=1.25.0 <1.25.2`
Fixed version	`1.25.2`
EPSS Score	`0.017%`
EPSS Percentile	`4th percentile`

Description

tar.Reader does not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A maliciously-crafted archive containing a large number of sparse regions can cause a Reader to read an unbounded amount of data from the archive into memory. When reading from a compressed source, a small compressed input can result in large allocations.

Affected range	`<1.25.8`
Fixed version	`1.25.8`
EPSS Score	`0.005%`
EPSS Percentile	`0th percentile`

Description

On Unix platforms, when listing the contents of a directory using File.ReadDir or File.Readdir the returned FileInfo could reference a file outside of the Root in which the File was opened.

The impact of this escape is limited to reading metadata provided by lstat from arbitrary locations on the filesystem without permitting reading or writing files outside the root.

jquery-ui 1.11.2 (npm)

pkg:npm/jquery-ui@1.11.2

# Dockerfile (241:241)
COPY --from=build /tmp/install /flightgear/script/dnc-managed/install

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.13.0`
Fixed version	`1.13.0`
CVSS Score	`6.5`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N`
EPSS Score	`25.367%`
EPSS Percentile	`96th percentile`

Description

Impact

Accepting the value of the of option of the .position() util from untrusted sources may execute untrusted code. For example, invoking the following code:
$( "#element" ).position( {
	my: "left top",
	at: "right bottom",
	of: "<img onerror='doEvilThing()' src='/404' />",
	collision: "none"
} );
will call the doEvilThing() function.

Patches

The issue is fixed in jQuery UI 1.13.0. Any string value passed to the of option is now treated as a CSS selector.

Workarounds

A workaround is to not accept the value of the of option from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.13.0`
Fixed version	`1.13.0`
CVSS Score	`6.5`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N`
EPSS Score	`2.921%`
EPSS Percentile	`86th percentile`

Description

Impact

Accepting the value of various *Text options of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker in the following way:
$( "#datepicker" ).datepicker( {
	showButtonPanel: true,
	showOn: "both",
	closeText: "<script>doEvilThing( 'closeText XSS' )</script>",
	currentText: "<script>doEvilThing( 'currentText XSS' )</script>",
	prevText: "<script>doEvilThing( 'prevText XSS' )</script>",
	nextText: "<script>doEvilThing( 'nextText XSS' )</script>",
	buttonText: "<script>doEvilThing( 'buttonText XSS' )</script>",
	appendText: "<script>doEvilThing( 'appendText XSS' )</script>",
} );
will call doEvilThing with 6 different parameters coming from all *Text options.

Patches

The issue is fixed in jQuery UI 1.13.0. The values passed to various *Text options are now always treated as pure text, not HTML.

Workarounds

A workaround is to not accept the value of the *Text options from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.13.0`
Fixed version	`1.13.0`
CVSS Score	`6.5`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N`
EPSS Score	`24.078%`
EPSS Percentile	`96th percentile`

Description

Impact

Accepting the value of the altField option of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker in the following way:
$( "#datepicker" ).datepicker( {
	altField: "<img onerror='doEvilThing()' src='/404' />",
} );
will call the doEvilThing function.

Patches

The issue is fixed in jQuery UI 1.13.0. Any string value passed to the altField option is now treated as a CSS selector.

Workarounds

A workaround is to not accept the value of the altField option from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.13.2`
Fixed version	`1.13.2`
CVSS Score	`6.1`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N`
EPSS Score	`10.183%`
EPSS Percentile	`93rd percentile`

Description

Impact

Initializing a checkboxradio widget on an input enclosed within a label makes that parent label contents considered as the input label. If you call .checkboxradio( "refresh" ) on such a widget and the initial HTML contained encoded HTML entities, they will erroneously get decoded. This can lead to potentially executing JavaScript code.

For example, starting with the following initial secure HTML:
<label>
	<input id="test-input">
	&lt;img src=x onerror="alert(1)"&gt;
</label>
and calling:
$( "#test-input" ).checkboxradio();
$( "#test-input" ).checkboxradio( "refresh" );
will turn the initial HTML into:
<label>
	
	<input id="test-input">
	<img src=x onerror="alert(1)">
</label>
and the alert will get executed.

Patches

The bug has been patched in jQuery UI 1.13.2.

Workarounds

To remediate the issue, if you can change the initial HTML, you can wrap all the non-input contents of the label in a span:
<label>
	<input id="test-input">
	<span>&lt;img src=x onerror="alert(1)"&gt;</span>
</label>
References

https://blog.jqueryui.com/2022/07/jquery-ui-1-13-2-released/

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range	`<1.12.0`
Fixed version	`1.12.0`
CVSS Score	`6.1`
CVSS Vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N`
EPSS Score	`1.397%`
EPSS Percentile	`80th percentile`

Description

Affected versions of jquery-ui are vulnerable to a cross-site scripting vulnerability when arbitrary user input is supplied as the value of the closeText parameter in the dialog function.

jQuery-UI is a library for manipulating UI elements via jQuery.

Version 1.11.4 has a cross site scripting (XSS) vulnerability in the closeText parameter of the dialog function. If your application passes user input to this parameter, it may be vulnerable to XSS via this attack vector.

Recommendation

Upgrade to jQuery-UI 1.12.0 or later.

OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

Affected range	`<=1.11.4`
Fixed version	`1.12.0`

Description

jQuery-UI has a cross site scripting (XSS) vulnerability in the closeText parameter of the dialog function. If your application passes user input to this parameter, it may be vulnerable to XSS via this attack vector.

github-actions · 2026-04-19T09:12:19Z

Recommended fixes for image (linux/s390x) `ghcr.io/jlp04/elevation-generator:test`

Base image is debian:latest

Name	13.4
Digest	sha256:28a83b3d7d0a1e827c4e7f9c464ff48d8578f2f379de822e88b481324c244b72
Vulnerabilities
Pushed	1 week ago
Size	49 MB
Packages	111
OS	13.4

The base image is also available under the supported tag(s): 13, 13.4, trixie, trixie-20260406

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

✅ There are no tag recommendations at this time.

github-actions · 2026-04-19T09:12:46Z

Overview

Image reference	`jlp04/elevation-generator:latest`	`ghcr.io/jlp04/elevation-generator:test`
- digest	`77df89e31edb`	`397c5733d666`
- tag	`latest`	`test`
- provenance	https://github.com/JLP04/docker-elevation-generator.git#refs/pull/18/merge/commit/2b22b04b7db9dc1f4a130273da4314a7df2ed702	https://github.com/JLP04/docker-elevation-generator.git#afa985114c1e84627e03e8f53f37461a8b191f40/commit/afa985114c1e84627e03e8f53f37461a8b191f40
- vulnerabilities
- platform	linux/s390x	linux/s390x
- size	9.5 GB	9.5 GB (+22 kB)
- packages	949	949
Base Image	`debian:latest` also known as: • `13` • `13.4` • `trixie` • `trixie-20260406`	`debian:latest` also known as: • `13` • `13.4` • `trixie` • `trixie-20260406`
- vulnerabilities

Packages and Vulnerabilities (2 package changes and 0 vulnerability changes)

♾️ 2 packages changed

594 packages unchanged

Changes for packages of type deb (2 changes)

	Package	Version `jlp04/elevation-generator:latest`	Version `ghcr.io/jlp04/elevation-generator:test`
♾️	libgdk-pixbuf-2.0-0	`2.42.12+dfsg-4`	`2.42.12+dfsg-4+deb13u1`
♾️	libgdk-pixbuf2.0-common	`2.42.12+dfsg-4`	`2.42.12+dfsg-4+deb13u1`

dependabot Bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels Feb 27, 2026

dependabot Bot mentioned this pull request Feb 27, 2026

Bump actions/upload-artifact from 5 to 6 #11

Closed

JLP04 added the run-ci-pr This triggers the ci-pr workflow to be run on a given pull request label Apr 9, 2026

JLP04 approved these changes Apr 9, 2026

View reviewed changes

JLP04 removed the run-ci-pr This triggers the ci-pr workflow to be run on a given pull request label Apr 12, 2026

dependabot Bot force-pushed the dependabot/github_actions/actions/upload-artifact-7 branch from 7e9f5d9 to 2200e1f Compare April 12, 2026 13:53

JLP04 added run-ci-pr This triggers the ci-pr workflow to be run on a given pull request and removed run-ci-pr This triggers the ci-pr workflow to be run on a given pull request labels Apr 12, 2026

JLP04 added pr-pull This PR is ready to be merged, and the changes within are ready to be promoted to the `latest` tag and removed pr-pull This PR is ready to be merged, and the changes within are ready to be promoted to the `latest` tag labels Apr 20, 2026

Conversation

dependabot Bot commented on behalf of github Feb 27, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

v7.0.0

v7 What's new

Direct Uploads

ESM

What's Changed

New Contributors

v6.0.0

v6 - What's new

Node.js 24

What's Changed

Uh oh!

JLP04 left a comment

Choose a reason for hiding this comment

Uh oh!

JLP04 commented Apr 12, 2026

Uh oh!

github-actions Bot commented Apr 19, 2026

Uh oh!

github-actions Bot commented Apr 19, 2026

🔍 Vulnerabilities of ghcr.io/jlp04/elevation-generator:test

Impact

Patches

Workarounds

For more information

Impact

Patches

Workarounds

For more information

Impact

Patches

Workarounds

For more information

Impact

Patches

Workarounds

References

For more information

Recommendation

Uh oh!

github-actions Bot commented Apr 19, 2026

Recommended fixes for image (linux/386) ghcr.io/jlp04/elevation-generator:test

Refresh base image

Change base image

Uh oh!

github-actions Bot commented Apr 19, 2026

Overview

Uh oh!

github-actions Bot commented Apr 19, 2026

Uh oh!

github-actions Bot commented Apr 19, 2026

🔍 Vulnerabilities of ghcr.io/jlp04/elevation-generator:test

Impact

Patches

Workarounds

For more information

Impact

Patches

Workarounds

For more information

Impact

Patches

Workarounds

For more information

Impact

Patches

Workarounds

References

For more information

Recommendation

Uh oh!

github-actions Bot commented Apr 19, 2026

Recommended fixes for image (linux/amd64) ghcr.io/jlp04/elevation-generator:test

Refresh base image

Change base image

Uh oh!

github-actions Bot commented Apr 19, 2026

Overview

dependabot Bot commented on behalf of github Feb 27, 2026 •

edited

Loading

🔍 Vulnerabilities of `ghcr.io/jlp04/elevation-generator:test`

Recommended fixes for image (linux/386) `ghcr.io/jlp04/elevation-generator:test`

🔍 Vulnerabilities of `ghcr.io/jlp04/elevation-generator:test`

Recommended fixes for image (linux/amd64) `ghcr.io/jlp04/elevation-generator:test`

🔍 Vulnerabilities of `ghcr.io/jlp04/elevation-generator:test`

Recommended fixes for image (linux/arm/v5) `ghcr.io/jlp04/elevation-generator:test`

🔍 Vulnerabilities of `ghcr.io/jlp04/elevation-generator:test`

Recommended fixes for image (linux/arm/v7) `ghcr.io/jlp04/elevation-generator:test`