Skip to content

Add World Scenery 3.0#23

Merged
github-actions[bot] merged 2 commits into
mainfrom
ws30
Jun 30, 2026
Merged

Add World Scenery 3.0#23
github-actions[bot] merged 2 commits into
mainfrom
ws30

Conversation

@JLP04

@JLP04 JLP04 commented Jun 20, 2026

Copy link
Copy Markdown
Owner

Adds Support for World Scenery 3.0.

@github-actions

Copy link
Copy Markdown
Contributor
Your image ghcr.io/jlp04/elevation-generator:test critical: 8 high: 3 medium: 22 low: 45 unspecified: 6
Current base image debian:latest critical: 1 high: 2 medium: 3 low: 25 unspecified: 2

@github-actions

Copy link
Copy Markdown
Contributor

🔍 Vulnerabilities of ghcr.io/jlp04/elevation-generator:test

📦 Image Reference ghcr.io/jlp04/elevation-generator:test
digestsha256:4ef8686f3a33dda167ec1c5c98ff6f973a165c46c18d51337e923b711d706a05
vulnerabilitiescritical: 8 high: 3 medium: 16 low: 0 unspecified: 1
platformlinux/386
size9.5 GB
packages959
📦 Base Image debian:13
also known as
  • 13.5
  • latest
  • trixie
  • trixie-20260610
digestsha256:43a1b0313184cc462f1179148656274c09d389041ae7fdaa135cb5604e11c388
vulnerabilitiescritical: 1 high: 2 medium: 3 low: 25 unspecified: 2
critical: 7 high: 2 medium: 4 low: 0 golang.org/x/crypto 0.51.0 (golang)

pkg:golang/golang.org/x/crypto@0.51.0

# Dockerfile (272:272)
RUN set -o pipefail && curl https://getcroc.schollz.com | bash || curl https://getcroc.schollz.com | sed 's^croc_base_url="https://github.com/schollz/croc/releases/download"^croc_base_url="file://"^g' | bash

critical : CVE--2026--46595

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.319%
EPSS Percentile23rd percentile
Description

Previously, CVE-2024-45337 fixed an authorization bypass for misused ssh server configurations; if any other type of callback is passed other than public key, then the source-address validation would be skipped.

critical : CVE--2026--42508

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.305%
EPSS Percentile22nd percentile
Description

Previously, a revoked 'SignatureKey' belonging to a CA was not correctly checked for revocation. Now, both the 'key' and 'key.SignatureKey' are checked for @Revoked.

critical : CVE--2026--39834

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.392%
EPSS Percentile31st percentile
Description

When writing data larger than 4GB in a single Write call on an SSH channel, an integer overflow in the internal payload size calculation caused the write loop to spin indefinitely, sending empty packets without making progress. The size comparison now uses int64 to prevent truncation.

critical : CVE--2026--39833

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.299%
EPSS Percentile21st percentile
Description

The in-memory keyring returned by NewKeyring() silently accepted keys with the ConfirmBeforeUse constraint but never enforced it. The key would sign without any confirmation prompt, with no indication to the caller that the constraint was not in effect. NewKeyring() now returns an error when unsupported constraints are requested.

critical : CVE--2026--39832

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.330%
EPSS Percentile25th percentile
Description

When adding a key to a remote agent constraint extensions such as restrict-destination-v00@openssh.com were not serialized in the request. Destination restrictions were silently stripped when forwarding keys, allowing unrestricted use of the key on the remote host. The client now serializes all constraint extensions. Additionally, the in-memory keyring returned by NewKeyring() now rejects keys with unsupported constraint extensions instead of silently ignoring them.

critical : CVE--2026--39831

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.309%
EPSS Percentile22nd percentile
Description

The Verify() method for FIDO/U2F security key types (sk-ecdsa-sha2-nistp256@openssh.com, sk-ssh-ed25519@openssh.com) did not check the User Presence flag. Signatures generated without physical touch were accepted, allowing unattended use of a hardware security key. To restore the previous behavior, return a "no-touch-required" extension in Permissions.Extensions from PublicKeyCallback.

critical : CVE--2026--39830

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.313%
EPSS Percentile23rd percentile
Description

A malicious SSH peer could send unsolicited global request responses to fill an internal buffer, blocking the connection's read loop. The blocked goroutine could not be released by calling Close(), resulting in a resource leak per connection. Unsolicited global responses are now discarded.

high : CVE--2026--46597

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.378%
EPSS Percentile29th percentile
Description

An incorrectly placed cast from bytes to int allowed for server-side panic in the AES-GCM packet decoder for well-crafted inputs.

high : CVE--2026--39829

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.276%
EPSS Percentile19th percentile
Description

The RSA and DSA public key parsers did not enforce size limits on key parameters. A crafted public key with an excessively large modulus or DSA parameter could cause several minutes of CPU consumption during signature verification. This could be triggered by unauthenticated clients during public key authentication. RSA moduli are now limited to 8192 bits, and DSA parameters are validated per FIPS 186-2.

medium : CVE--2026--39827

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.204%
EPSS Percentile10th percentile
Description

An authenticated SSH client that repeatedly opened channels which were rejected by the server caused unbounded memory growth, eventually crashing the server process and affecting all connected users. Rejected channels are now properly removed from the connection's internal state and released for garbage collection.

medium : CVE--2026--39828

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.173%
EPSS Percentile7th percentile
Description

When an SSH server authentication callback returned PartialSuccessError with non-nil Permissions, those permissions were silently discarded, potentially dropping certificate restrictions such as force-command after a second factor succeeded. Returning non-nil Permissions with PartialSuccessError now results in a connection error.

medium : CVE--2026--46598

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.325%
EPSS Percentile24th percentile
Description

For certain crafted inputs, a 'ed25519.PrivateKey' was created by casting malformed wire bytes, leading to a panic when used.

medium : CVE--2026--39835

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.208%
EPSS Percentile11th percentile
Description

SSH servers which use CertChecker as a public key callback without setting IsUserAuthority or IsHostAuthority could be caused to panic by a client presenting a certificate. CertChecker now returns an error instead of panicking when these callbacks are nil.

critical: 1 high: 0 medium: 5 low: 0 golang.org/x/net 0.54.0 (golang)

pkg:golang/golang.org/x/net@0.54.0

# Dockerfile (272:272)
RUN set -o pipefail && curl https://getcroc.schollz.com | bash || curl https://getcroc.schollz.com | sed 's^croc_base_url="https://github.com/schollz/croc/releases/download"^croc_base_url="file://"^g' | bash

critical : CVE--2026--39821

Affected range<0.55.0
Fixed version0.55.0
EPSS Score0.359%
EPSS Percentile28th percentile
Description

The ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to an ASCII-only label. For example, ToUnicode("xn--example-.com") incorrectly returns the name "example.com" rather than an error.

This behavior can lead to privilege escalation in programs using the idna package. For example, a program which performs privilege checks on the ASCII hostname may reject "example.com" but permit "xn--example-.com". If that program subsequently converts the ASCII hostname to Unicode, it will inadvertently permits access to the Unicode name "example.com".

medium : CVE--2026--25680

Affected range<0.55.0
Fixed version0.55.0
EPSS Score0.340%
EPSS Percentile26th percentile
Description

Parsing arbitrary HTML can consume excessive CPU time, possibly leading to denial of service.

medium : CVE--2026--42506

Affected range<0.55.0
Fixed version0.55.0
EPSS Score0.249%
EPSS Percentile16th percentile
Description

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

medium : CVE--2026--42502

Affected range<0.55.0
Fixed version0.55.0
EPSS Score0.236%
EPSS Percentile14th percentile
Description

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

medium : CVE--2026--27136

Affected range<0.55.0
Fixed version0.55.0
EPSS Score0.236%
EPSS Percentile14th percentile
Description

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

medium : CVE--2026--25681

Affected range<0.55.0
Fixed version0.55.0
EPSS Score0.236%
EPSS Percentile14th percentile
Description

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

critical: 0 high: 1 medium: 2 low: 0 stdlib 1.25.10 (golang)

pkg:golang/stdlib@1.25.10

# Dockerfile (272:272)
RUN set -o pipefail && curl https://getcroc.schollz.com | bash || curl https://getcroc.schollz.com | sed 's^croc_base_url="https://github.com/schollz/croc/releases/download"^croc_base_url="file://"^g' | bash

high : CVE--2026--42504

Affected range<1.25.11
Fixed version1.25.11
EPSS Score0.384%
EPSS Percentile30th percentile
Description

Decoding a maliciously-crafted MIME header containing many invalid encoded-words can consume excessive CPU.

medium : CVE--2026--27145

Affected range<1.25.11
Fixed version1.25.11
EPSS Score0.325%
EPSS Percentile24th percentile
Description

(*x509.Certificate).VerifyHostname previously called matchHostnames in a loop over all DNS Subject Alternative Name (SAN) entries. This caused strings.Split(host, ".") to execute repeatedly on the same input hostname.

With a large DNS SAN list, verification costs scaled quadratically based on the number of SAN entries multiplied by the hostname's label count. Because x509.Verify validates hostnames before building the certificate chain, this overhead occurred even for untrusted certificates.

medium : CVE--2026--42507

Affected range<1.25.11
Fixed version1.25.11
EPSS Score0.263%
EPSS Percentile17th percentile
Description

When returning errors, functions in the net/textproto package would include its input as part of the error. This might allow an attacker to inject misleading content to errors that are printed or logged.

critical: 0 high: 0 medium: 5 low: 0 unspecified: 1jquery-ui 1.11.2 (npm)

pkg:npm/jquery-ui@1.11.2

# Dockerfile (258:258)
COPY --from=build /tmp/install /flightgear/script/dnc-managed/install

medium 6.5: CVE--2021--41184 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range<1.13.0
Fixed version1.13.0
CVSS Score6.5
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
EPSS Score42.847%
EPSS Percentile99th percentile
Description

Impact

Accepting the value of the of option of the .position() util from untrusted sources may execute untrusted code. For example, invoking the following code:

$( "#element" ).position( {
	my: "left top",
	at: "right bottom",
	of: "<img onerror='doEvilThing()' src='/404' />",
	collision: "none"
} );

will call the doEvilThing() function.

Patches

The issue is fixed in jQuery UI 1.13.0. Any string value passed to the of option is now treated as a CSS selector.

Workarounds

A workaround is to not accept the value of the of option from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

medium 6.5: CVE--2021--41183 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range<1.13.0
Fixed version1.13.0
CVSS Score6.5
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
EPSS Score7.948%
EPSS Percentile94th percentile
Description

Impact

Accepting the value of various *Text options of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker in the following way:

$( "#datepicker" ).datepicker( {
	showButtonPanel: true,
	showOn: "both",
	closeText: "<script>doEvilThing( 'closeText XSS' )</script>",
	currentText: "<script>doEvilThing( 'currentText XSS' )</script>",
	prevText: "<script>doEvilThing( 'prevText XSS' )</script>",
	nextText: "<script>doEvilThing( 'nextText XSS' )</script>",
	buttonText: "<script>doEvilThing( 'buttonText XSS' )</script>",
	appendText: "<script>doEvilThing( 'appendText XSS' )</script>",
} );

will call doEvilThing with 6 different parameters coming from all *Text options.

Patches

The issue is fixed in jQuery UI 1.13.0. The values passed to various *Text options are now always treated as pure text, not HTML.

Workarounds

A workaround is to not accept the value of the *Text options from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

medium 6.5: CVE--2021--41182 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range<1.13.0
Fixed version1.13.0
CVSS Score6.5
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
EPSS Score37.788%
EPSS Percentile98th percentile
Description

Impact

Accepting the value of the altField option of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker in the following way:

$( "#datepicker" ).datepicker( {
	altField: "<img onerror='doEvilThing()' src='/404' />",
} );

will call the doEvilThing function.

Patches

The issue is fixed in jQuery UI 1.13.0. Any string value passed to the altField option is now treated as a CSS selector.

Workarounds

A workaround is to not accept the value of the altField option from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

medium 6.1: CVE--2022--31160 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range<1.13.2
Fixed version1.13.2
CVSS Score6.1
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS Score1.895%
EPSS Percentile77th percentile
Description

Impact

Initializing a checkboxradio widget on an input enclosed within a label makes that parent label contents considered as the input label. If you call .checkboxradio( "refresh" ) on such a widget and the initial HTML contained encoded HTML entities, they will erroneously get decoded. This can lead to potentially executing JavaScript code.

For example, starting with the following initial secure HTML:

<label>
	<input id="test-input">
	&lt;img src=x onerror="alert(1)"&gt;
</label>

and calling:

$( "#test-input" ).checkboxradio();
$( "#test-input" ).checkboxradio( "refresh" );

will turn the initial HTML into:

<label>
	<!-- some jQuery UI elements -->
	<input id="test-input">
	<img src=x onerror="alert(1)">
</label>

and the alert will get executed.

Patches

The bug has been patched in jQuery UI 1.13.2.

Workarounds

To remediate the issue, if you can change the initial HTML, you can wrap all the non-input contents of the label in a span:

<label>
	<input id="test-input">
	<span>&lt;img src=x onerror="alert(1)"&gt;</span>
</label>

References

https://blog.jqueryui.com/2022/07/jquery-ui-1-13-2-released/

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

medium 6.1: CVE--2016--7103 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range<1.12.0
Fixed version1.12.0
CVSS Score6.1
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS Score22.580%
EPSS Percentile97th percentile
Description

Affected versions of jquery-ui are vulnerable to a cross-site scripting vulnerability when arbitrary user input is supplied as the value of the closeText parameter in the dialog function.

jQuery-UI is a library for manipulating UI elements via jQuery.

Version 1.11.4 has a cross site scripting (XSS) vulnerability in the closeText parameter of the dialog function. If your application passes user input to this parameter, it may be vulnerable to XSS via this attack vector.

Recommendation

Upgrade to jQuery-UI 1.12.0 or later.

unspecified : GMS--2016--46 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

Affected range<=1.11.4
Fixed version1.12.0
Description

jQuery-UI has a cross site scripting (XSS) vulnerability in the closeText parameter of the dialog function. If your application passes user input to this parameter, it may be vulnerable to XSS via this attack vector.

@github-actions

github-actions Bot commented Jun 20, 2026

Copy link
Copy Markdown
Contributor

Recommended fixes for image (linux/386) ghcr.io/jlp04/elevation-generator:test

Base image is debian:latest

Name13.5
Digestsha256:43a1b0313184cc462f1179148656274c09d389041ae7fdaa135cb5604e11c388
Vulnerabilitiescritical: 1 high: 2 medium: 3 low: 25 unspecified: 2
Pushed1 week ago
Size51 MB
Packages111
OS13.5
The base image is also available under the supported tag(s): 13, 13.5, trixie, trixie-20260610

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

✅ There are no tag recommendations at this time.

@github-actions

github-actions Bot commented Jun 20, 2026

Copy link
Copy Markdown
Contributor

Overview

Image reference jlp04/elevation-generator:latest ghcr.io/jlp04/elevation-generator:test
- digest be5343bb71f8 4ef8686f3a33
- tag latest test
- provenance https://github.com/JLP04/docker-elevation-generator.git#refs/pull/22/merge/commit/cd8b4c4083ec1132f53a4cf2f5f3429b4c81655d https://github.com/JLP04/docker-elevation-generator.git#refs/pull/23/merge/commit/6e35d695e714545d0541d342e7ad15f649cdf8dd
- vulnerabilities critical: 8 high: 4 medium: 22 low: 45 unspecified: 6 critical: 8 high: 3 medium: 22 low: 45 unspecified: 6
- platform linux/386 linux/386
- size 9.5 GB 9.5 GB (+149 kB)
- packages 959 959
Base Image debian:latest
also known as:
13
13.5
trixie
debian:latest
also known as:
13
13.5
trixie
trixie-20260610
- vulnerabilities critical: 1 high: 6 medium: 4 low: 35 unspecified: 2 critical: 1 high: 2 medium: 3 low: 25 unspecified: 2
Packages and Vulnerabilities (9 package changes and 1 vulnerability changes)
  • ♾️ 9 packages changed
  • 595 packages unchanged
  • ✔️ 1 vulnerabilities removed
Changes for packages of type deb (9 changes)
Package Version
jlp04/elevation-generator:latest
Version
ghcr.io/jlp04/elevation-generator:test
♾️ libinput-bin 1.28.1-1 1.28.1-1+deb13u1
♾️ libinput-dev 1.28.1-1 1.28.1-1+deb13u1
♾️ libinput10 1.28.1-1 1.28.1-1+deb13u1
critical: 0 high: 1 medium: 0 low: 0
Removed vulnerabilities (1):
  • high : CVE--2026--50292
♾️ libjxl0.11 0.11.2-0.1~deb13u1 0.11.2-0.1~deb13u2
♾️ librabbitmq4 0.15.0-1 0.15.0-1+deb13u1
♾️ libssl-dev 3.5.6-1~deb13u1 3.5.6-1~deb13u2
♾️ libssl3t64 3.5.6-1~deb13u1 3.5.6-1~deb13u2
♾️ openssl 3.5.6-1~deb13u1 3.5.6-1~deb13u2
♾️ openssl-provider-legacy 3.5.6-1~deb13u1 3.5.6-1~deb13u2

@github-actions

Copy link
Copy Markdown
Contributor
Your image ghcr.io/jlp04/elevation-generator:test critical: 8 high: 3 medium: 22 low: 45 unspecified: 6
Current base image debian:latest critical: 1 high: 2 medium: 3 low: 25 unspecified: 2

@github-actions

Copy link
Copy Markdown
Contributor

🔍 Vulnerabilities of ghcr.io/jlp04/elevation-generator:test

📦 Image Reference ghcr.io/jlp04/elevation-generator:test
digestsha256:4699039684ad6ae25e4e6ac88c843ba66fac754367570c0b69c4c1b467abe984
vulnerabilitiescritical: 8 high: 3 medium: 16 low: 0 unspecified: 1
platformlinux/amd64
size9.4 GB
packages963
📦 Base Image debian:13
also known as
  • 13.5
  • latest
  • trixie
  • trixie-20260610
digestsha256:ed49f2fa955a92dd859d7e2bdd101138b6db7ca855af572212d910d4e1445cc2
vulnerabilitiescritical: 1 high: 2 medium: 3 low: 25 unspecified: 2
critical: 7 high: 2 medium: 4 low: 0 golang.org/x/crypto 0.51.0 (golang)

pkg:golang/golang.org/x/crypto@0.51.0

# Dockerfile (272:272)
RUN set -o pipefail && curl https://getcroc.schollz.com | bash || curl https://getcroc.schollz.com | sed 's^croc_base_url="https://github.com/schollz/croc/releases/download"^croc_base_url="file://"^g' | bash

critical : CVE--2026--46595

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.319%
EPSS Percentile23rd percentile
Description

Previously, CVE-2024-45337 fixed an authorization bypass for misused ssh server configurations; if any other type of callback is passed other than public key, then the source-address validation would be skipped.

critical : CVE--2026--42508

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.305%
EPSS Percentile22nd percentile
Description

Previously, a revoked 'SignatureKey' belonging to a CA was not correctly checked for revocation. Now, both the 'key' and 'key.SignatureKey' are checked for @Revoked.

critical : CVE--2026--39834

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.392%
EPSS Percentile31st percentile
Description

When writing data larger than 4GB in a single Write call on an SSH channel, an integer overflow in the internal payload size calculation caused the write loop to spin indefinitely, sending empty packets without making progress. The size comparison now uses int64 to prevent truncation.

critical : CVE--2026--39833

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.299%
EPSS Percentile21st percentile
Description

The in-memory keyring returned by NewKeyring() silently accepted keys with the ConfirmBeforeUse constraint but never enforced it. The key would sign without any confirmation prompt, with no indication to the caller that the constraint was not in effect. NewKeyring() now returns an error when unsupported constraints are requested.

critical : CVE--2026--39832

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.330%
EPSS Percentile25th percentile
Description

When adding a key to a remote agent constraint extensions such as restrict-destination-v00@openssh.com were not serialized in the request. Destination restrictions were silently stripped when forwarding keys, allowing unrestricted use of the key on the remote host. The client now serializes all constraint extensions. Additionally, the in-memory keyring returned by NewKeyring() now rejects keys with unsupported constraint extensions instead of silently ignoring them.

critical : CVE--2026--39831

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.309%
EPSS Percentile22nd percentile
Description

The Verify() method for FIDO/U2F security key types (sk-ecdsa-sha2-nistp256@openssh.com, sk-ssh-ed25519@openssh.com) did not check the User Presence flag. Signatures generated without physical touch were accepted, allowing unattended use of a hardware security key. To restore the previous behavior, return a "no-touch-required" extension in Permissions.Extensions from PublicKeyCallback.

critical : CVE--2026--39830

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.313%
EPSS Percentile23rd percentile
Description

A malicious SSH peer could send unsolicited global request responses to fill an internal buffer, blocking the connection's read loop. The blocked goroutine could not be released by calling Close(), resulting in a resource leak per connection. Unsolicited global responses are now discarded.

high : CVE--2026--46597

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.378%
EPSS Percentile29th percentile
Description

An incorrectly placed cast from bytes to int allowed for server-side panic in the AES-GCM packet decoder for well-crafted inputs.

high : CVE--2026--39829

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.276%
EPSS Percentile19th percentile
Description

The RSA and DSA public key parsers did not enforce size limits on key parameters. A crafted public key with an excessively large modulus or DSA parameter could cause several minutes of CPU consumption during signature verification. This could be triggered by unauthenticated clients during public key authentication. RSA moduli are now limited to 8192 bits, and DSA parameters are validated per FIPS 186-2.

medium : CVE--2026--39827

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.204%
EPSS Percentile10th percentile
Description

An authenticated SSH client that repeatedly opened channels which were rejected by the server caused unbounded memory growth, eventually crashing the server process and affecting all connected users. Rejected channels are now properly removed from the connection's internal state and released for garbage collection.

medium : CVE--2026--39828

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.173%
EPSS Percentile7th percentile
Description

When an SSH server authentication callback returned PartialSuccessError with non-nil Permissions, those permissions were silently discarded, potentially dropping certificate restrictions such as force-command after a second factor succeeded. Returning non-nil Permissions with PartialSuccessError now results in a connection error.

medium : CVE--2026--46598

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.325%
EPSS Percentile24th percentile
Description

For certain crafted inputs, a 'ed25519.PrivateKey' was created by casting malformed wire bytes, leading to a panic when used.

medium : CVE--2026--39835

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.208%
EPSS Percentile11th percentile
Description

SSH servers which use CertChecker as a public key callback without setting IsUserAuthority or IsHostAuthority could be caused to panic by a client presenting a certificate. CertChecker now returns an error instead of panicking when these callbacks are nil.

critical: 1 high: 0 medium: 5 low: 0 golang.org/x/net 0.54.0 (golang)

pkg:golang/golang.org/x/net@0.54.0

# Dockerfile (272:272)
RUN set -o pipefail && curl https://getcroc.schollz.com | bash || curl https://getcroc.schollz.com | sed 's^croc_base_url="https://github.com/schollz/croc/releases/download"^croc_base_url="file://"^g' | bash

critical : CVE--2026--39821

Affected range<0.55.0
Fixed version0.55.0
EPSS Score0.359%
EPSS Percentile28th percentile
Description

The ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to an ASCII-only label. For example, ToUnicode("xn--example-.com") incorrectly returns the name "example.com" rather than an error.

This behavior can lead to privilege escalation in programs using the idna package. For example, a program which performs privilege checks on the ASCII hostname may reject "example.com" but permit "xn--example-.com". If that program subsequently converts the ASCII hostname to Unicode, it will inadvertently permits access to the Unicode name "example.com".

medium : CVE--2026--25680

Affected range<0.55.0
Fixed version0.55.0
EPSS Score0.340%
EPSS Percentile26th percentile
Description

Parsing arbitrary HTML can consume excessive CPU time, possibly leading to denial of service.

medium : CVE--2026--42506

Affected range<0.55.0
Fixed version0.55.0
EPSS Score0.249%
EPSS Percentile16th percentile
Description

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

medium : CVE--2026--42502

Affected range<0.55.0
Fixed version0.55.0
EPSS Score0.236%
EPSS Percentile14th percentile
Description

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

medium : CVE--2026--27136

Affected range<0.55.0
Fixed version0.55.0
EPSS Score0.236%
EPSS Percentile14th percentile
Description

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

medium : CVE--2026--25681

Affected range<0.55.0
Fixed version0.55.0
EPSS Score0.236%
EPSS Percentile14th percentile
Description

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

critical: 0 high: 1 medium: 2 low: 0 stdlib 1.25.10 (golang)

pkg:golang/stdlib@1.25.10

# Dockerfile (272:272)
RUN set -o pipefail && curl https://getcroc.schollz.com | bash || curl https://getcroc.schollz.com | sed 's^croc_base_url="https://github.com/schollz/croc/releases/download"^croc_base_url="file://"^g' | bash

high : CVE--2026--42504

Affected range<1.25.11
Fixed version1.25.11
EPSS Score0.384%
EPSS Percentile30th percentile
Description

Decoding a maliciously-crafted MIME header containing many invalid encoded-words can consume excessive CPU.

medium : CVE--2026--27145

Affected range<1.25.11
Fixed version1.25.11
EPSS Score0.325%
EPSS Percentile24th percentile
Description

(*x509.Certificate).VerifyHostname previously called matchHostnames in a loop over all DNS Subject Alternative Name (SAN) entries. This caused strings.Split(host, ".") to execute repeatedly on the same input hostname.

With a large DNS SAN list, verification costs scaled quadratically based on the number of SAN entries multiplied by the hostname's label count. Because x509.Verify validates hostnames before building the certificate chain, this overhead occurred even for untrusted certificates.

medium : CVE--2026--42507

Affected range<1.25.11
Fixed version1.25.11
EPSS Score0.263%
EPSS Percentile17th percentile
Description

When returning errors, functions in the net/textproto package would include its input as part of the error. This might allow an attacker to inject misleading content to errors that are printed or logged.

critical: 0 high: 0 medium: 5 low: 0 unspecified: 1jquery-ui 1.11.2 (npm)

pkg:npm/jquery-ui@1.11.2

# Dockerfile (258:258)
COPY --from=build /tmp/install /flightgear/script/dnc-managed/install

medium 6.5: CVE--2021--41184 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range<1.13.0
Fixed version1.13.0
CVSS Score6.5
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
EPSS Score42.847%
EPSS Percentile99th percentile
Description

Impact

Accepting the value of the of option of the .position() util from untrusted sources may execute untrusted code. For example, invoking the following code:

$( "#element" ).position( {
	my: "left top",
	at: "right bottom",
	of: "<img onerror='doEvilThing()' src='/404' />",
	collision: "none"
} );

will call the doEvilThing() function.

Patches

The issue is fixed in jQuery UI 1.13.0. Any string value passed to the of option is now treated as a CSS selector.

Workarounds

A workaround is to not accept the value of the of option from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

medium 6.5: CVE--2021--41183 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range<1.13.0
Fixed version1.13.0
CVSS Score6.5
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
EPSS Score7.948%
EPSS Percentile94th percentile
Description

Impact

Accepting the value of various *Text options of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker in the following way:

$( "#datepicker" ).datepicker( {
	showButtonPanel: true,
	showOn: "both",
	closeText: "<script>doEvilThing( 'closeText XSS' )</script>",
	currentText: "<script>doEvilThing( 'currentText XSS' )</script>",
	prevText: "<script>doEvilThing( 'prevText XSS' )</script>",
	nextText: "<script>doEvilThing( 'nextText XSS' )</script>",
	buttonText: "<script>doEvilThing( 'buttonText XSS' )</script>",
	appendText: "<script>doEvilThing( 'appendText XSS' )</script>",
} );

will call doEvilThing with 6 different parameters coming from all *Text options.

Patches

The issue is fixed in jQuery UI 1.13.0. The values passed to various *Text options are now always treated as pure text, not HTML.

Workarounds

A workaround is to not accept the value of the *Text options from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

medium 6.5: CVE--2021--41182 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range<1.13.0
Fixed version1.13.0
CVSS Score6.5
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
EPSS Score37.788%
EPSS Percentile98th percentile
Description

Impact

Accepting the value of the altField option of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker in the following way:

$( "#datepicker" ).datepicker( {
	altField: "<img onerror='doEvilThing()' src='/404' />",
} );

will call the doEvilThing function.

Patches

The issue is fixed in jQuery UI 1.13.0. Any string value passed to the altField option is now treated as a CSS selector.

Workarounds

A workaround is to not accept the value of the altField option from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

medium 6.1: CVE--2022--31160 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range<1.13.2
Fixed version1.13.2
CVSS Score6.1
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS Score1.895%
EPSS Percentile77th percentile
Description

Impact

Initializing a checkboxradio widget on an input enclosed within a label makes that parent label contents considered as the input label. If you call .checkboxradio( "refresh" ) on such a widget and the initial HTML contained encoded HTML entities, they will erroneously get decoded. This can lead to potentially executing JavaScript code.

For example, starting with the following initial secure HTML:

<label>
	<input id="test-input">
	&lt;img src=x onerror="alert(1)"&gt;
</label>

and calling:

$( "#test-input" ).checkboxradio();
$( "#test-input" ).checkboxradio( "refresh" );

will turn the initial HTML into:

<label>
	<!-- some jQuery UI elements -->
	<input id="test-input">
	<img src=x onerror="alert(1)">
</label>

and the alert will get executed.

Patches

The bug has been patched in jQuery UI 1.13.2.

Workarounds

To remediate the issue, if you can change the initial HTML, you can wrap all the non-input contents of the label in a span:

<label>
	<input id="test-input">
	<span>&lt;img src=x onerror="alert(1)"&gt;</span>
</label>

References

https://blog.jqueryui.com/2022/07/jquery-ui-1-13-2-released/

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

medium 6.1: CVE--2016--7103 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range<1.12.0
Fixed version1.12.0
CVSS Score6.1
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS Score22.580%
EPSS Percentile97th percentile
Description

Affected versions of jquery-ui are vulnerable to a cross-site scripting vulnerability when arbitrary user input is supplied as the value of the closeText parameter in the dialog function.

jQuery-UI is a library for manipulating UI elements via jQuery.

Version 1.11.4 has a cross site scripting (XSS) vulnerability in the closeText parameter of the dialog function. If your application passes user input to this parameter, it may be vulnerable to XSS via this attack vector.

Recommendation

Upgrade to jQuery-UI 1.12.0 or later.

unspecified : GMS--2016--46 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

Affected range<=1.11.4
Fixed version1.12.0
Description

jQuery-UI has a cross site scripting (XSS) vulnerability in the closeText parameter of the dialog function. If your application passes user input to this parameter, it may be vulnerable to XSS via this attack vector.

@github-actions

github-actions Bot commented Jun 20, 2026

Copy link
Copy Markdown
Contributor

Recommended fixes for image (linux/amd64) ghcr.io/jlp04/elevation-generator:test

Base image is debian:latest

Name13.5
Digestsha256:ed49f2fa955a92dd859d7e2bdd101138b6db7ca855af572212d910d4e1445cc2
Vulnerabilitiescritical: 1 high: 2 medium: 3 low: 25 unspecified: 2
Pushed1 week ago
Size49 MB
Packages111
OS13.5
The base image is also available under the supported tag(s): 13, 13.5, trixie, trixie-20260610

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

✅ There are no tag recommendations at this time.

@github-actions

github-actions Bot commented Jun 20, 2026

Copy link
Copy Markdown
Contributor

Overview

Image reference jlp04/elevation-generator:latest ghcr.io/jlp04/elevation-generator:test
- digest d9d66e0c5a2a 4699039684ad
- tag latest test
- provenance https://github.com/JLP04/docker-elevation-generator.git#refs/pull/22/merge/commit/cd8b4c4083ec1132f53a4cf2f5f3429b4c81655d https://github.com/JLP04/docker-elevation-generator.git#refs/pull/23/merge/commit/6e35d695e714545d0541d342e7ad15f649cdf8dd
- vulnerabilities critical: 8 high: 4 medium: 22 low: 45 unspecified: 6 critical: 8 high: 3 medium: 22 low: 45 unspecified: 6
- platform linux/amd64 linux/amd64
- size 9.4 GB 9.4 GB (+162 kB)
- packages 963 963
Base Image debian:latest
also known as:
13
13.5
trixie
debian:latest
also known as:
13
13.5
trixie
trixie-20260610
- vulnerabilities critical: 1 high: 6 medium: 4 low: 35 unspecified: 2 critical: 1 high: 2 medium: 3 low: 25 unspecified: 2
Packages and Vulnerabilities (9 package changes and 1 vulnerability changes)
  • ♾️ 9 packages changed
  • 599 packages unchanged
  • ✔️ 1 vulnerabilities removed
Changes for packages of type deb (9 changes)
Package Version
jlp04/elevation-generator:latest
Version
ghcr.io/jlp04/elevation-generator:test
♾️ libinput-bin 1.28.1-1 1.28.1-1+deb13u1
♾️ libinput-dev 1.28.1-1 1.28.1-1+deb13u1
♾️ libinput10 1.28.1-1 1.28.1-1+deb13u1
critical: 0 high: 1 medium: 0 low: 0
Removed vulnerabilities (1):
  • high : CVE--2026--50292
♾️ libjxl0.11 0.11.2-0.1~deb13u1 0.11.2-0.1~deb13u2
♾️ librabbitmq4 0.15.0-1 0.15.0-1+deb13u1
♾️ libssl-dev 3.5.6-1~deb13u1 3.5.6-1~deb13u2
♾️ libssl3t64 3.5.6-1~deb13u1 3.5.6-1~deb13u2
♾️ openssl 3.5.6-1~deb13u1 3.5.6-1~deb13u2
♾️ openssl-provider-legacy 3.5.6-1~deb13u1 3.5.6-1~deb13u2

@github-actions

Copy link
Copy Markdown
Contributor
Your image ghcr.io/jlp04/elevation-generator:test critical: 8 high: 3 medium: 22 low: 45 unspecified: 6
Current base image debian:latest critical: 1 high: 2 medium: 3 low: 25 unspecified: 2

@github-actions

Copy link
Copy Markdown
Contributor

🔍 Vulnerabilities of ghcr.io/jlp04/elevation-generator:test

📦 Image Reference ghcr.io/jlp04/elevation-generator:test
digestsha256:f365c5186036a8ddf75e2eef719fdc06353e156927065013bed1f6485a808395
vulnerabilitiescritical: 8 high: 3 medium: 16 low: 0 unspecified: 1
platformlinux/arm/v5
size9.4 GB
packages947
📦 Base Image debian:13
also known as
  • 13.5
  • latest
  • trixie
  • trixie-20260610
digestsha256:5e0501ac7a3d3600621a63da8b4d70a9d8cd913b2f368cdba18c8dcae36b9173
vulnerabilitiescritical: 1 high: 2 medium: 3 low: 25 unspecified: 2
critical: 7 high: 2 medium: 4 low: 0 golang.org/x/crypto 0.51.0 (golang)

pkg:golang/golang.org/x/crypto@0.51.0

# Dockerfile (272:272)
RUN set -o pipefail && curl https://getcroc.schollz.com | bash || curl https://getcroc.schollz.com | sed 's^croc_base_url="https://github.com/schollz/croc/releases/download"^croc_base_url="file://"^g' | bash

critical : CVE--2026--46595

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.319%
EPSS Percentile23rd percentile
Description

Previously, CVE-2024-45337 fixed an authorization bypass for misused ssh server configurations; if any other type of callback is passed other than public key, then the source-address validation would be skipped.

critical : CVE--2026--42508

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.305%
EPSS Percentile22nd percentile
Description

Previously, a revoked 'SignatureKey' belonging to a CA was not correctly checked for revocation. Now, both the 'key' and 'key.SignatureKey' are checked for @Revoked.

critical : CVE--2026--39834

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.392%
EPSS Percentile31st percentile
Description

When writing data larger than 4GB in a single Write call on an SSH channel, an integer overflow in the internal payload size calculation caused the write loop to spin indefinitely, sending empty packets without making progress. The size comparison now uses int64 to prevent truncation.

critical : CVE--2026--39833

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.299%
EPSS Percentile21st percentile
Description

The in-memory keyring returned by NewKeyring() silently accepted keys with the ConfirmBeforeUse constraint but never enforced it. The key would sign without any confirmation prompt, with no indication to the caller that the constraint was not in effect. NewKeyring() now returns an error when unsupported constraints are requested.

critical : CVE--2026--39832

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.330%
EPSS Percentile25th percentile
Description

When adding a key to a remote agent constraint extensions such as restrict-destination-v00@openssh.com were not serialized in the request. Destination restrictions were silently stripped when forwarding keys, allowing unrestricted use of the key on the remote host. The client now serializes all constraint extensions. Additionally, the in-memory keyring returned by NewKeyring() now rejects keys with unsupported constraint extensions instead of silently ignoring them.

critical : CVE--2026--39831

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.309%
EPSS Percentile22nd percentile
Description

The Verify() method for FIDO/U2F security key types (sk-ecdsa-sha2-nistp256@openssh.com, sk-ssh-ed25519@openssh.com) did not check the User Presence flag. Signatures generated without physical touch were accepted, allowing unattended use of a hardware security key. To restore the previous behavior, return a "no-touch-required" extension in Permissions.Extensions from PublicKeyCallback.

critical : CVE--2026--39830

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.313%
EPSS Percentile23rd percentile
Description

A malicious SSH peer could send unsolicited global request responses to fill an internal buffer, blocking the connection's read loop. The blocked goroutine could not be released by calling Close(), resulting in a resource leak per connection. Unsolicited global responses are now discarded.

high : CVE--2026--46597

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.378%
EPSS Percentile29th percentile
Description

An incorrectly placed cast from bytes to int allowed for server-side panic in the AES-GCM packet decoder for well-crafted inputs.

high : CVE--2026--39829

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.276%
EPSS Percentile19th percentile
Description

The RSA and DSA public key parsers did not enforce size limits on key parameters. A crafted public key with an excessively large modulus or DSA parameter could cause several minutes of CPU consumption during signature verification. This could be triggered by unauthenticated clients during public key authentication. RSA moduli are now limited to 8192 bits, and DSA parameters are validated per FIPS 186-2.

medium : CVE--2026--39827

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.204%
EPSS Percentile10th percentile
Description

An authenticated SSH client that repeatedly opened channels which were rejected by the server caused unbounded memory growth, eventually crashing the server process and affecting all connected users. Rejected channels are now properly removed from the connection's internal state and released for garbage collection.

medium : CVE--2026--39828

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.173%
EPSS Percentile7th percentile
Description

When an SSH server authentication callback returned PartialSuccessError with non-nil Permissions, those permissions were silently discarded, potentially dropping certificate restrictions such as force-command after a second factor succeeded. Returning non-nil Permissions with PartialSuccessError now results in a connection error.

medium : CVE--2026--46598

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.325%
EPSS Percentile24th percentile
Description

For certain crafted inputs, a 'ed25519.PrivateKey' was created by casting malformed wire bytes, leading to a panic when used.

medium : CVE--2026--39835

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.208%
EPSS Percentile11th percentile
Description

SSH servers which use CertChecker as a public key callback without setting IsUserAuthority or IsHostAuthority could be caused to panic by a client presenting a certificate. CertChecker now returns an error instead of panicking when these callbacks are nil.

critical: 1 high: 0 medium: 5 low: 0 golang.org/x/net 0.54.0 (golang)

pkg:golang/golang.org/x/net@0.54.0

# Dockerfile (272:272)
RUN set -o pipefail && curl https://getcroc.schollz.com | bash || curl https://getcroc.schollz.com | sed 's^croc_base_url="https://github.com/schollz/croc/releases/download"^croc_base_url="file://"^g' | bash

critical : CVE--2026--39821

Affected range<0.55.0
Fixed version0.55.0
EPSS Score0.359%
EPSS Percentile28th percentile
Description

The ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to an ASCII-only label. For example, ToUnicode("xn--example-.com") incorrectly returns the name "example.com" rather than an error.

This behavior can lead to privilege escalation in programs using the idna package. For example, a program which performs privilege checks on the ASCII hostname may reject "example.com" but permit "xn--example-.com". If that program subsequently converts the ASCII hostname to Unicode, it will inadvertently permits access to the Unicode name "example.com".

medium : CVE--2026--25680

Affected range<0.55.0
Fixed version0.55.0
EPSS Score0.340%
EPSS Percentile26th percentile
Description

Parsing arbitrary HTML can consume excessive CPU time, possibly leading to denial of service.

medium : CVE--2026--42506

Affected range<0.55.0
Fixed version0.55.0
EPSS Score0.249%
EPSS Percentile16th percentile
Description

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

medium : CVE--2026--42502

Affected range<0.55.0
Fixed version0.55.0
EPSS Score0.236%
EPSS Percentile14th percentile
Description

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

medium : CVE--2026--27136

Affected range<0.55.0
Fixed version0.55.0
EPSS Score0.236%
EPSS Percentile14th percentile
Description

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

medium : CVE--2026--25681

Affected range<0.55.0
Fixed version0.55.0
EPSS Score0.236%
EPSS Percentile14th percentile
Description

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

critical: 0 high: 1 medium: 2 low: 0 stdlib 1.25.10 (golang)

pkg:golang/stdlib@1.25.10

# Dockerfile (272:272)
RUN set -o pipefail && curl https://getcroc.schollz.com | bash || curl https://getcroc.schollz.com | sed 's^croc_base_url="https://github.com/schollz/croc/releases/download"^croc_base_url="file://"^g' | bash

high : CVE--2026--42504

Affected range<1.25.11
Fixed version1.25.11
EPSS Score0.384%
EPSS Percentile30th percentile
Description

Decoding a maliciously-crafted MIME header containing many invalid encoded-words can consume excessive CPU.

medium : CVE--2026--27145

Affected range<1.25.11
Fixed version1.25.11
EPSS Score0.325%
EPSS Percentile24th percentile
Description

(*x509.Certificate).VerifyHostname previously called matchHostnames in a loop over all DNS Subject Alternative Name (SAN) entries. This caused strings.Split(host, ".") to execute repeatedly on the same input hostname.

With a large DNS SAN list, verification costs scaled quadratically based on the number of SAN entries multiplied by the hostname's label count. Because x509.Verify validates hostnames before building the certificate chain, this overhead occurred even for untrusted certificates.

medium : CVE--2026--42507

Affected range<1.25.11
Fixed version1.25.11
EPSS Score0.263%
EPSS Percentile17th percentile
Description

When returning errors, functions in the net/textproto package would include its input as part of the error. This might allow an attacker to inject misleading content to errors that are printed or logged.

critical: 0 high: 0 medium: 5 low: 0 unspecified: 1jquery-ui 1.11.2 (npm)

pkg:npm/jquery-ui@1.11.2

# Dockerfile (258:258)
COPY --from=build /tmp/install /flightgear/script/dnc-managed/install

medium 6.5: CVE--2021--41184 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range<1.13.0
Fixed version1.13.0
CVSS Score6.5
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
EPSS Score42.847%
EPSS Percentile99th percentile
Description

Impact

Accepting the value of the of option of the .position() util from untrusted sources may execute untrusted code. For example, invoking the following code:

$( "#element" ).position( {
	my: "left top",
	at: "right bottom",
	of: "<img onerror='doEvilThing()' src='/404' />",
	collision: "none"
} );

will call the doEvilThing() function.

Patches

The issue is fixed in jQuery UI 1.13.0. Any string value passed to the of option is now treated as a CSS selector.

Workarounds

A workaround is to not accept the value of the of option from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

medium 6.5: CVE--2021--41183 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range<1.13.0
Fixed version1.13.0
CVSS Score6.5
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
EPSS Score7.948%
EPSS Percentile94th percentile
Description

Impact

Accepting the value of various *Text options of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker in the following way:

$( "#datepicker" ).datepicker( {
	showButtonPanel: true,
	showOn: "both",
	closeText: "<script>doEvilThing( 'closeText XSS' )</script>",
	currentText: "<script>doEvilThing( 'currentText XSS' )</script>",
	prevText: "<script>doEvilThing( 'prevText XSS' )</script>",
	nextText: "<script>doEvilThing( 'nextText XSS' )</script>",
	buttonText: "<script>doEvilThing( 'buttonText XSS' )</script>",
	appendText: "<script>doEvilThing( 'appendText XSS' )</script>",
} );

will call doEvilThing with 6 different parameters coming from all *Text options.

Patches

The issue is fixed in jQuery UI 1.13.0. The values passed to various *Text options are now always treated as pure text, not HTML.

Workarounds

A workaround is to not accept the value of the *Text options from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

medium 6.5: CVE--2021--41182 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range<1.13.0
Fixed version1.13.0
CVSS Score6.5
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
EPSS Score37.788%
EPSS Percentile98th percentile
Description

Impact

Accepting the value of the altField option of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker in the following way:

$( "#datepicker" ).datepicker( {
	altField: "<img onerror='doEvilThing()' src='/404' />",
} );

will call the doEvilThing function.

Patches

The issue is fixed in jQuery UI 1.13.0. Any string value passed to the altField option is now treated as a CSS selector.

Workarounds

A workaround is to not accept the value of the altField option from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

medium 6.1: CVE--2022--31160 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range<1.13.2
Fixed version1.13.2
CVSS Score6.1
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS Score1.895%
EPSS Percentile77th percentile
Description

Impact

Initializing a checkboxradio widget on an input enclosed within a label makes that parent label contents considered as the input label. If you call .checkboxradio( "refresh" ) on such a widget and the initial HTML contained encoded HTML entities, they will erroneously get decoded. This can lead to potentially executing JavaScript code.

For example, starting with the following initial secure HTML:

<label>
	<input id="test-input">
	&lt;img src=x onerror="alert(1)"&gt;
</label>

and calling:

$( "#test-input" ).checkboxradio();
$( "#test-input" ).checkboxradio( "refresh" );

will turn the initial HTML into:

<label>
	<!-- some jQuery UI elements -->
	<input id="test-input">
	<img src=x onerror="alert(1)">
</label>

and the alert will get executed.

Patches

The bug has been patched in jQuery UI 1.13.2.

Workarounds

To remediate the issue, if you can change the initial HTML, you can wrap all the non-input contents of the label in a span:

<label>
	<input id="test-input">
	<span>&lt;img src=x onerror="alert(1)"&gt;</span>
</label>

References

https://blog.jqueryui.com/2022/07/jquery-ui-1-13-2-released/

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

medium 6.1: CVE--2016--7103 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range<1.12.0
Fixed version1.12.0
CVSS Score6.1
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS Score22.580%
EPSS Percentile97th percentile
Description

Affected versions of jquery-ui are vulnerable to a cross-site scripting vulnerability when arbitrary user input is supplied as the value of the closeText parameter in the dialog function.

jQuery-UI is a library for manipulating UI elements via jQuery.

Version 1.11.4 has a cross site scripting (XSS) vulnerability in the closeText parameter of the dialog function. If your application passes user input to this parameter, it may be vulnerable to XSS via this attack vector.

Recommendation

Upgrade to jQuery-UI 1.12.0 or later.

unspecified : GMS--2016--46 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

Affected range<=1.11.4
Fixed version1.12.0
Description

jQuery-UI has a cross site scripting (XSS) vulnerability in the closeText parameter of the dialog function. If your application passes user input to this parameter, it may be vulnerable to XSS via this attack vector.

@github-actions

github-actions Bot commented Jun 20, 2026

Copy link
Copy Markdown
Contributor

Recommended fixes for image (linux/arm/v5) ghcr.io/jlp04/elevation-generator:test

Base image is debian:latest

Name13.5
Digestsha256:5e0501ac7a3d3600621a63da8b4d70a9d8cd913b2f368cdba18c8dcae36b9173
Vulnerabilitiescritical: 1 high: 2 medium: 3 low: 25 unspecified: 2
Pushed1 week ago
Size48 MB
Packages112
OS13.5
The base image is also available under the supported tag(s): 13, 13.5, trixie, trixie-20260610

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

✅ There are no tag recommendations at this time.

@github-actions

github-actions Bot commented Jun 20, 2026

Copy link
Copy Markdown
Contributor

Overview

Image reference jlp04/elevation-generator:latest ghcr.io/jlp04/elevation-generator:test
- digest 3c7394cf0ad6 f365c5186036
- tag latest test
- provenance https://github.com/JLP04/docker-elevation-generator.git#refs/pull/22/merge/commit/cd8b4c4083ec1132f53a4cf2f5f3429b4c81655d https://github.com/JLP04/docker-elevation-generator.git#refs/pull/23/merge/commit/6e35d695e714545d0541d342e7ad15f649cdf8dd
- vulnerabilities critical: 8 high: 4 medium: 22 low: 45 unspecified: 6 critical: 8 high: 3 medium: 22 low: 45 unspecified: 6
- platform linux/arm linux/arm
- size 9.4 GB 9.4 GB (+153 kB)
- packages 947 947
Base Image debian:latest
also known as:
13
13.5
trixie
debian:latest
also known as:
13
13.5
trixie
trixie-20260610
- vulnerabilities critical: 1 high: 6 medium: 4 low: 35 unspecified: 2 critical: 1 high: 2 medium: 3 low: 25 unspecified: 2
Packages and Vulnerabilities (9 package changes and 1 vulnerability changes)
  • ♾️ 9 packages changed
  • 591 packages unchanged
  • ✔️ 1 vulnerabilities removed
Changes for packages of type deb (9 changes)
Package Version
jlp04/elevation-generator:latest
Version
ghcr.io/jlp04/elevation-generator:test
♾️ libinput-bin 1.28.1-1 1.28.1-1+deb13u1
♾️ libinput-dev 1.28.1-1 1.28.1-1+deb13u1
♾️ libinput10 1.28.1-1 1.28.1-1+deb13u1
critical: 0 high: 1 medium: 0 low: 0
Removed vulnerabilities (1):
  • high : CVE--2026--50292
♾️ libjxl0.11 0.11.2-0.1~deb13u1 0.11.2-0.1~deb13u2
♾️ librabbitmq4 0.15.0-1 0.15.0-1+deb13u1
♾️ libssl-dev 3.5.6-1~deb13u1 3.5.6-1~deb13u2
♾️ libssl3t64 3.5.6-1~deb13u1 3.5.6-1~deb13u2
♾️ openssl 3.5.6-1~deb13u1 3.5.6-1~deb13u2
♾️ openssl-provider-legacy 3.5.6-1~deb13u1 3.5.6-1~deb13u2

@github-actions

Copy link
Copy Markdown
Contributor
Your image ghcr.io/jlp04/elevation-generator:test critical: 8 high: 3 medium: 22 low: 45 unspecified: 6
Current base image debian:latest critical: 1 high: 2 medium: 3 low: 25 unspecified: 2

@github-actions

Copy link
Copy Markdown
Contributor

🔍 Vulnerabilities of ghcr.io/jlp04/elevation-generator:test

📦 Image Reference ghcr.io/jlp04/elevation-generator:test
digestsha256:75612312165a2a627e5db345c2019266b03fe1cb2381c80e367afec0d9f1303b
vulnerabilitiescritical: 8 high: 3 medium: 16 low: 0 unspecified: 1
platformlinux/arm/v7
size9.4 GB
packages946
📦 Base Image debian:13
also known as
  • 13.5
  • latest
  • trixie
  • trixie-20260610
digestsha256:c5d1e60f16e61e490418bcbc4e5e69bd1173cb2bed2d148c4716e9eb428ce5b1
vulnerabilitiescritical: 1 high: 2 medium: 3 low: 25 unspecified: 2
critical: 7 high: 2 medium: 4 low: 0 golang.org/x/crypto 0.51.0 (golang)

pkg:golang/golang.org/x/crypto@0.51.0

# Dockerfile (272:272)
RUN set -o pipefail && curl https://getcroc.schollz.com | bash || curl https://getcroc.schollz.com | sed 's^croc_base_url="https://github.com/schollz/croc/releases/download"^croc_base_url="file://"^g' | bash

critical : CVE--2026--46595

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.319%
EPSS Percentile23rd percentile
Description

Previously, CVE-2024-45337 fixed an authorization bypass for misused ssh server configurations; if any other type of callback is passed other than public key, then the source-address validation would be skipped.

critical : CVE--2026--42508

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.305%
EPSS Percentile22nd percentile
Description

Previously, a revoked 'SignatureKey' belonging to a CA was not correctly checked for revocation. Now, both the 'key' and 'key.SignatureKey' are checked for @Revoked.

critical : CVE--2026--39834

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.392%
EPSS Percentile31st percentile
Description

When writing data larger than 4GB in a single Write call on an SSH channel, an integer overflow in the internal payload size calculation caused the write loop to spin indefinitely, sending empty packets without making progress. The size comparison now uses int64 to prevent truncation.

critical : CVE--2026--39833

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.299%
EPSS Percentile21st percentile
Description

The in-memory keyring returned by NewKeyring() silently accepted keys with the ConfirmBeforeUse constraint but never enforced it. The key would sign without any confirmation prompt, with no indication to the caller that the constraint was not in effect. NewKeyring() now returns an error when unsupported constraints are requested.

critical : CVE--2026--39832

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.330%
EPSS Percentile25th percentile
Description

When adding a key to a remote agent constraint extensions such as restrict-destination-v00@openssh.com were not serialized in the request. Destination restrictions were silently stripped when forwarding keys, allowing unrestricted use of the key on the remote host. The client now serializes all constraint extensions. Additionally, the in-memory keyring returned by NewKeyring() now rejects keys with unsupported constraint extensions instead of silently ignoring them.

critical : CVE--2026--39831

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.309%
EPSS Percentile22nd percentile
Description

The Verify() method for FIDO/U2F security key types (sk-ecdsa-sha2-nistp256@openssh.com, sk-ssh-ed25519@openssh.com) did not check the User Presence flag. Signatures generated without physical touch were accepted, allowing unattended use of a hardware security key. To restore the previous behavior, return a "no-touch-required" extension in Permissions.Extensions from PublicKeyCallback.

critical : CVE--2026--39830

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.313%
EPSS Percentile23rd percentile
Description

A malicious SSH peer could send unsolicited global request responses to fill an internal buffer, blocking the connection's read loop. The blocked goroutine could not be released by calling Close(), resulting in a resource leak per connection. Unsolicited global responses are now discarded.

high : CVE--2026--46597

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.378%
EPSS Percentile29th percentile
Description

An incorrectly placed cast from bytes to int allowed for server-side panic in the AES-GCM packet decoder for well-crafted inputs.

high : CVE--2026--39829

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.276%
EPSS Percentile19th percentile
Description

The RSA and DSA public key parsers did not enforce size limits on key parameters. A crafted public key with an excessively large modulus or DSA parameter could cause several minutes of CPU consumption during signature verification. This could be triggered by unauthenticated clients during public key authentication. RSA moduli are now limited to 8192 bits, and DSA parameters are validated per FIPS 186-2.

medium : CVE--2026--39827

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.204%
EPSS Percentile10th percentile
Description

An authenticated SSH client that repeatedly opened channels which were rejected by the server caused unbounded memory growth, eventually crashing the server process and affecting all connected users. Rejected channels are now properly removed from the connection's internal state and released for garbage collection.

medium : CVE--2026--39828

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.173%
EPSS Percentile7th percentile
Description

When an SSH server authentication callback returned PartialSuccessError with non-nil Permissions, those permissions were silently discarded, potentially dropping certificate restrictions such as force-command after a second factor succeeded. Returning non-nil Permissions with PartialSuccessError now results in a connection error.

medium : CVE--2026--46598

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.325%
EPSS Percentile24th percentile
Description

For certain crafted inputs, a 'ed25519.PrivateKey' was created by casting malformed wire bytes, leading to a panic when used.

medium : CVE--2026--39835

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.208%
EPSS Percentile11th percentile
Description

SSH servers which use CertChecker as a public key callback without setting IsUserAuthority or IsHostAuthority could be caused to panic by a client presenting a certificate. CertChecker now returns an error instead of panicking when these callbacks are nil.

critical: 1 high: 0 medium: 5 low: 0 golang.org/x/net 0.54.0 (golang)

pkg:golang/golang.org/x/net@0.54.0

# Dockerfile (272:272)
RUN set -o pipefail && curl https://getcroc.schollz.com | bash || curl https://getcroc.schollz.com | sed 's^croc_base_url="https://github.com/schollz/croc/releases/download"^croc_base_url="file://"^g' | bash

critical : CVE--2026--39821

Affected range<0.55.0
Fixed version0.55.0
EPSS Score0.359%
EPSS Percentile28th percentile
Description

The ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to an ASCII-only label. For example, ToUnicode("xn--example-.com") incorrectly returns the name "example.com" rather than an error.

This behavior can lead to privilege escalation in programs using the idna package. For example, a program which performs privilege checks on the ASCII hostname may reject "example.com" but permit "xn--example-.com". If that program subsequently converts the ASCII hostname to Unicode, it will inadvertently permits access to the Unicode name "example.com".

medium : CVE--2026--25680

Affected range<0.55.0
Fixed version0.55.0
EPSS Score0.340%
EPSS Percentile26th percentile
Description

Parsing arbitrary HTML can consume excessive CPU time, possibly leading to denial of service.

medium : CVE--2026--42506

Affected range<0.55.0
Fixed version0.55.0
EPSS Score0.249%
EPSS Percentile16th percentile
Description

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

medium : CVE--2026--42502

Affected range<0.55.0
Fixed version0.55.0
EPSS Score0.236%
EPSS Percentile14th percentile
Description

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

medium : CVE--2026--27136

Affected range<0.55.0
Fixed version0.55.0
EPSS Score0.236%
EPSS Percentile14th percentile
Description

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

medium : CVE--2026--25681

Affected range<0.55.0
Fixed version0.55.0
EPSS Score0.236%
EPSS Percentile14th percentile
Description

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

critical: 0 high: 1 medium: 2 low: 0 stdlib 1.25.10 (golang)

pkg:golang/stdlib@1.25.10

# Dockerfile (272:272)
RUN set -o pipefail && curl https://getcroc.schollz.com | bash || curl https://getcroc.schollz.com | sed 's^croc_base_url="https://github.com/schollz/croc/releases/download"^croc_base_url="file://"^g' | bash

high : CVE--2026--42504

Affected range<1.25.11
Fixed version1.25.11
EPSS Score0.384%
EPSS Percentile30th percentile
Description

Decoding a maliciously-crafted MIME header containing many invalid encoded-words can consume excessive CPU.

medium : CVE--2026--27145

Affected range<1.25.11
Fixed version1.25.11
EPSS Score0.325%
EPSS Percentile24th percentile
Description

(*x509.Certificate).VerifyHostname previously called matchHostnames in a loop over all DNS Subject Alternative Name (SAN) entries. This caused strings.Split(host, ".") to execute repeatedly on the same input hostname.

With a large DNS SAN list, verification costs scaled quadratically based on the number of SAN entries multiplied by the hostname's label count. Because x509.Verify validates hostnames before building the certificate chain, this overhead occurred even for untrusted certificates.

medium : CVE--2026--42507

Affected range<1.25.11
Fixed version1.25.11
EPSS Score0.263%
EPSS Percentile17th percentile
Description

When returning errors, functions in the net/textproto package would include its input as part of the error. This might allow an attacker to inject misleading content to errors that are printed or logged.

critical: 0 high: 0 medium: 5 low: 0 unspecified: 1jquery-ui 1.11.2 (npm)

pkg:npm/jquery-ui@1.11.2

# Dockerfile (258:258)
COPY --from=build /tmp/install /flightgear/script/dnc-managed/install

medium 6.5: CVE--2021--41184 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range<1.13.0
Fixed version1.13.0
CVSS Score6.5
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
EPSS Score42.847%
EPSS Percentile99th percentile
Description

Impact

Accepting the value of the of option of the .position() util from untrusted sources may execute untrusted code. For example, invoking the following code:

$( "#element" ).position( {
	my: "left top",
	at: "right bottom",
	of: "<img onerror='doEvilThing()' src='/404' />",
	collision: "none"
} );

will call the doEvilThing() function.

Patches

The issue is fixed in jQuery UI 1.13.0. Any string value passed to the of option is now treated as a CSS selector.

Workarounds

A workaround is to not accept the value of the of option from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

medium 6.5: CVE--2021--41183 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range<1.13.0
Fixed version1.13.0
CVSS Score6.5
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
EPSS Score7.948%
EPSS Percentile94th percentile
Description

Impact

Accepting the value of various *Text options of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker in the following way:

$( "#datepicker" ).datepicker( {
	showButtonPanel: true,
	showOn: "both",
	closeText: "<script>doEvilThing( 'closeText XSS' )</script>",
	currentText: "<script>doEvilThing( 'currentText XSS' )</script>",
	prevText: "<script>doEvilThing( 'prevText XSS' )</script>",
	nextText: "<script>doEvilThing( 'nextText XSS' )</script>",
	buttonText: "<script>doEvilThing( 'buttonText XSS' )</script>",
	appendText: "<script>doEvilThing( 'appendText XSS' )</script>",
} );

will call doEvilThing with 6 different parameters coming from all *Text options.

Patches

The issue is fixed in jQuery UI 1.13.0. The values passed to various *Text options are now always treated as pure text, not HTML.

Workarounds

A workaround is to not accept the value of the *Text options from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

medium 6.5: CVE--2021--41182 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range<1.13.0
Fixed version1.13.0
CVSS Score6.5
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
EPSS Score37.788%
EPSS Percentile98th percentile
Description

Impact

Accepting the value of the altField option of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker in the following way:

$( "#datepicker" ).datepicker( {
	altField: "<img onerror='doEvilThing()' src='/404' />",
} );

will call the doEvilThing function.

Patches

The issue is fixed in jQuery UI 1.13.0. Any string value passed to the altField option is now treated as a CSS selector.

Workarounds

A workaround is to not accept the value of the altField option from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

medium 6.1: CVE--2022--31160 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range<1.13.2
Fixed version1.13.2
CVSS Score6.1
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS Score1.895%
EPSS Percentile77th percentile
Description

Impact

Initializing a checkboxradio widget on an input enclosed within a label makes that parent label contents considered as the input label. If you call .checkboxradio( "refresh" ) on such a widget and the initial HTML contained encoded HTML entities, they will erroneously get decoded. This can lead to potentially executing JavaScript code.

For example, starting with the following initial secure HTML:

<label>
	<input id="test-input">
	&lt;img src=x onerror="alert(1)"&gt;
</label>

and calling:

$( "#test-input" ).checkboxradio();
$( "#test-input" ).checkboxradio( "refresh" );

will turn the initial HTML into:

<label>
	<!-- some jQuery UI elements -->
	<input id="test-input">
	<img src=x onerror="alert(1)">
</label>

and the alert will get executed.

Patches

The bug has been patched in jQuery UI 1.13.2.

Workarounds

To remediate the issue, if you can change the initial HTML, you can wrap all the non-input contents of the label in a span:

<label>
	<input id="test-input">
	<span>&lt;img src=x onerror="alert(1)"&gt;</span>
</label>

References

https://blog.jqueryui.com/2022/07/jquery-ui-1-13-2-released/

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

medium 6.1: CVE--2016--7103 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range<1.12.0
Fixed version1.12.0
CVSS Score6.1
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS Score22.580%
EPSS Percentile97th percentile
Description

Affected versions of jquery-ui are vulnerable to a cross-site scripting vulnerability when arbitrary user input is supplied as the value of the closeText parameter in the dialog function.

jQuery-UI is a library for manipulating UI elements via jQuery.

Version 1.11.4 has a cross site scripting (XSS) vulnerability in the closeText parameter of the dialog function. If your application passes user input to this parameter, it may be vulnerable to XSS via this attack vector.

Recommendation

Upgrade to jQuery-UI 1.12.0 or later.

unspecified : GMS--2016--46 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

Affected range<=1.11.4
Fixed version1.12.0
Description

jQuery-UI has a cross site scripting (XSS) vulnerability in the closeText parameter of the dialog function. If your application passes user input to this parameter, it may be vulnerable to XSS via this attack vector.

@github-actions

github-actions Bot commented Jun 20, 2026

Copy link
Copy Markdown
Contributor

Recommended fixes for image (linux/arm/v7) ghcr.io/jlp04/elevation-generator:test

Base image is debian:latest

Name13.5
Digestsha256:c5d1e60f16e61e490418bcbc4e5e69bd1173cb2bed2d148c4716e9eb428ce5b1
Vulnerabilitiescritical: 1 high: 2 medium: 3 low: 25 unspecified: 2
Pushed1 week ago
Size46 MB
Packages111
OS13.5
The base image is also available under the supported tag(s): 13, 13.5, trixie, trixie-20260610

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

✅ There are no tag recommendations at this time.

@github-actions

github-actions Bot commented Jun 20, 2026

Copy link
Copy Markdown
Contributor

Overview

Image reference jlp04/elevation-generator:latest ghcr.io/jlp04/elevation-generator:test
- digest 1de2cb5e4c2f 75612312165a
- tag latest test
- provenance https://github.com/JLP04/docker-elevation-generator.git#refs/pull/22/merge/commit/cd8b4c4083ec1132f53a4cf2f5f3429b4c81655d https://github.com/JLP04/docker-elevation-generator.git#refs/pull/23/merge/commit/6e35d695e714545d0541d342e7ad15f649cdf8dd
- vulnerabilities critical: 8 high: 4 medium: 22 low: 45 unspecified: 6 critical: 8 high: 3 medium: 22 low: 45 unspecified: 6
- platform linux/arm linux/arm
- size 9.4 GB 9.4 GB (+172 kB)
- packages 946 946
Base Image debian:latest
also known as:
13
13.5
trixie
debian:latest
also known as:
13
13.5
trixie
trixie-20260610
- vulnerabilities critical: 1 high: 6 medium: 4 low: 35 unspecified: 2 critical: 1 high: 2 medium: 3 low: 25 unspecified: 2
Packages and Vulnerabilities (9 package changes and 1 vulnerability changes)
  • ♾️ 9 packages changed
  • 591 packages unchanged
  • ✔️ 1 vulnerabilities removed
Changes for packages of type deb (9 changes)
Package Version
jlp04/elevation-generator:latest
Version
ghcr.io/jlp04/elevation-generator:test
♾️ libinput-bin 1.28.1-1 1.28.1-1+deb13u1
♾️ libinput-dev 1.28.1-1 1.28.1-1+deb13u1
♾️ libinput10 1.28.1-1 1.28.1-1+deb13u1
critical: 0 high: 1 medium: 0 low: 0
Removed vulnerabilities (1):
  • high : CVE--2026--50292
♾️ libjxl0.11 0.11.2-0.1~deb13u1 0.11.2-0.1~deb13u2
♾️ librabbitmq4 0.15.0-1 0.15.0-1+deb13u1
♾️ libssl-dev 3.5.6-1~deb13u1 3.5.6-1~deb13u2
♾️ libssl3t64 3.5.6-1~deb13u1 3.5.6-1~deb13u2
♾️ openssl 3.5.6-1~deb13u1 3.5.6-1~deb13u2
♾️ openssl-provider-legacy 3.5.6-1~deb13u1 3.5.6-1~deb13u2

@github-actions

Copy link
Copy Markdown
Contributor
Your image ghcr.io/jlp04/elevation-generator:test critical: 8 high: 3 medium: 22 low: 45 unspecified: 6
Current base image debian:latest critical: 1 high: 2 medium: 3 low: 25 unspecified: 2

@github-actions

Copy link
Copy Markdown
Contributor

🔍 Vulnerabilities of ghcr.io/jlp04/elevation-generator:test

📦 Image Reference ghcr.io/jlp04/elevation-generator:test
digestsha256:07a673edc773d023fd8382f87f4e021e4b5b071020894e4237a5638f1e0cb480
vulnerabilitiescritical: 8 high: 3 medium: 16 low: 0 unspecified: 1
platformlinux/arm64
size9.4 GB
packages960
📦 Base Image debian:13
also known as
  • 13.5
  • latest
  • trixie
  • trixie-20260610
digestsha256:b407d8d85413b48428f0fccb4349113d50b07ab20342d991f351e8679950fa8e
vulnerabilitiescritical: 1 high: 2 medium: 3 low: 25 unspecified: 2
critical: 7 high: 2 medium: 4 low: 0 golang.org/x/crypto 0.51.0 (golang)

pkg:golang/golang.org/x/crypto@0.51.0

# Dockerfile (272:272)
RUN set -o pipefail && curl https://getcroc.schollz.com | bash || curl https://getcroc.schollz.com | sed 's^croc_base_url="https://github.com/schollz/croc/releases/download"^croc_base_url="file://"^g' | bash

critical : CVE--2026--46595

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.319%
EPSS Percentile23rd percentile
Description

Previously, CVE-2024-45337 fixed an authorization bypass for misused ssh server configurations; if any other type of callback is passed other than public key, then the source-address validation would be skipped.

critical : CVE--2026--42508

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.305%
EPSS Percentile22nd percentile
Description

Previously, a revoked 'SignatureKey' belonging to a CA was not correctly checked for revocation. Now, both the 'key' and 'key.SignatureKey' are checked for @Revoked.

critical : CVE--2026--39834

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.392%
EPSS Percentile31st percentile
Description

When writing data larger than 4GB in a single Write call on an SSH channel, an integer overflow in the internal payload size calculation caused the write loop to spin indefinitely, sending empty packets without making progress. The size comparison now uses int64 to prevent truncation.

critical : CVE--2026--39833

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.299%
EPSS Percentile21st percentile
Description

The in-memory keyring returned by NewKeyring() silently accepted keys with the ConfirmBeforeUse constraint but never enforced it. The key would sign without any confirmation prompt, with no indication to the caller that the constraint was not in effect. NewKeyring() now returns an error when unsupported constraints are requested.

critical : CVE--2026--39832

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.330%
EPSS Percentile25th percentile
Description

When adding a key to a remote agent constraint extensions such as restrict-destination-v00@openssh.com were not serialized in the request. Destination restrictions were silently stripped when forwarding keys, allowing unrestricted use of the key on the remote host. The client now serializes all constraint extensions. Additionally, the in-memory keyring returned by NewKeyring() now rejects keys with unsupported constraint extensions instead of silently ignoring them.

critical : CVE--2026--39831

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.309%
EPSS Percentile22nd percentile
Description

The Verify() method for FIDO/U2F security key types (sk-ecdsa-sha2-nistp256@openssh.com, sk-ssh-ed25519@openssh.com) did not check the User Presence flag. Signatures generated without physical touch were accepted, allowing unattended use of a hardware security key. To restore the previous behavior, return a "no-touch-required" extension in Permissions.Extensions from PublicKeyCallback.

critical : CVE--2026--39830

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.313%
EPSS Percentile23rd percentile
Description

A malicious SSH peer could send unsolicited global request responses to fill an internal buffer, blocking the connection's read loop. The blocked goroutine could not be released by calling Close(), resulting in a resource leak per connection. Unsolicited global responses are now discarded.

high : CVE--2026--46597

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.378%
EPSS Percentile29th percentile
Description

An incorrectly placed cast from bytes to int allowed for server-side panic in the AES-GCM packet decoder for well-crafted inputs.

high : CVE--2026--39829

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.276%
EPSS Percentile19th percentile
Description

The RSA and DSA public key parsers did not enforce size limits on key parameters. A crafted public key with an excessively large modulus or DSA parameter could cause several minutes of CPU consumption during signature verification. This could be triggered by unauthenticated clients during public key authentication. RSA moduli are now limited to 8192 bits, and DSA parameters are validated per FIPS 186-2.

medium : CVE--2026--39827

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.204%
EPSS Percentile10th percentile
Description

An authenticated SSH client that repeatedly opened channels which were rejected by the server caused unbounded memory growth, eventually crashing the server process and affecting all connected users. Rejected channels are now properly removed from the connection's internal state and released for garbage collection.

medium : CVE--2026--39828

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.173%
EPSS Percentile7th percentile
Description

When an SSH server authentication callback returned PartialSuccessError with non-nil Permissions, those permissions were silently discarded, potentially dropping certificate restrictions such as force-command after a second factor succeeded. Returning non-nil Permissions with PartialSuccessError now results in a connection error.

medium : CVE--2026--46598

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.325%
EPSS Percentile24th percentile
Description

For certain crafted inputs, a 'ed25519.PrivateKey' was created by casting malformed wire bytes, leading to a panic when used.

medium : CVE--2026--39835

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.208%
EPSS Percentile11th percentile
Description

SSH servers which use CertChecker as a public key callback without setting IsUserAuthority or IsHostAuthority could be caused to panic by a client presenting a certificate. CertChecker now returns an error instead of panicking when these callbacks are nil.

critical: 1 high: 0 medium: 5 low: 0 golang.org/x/net 0.54.0 (golang)

pkg:golang/golang.org/x/net@0.54.0

# Dockerfile (272:272)
RUN set -o pipefail && curl https://getcroc.schollz.com | bash || curl https://getcroc.schollz.com | sed 's^croc_base_url="https://github.com/schollz/croc/releases/download"^croc_base_url="file://"^g' | bash

critical : CVE--2026--39821

Affected range<0.55.0
Fixed version0.55.0
EPSS Score0.359%
EPSS Percentile28th percentile
Description

The ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to an ASCII-only label. For example, ToUnicode("xn--example-.com") incorrectly returns the name "example.com" rather than an error.

This behavior can lead to privilege escalation in programs using the idna package. For example, a program which performs privilege checks on the ASCII hostname may reject "example.com" but permit "xn--example-.com". If that program subsequently converts the ASCII hostname to Unicode, it will inadvertently permits access to the Unicode name "example.com".

medium : CVE--2026--25680

Affected range<0.55.0
Fixed version0.55.0
EPSS Score0.340%
EPSS Percentile26th percentile
Description

Parsing arbitrary HTML can consume excessive CPU time, possibly leading to denial of service.

medium : CVE--2026--42506

Affected range<0.55.0
Fixed version0.55.0
EPSS Score0.249%
EPSS Percentile16th percentile
Description

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

medium : CVE--2026--42502

Affected range<0.55.0
Fixed version0.55.0
EPSS Score0.236%
EPSS Percentile14th percentile
Description

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

medium : CVE--2026--27136

Affected range<0.55.0
Fixed version0.55.0
EPSS Score0.236%
EPSS Percentile14th percentile
Description

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

medium : CVE--2026--25681

Affected range<0.55.0
Fixed version0.55.0
EPSS Score0.236%
EPSS Percentile14th percentile
Description

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

critical: 0 high: 1 medium: 2 low: 0 stdlib 1.25.10 (golang)

pkg:golang/stdlib@1.25.10

# Dockerfile (272:272)
RUN set -o pipefail && curl https://getcroc.schollz.com | bash || curl https://getcroc.schollz.com | sed 's^croc_base_url="https://github.com/schollz/croc/releases/download"^croc_base_url="file://"^g' | bash

high : CVE--2026--42504

Affected range<1.25.11
Fixed version1.25.11
EPSS Score0.384%
EPSS Percentile30th percentile
Description

Decoding a maliciously-crafted MIME header containing many invalid encoded-words can consume excessive CPU.

medium : CVE--2026--27145

Affected range<1.25.11
Fixed version1.25.11
EPSS Score0.325%
EPSS Percentile24th percentile
Description

(*x509.Certificate).VerifyHostname previously called matchHostnames in a loop over all DNS Subject Alternative Name (SAN) entries. This caused strings.Split(host, ".") to execute repeatedly on the same input hostname.

With a large DNS SAN list, verification costs scaled quadratically based on the number of SAN entries multiplied by the hostname's label count. Because x509.Verify validates hostnames before building the certificate chain, this overhead occurred even for untrusted certificates.

medium : CVE--2026--42507

Affected range<1.25.11
Fixed version1.25.11
EPSS Score0.263%
EPSS Percentile17th percentile
Description

When returning errors, functions in the net/textproto package would include its input as part of the error. This might allow an attacker to inject misleading content to errors that are printed or logged.

critical: 0 high: 0 medium: 5 low: 0 unspecified: 1jquery-ui 1.11.2 (npm)

pkg:npm/jquery-ui@1.11.2

# Dockerfile (258:258)
COPY --from=build /tmp/install /flightgear/script/dnc-managed/install

medium 6.5: CVE--2021--41184 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range<1.13.0
Fixed version1.13.0
CVSS Score6.5
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
EPSS Score42.847%
EPSS Percentile99th percentile
Description

Impact

Accepting the value of the of option of the .position() util from untrusted sources may execute untrusted code. For example, invoking the following code:

$( "#element" ).position( {
	my: "left top",
	at: "right bottom",
	of: "<img onerror='doEvilThing()' src='/404' />",
	collision: "none"
} );

will call the doEvilThing() function.

Patches

The issue is fixed in jQuery UI 1.13.0. Any string value passed to the of option is now treated as a CSS selector.

Workarounds

A workaround is to not accept the value of the of option from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

medium 6.5: CVE--2021--41183 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range<1.13.0
Fixed version1.13.0
CVSS Score6.5
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
EPSS Score7.948%
EPSS Percentile94th percentile
Description

Impact

Accepting the value of various *Text options of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker in the following way:

$( "#datepicker" ).datepicker( {
	showButtonPanel: true,
	showOn: "both",
	closeText: "<script>doEvilThing( 'closeText XSS' )</script>",
	currentText: "<script>doEvilThing( 'currentText XSS' )</script>",
	prevText: "<script>doEvilThing( 'prevText XSS' )</script>",
	nextText: "<script>doEvilThing( 'nextText XSS' )</script>",
	buttonText: "<script>doEvilThing( 'buttonText XSS' )</script>",
	appendText: "<script>doEvilThing( 'appendText XSS' )</script>",
} );

will call doEvilThing with 6 different parameters coming from all *Text options.

Patches

The issue is fixed in jQuery UI 1.13.0. The values passed to various *Text options are now always treated as pure text, not HTML.

Workarounds

A workaround is to not accept the value of the *Text options from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

medium 6.5: CVE--2021--41182 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range<1.13.0
Fixed version1.13.0
CVSS Score6.5
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
EPSS Score37.788%
EPSS Percentile98th percentile
Description

Impact

Accepting the value of the altField option of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker in the following way:

$( "#datepicker" ).datepicker( {
	altField: "<img onerror='doEvilThing()' src='/404' />",
} );

will call the doEvilThing function.

Patches

The issue is fixed in jQuery UI 1.13.0. Any string value passed to the altField option is now treated as a CSS selector.

Workarounds

A workaround is to not accept the value of the altField option from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

medium 6.1: CVE--2022--31160 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range<1.13.2
Fixed version1.13.2
CVSS Score6.1
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS Score1.895%
EPSS Percentile77th percentile
Description

Impact

Initializing a checkboxradio widget on an input enclosed within a label makes that parent label contents considered as the input label. If you call .checkboxradio( "refresh" ) on such a widget and the initial HTML contained encoded HTML entities, they will erroneously get decoded. This can lead to potentially executing JavaScript code.

For example, starting with the following initial secure HTML:

<label>
	<input id="test-input">
	&lt;img src=x onerror="alert(1)"&gt;
</label>

and calling:

$( "#test-input" ).checkboxradio();
$( "#test-input" ).checkboxradio( "refresh" );

will turn the initial HTML into:

<label>
	<!-- some jQuery UI elements -->
	<input id="test-input">
	<img src=x onerror="alert(1)">
</label>

and the alert will get executed.

Patches

The bug has been patched in jQuery UI 1.13.2.

Workarounds

To remediate the issue, if you can change the initial HTML, you can wrap all the non-input contents of the label in a span:

<label>
	<input id="test-input">
	<span>&lt;img src=x onerror="alert(1)"&gt;</span>
</label>

References

https://blog.jqueryui.com/2022/07/jquery-ui-1-13-2-released/

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

medium 6.1: CVE--2016--7103 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range<1.12.0
Fixed version1.12.0
CVSS Score6.1
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS Score22.580%
EPSS Percentile97th percentile
Description

Affected versions of jquery-ui are vulnerable to a cross-site scripting vulnerability when arbitrary user input is supplied as the value of the closeText parameter in the dialog function.

jQuery-UI is a library for manipulating UI elements via jQuery.

Version 1.11.4 has a cross site scripting (XSS) vulnerability in the closeText parameter of the dialog function. If your application passes user input to this parameter, it may be vulnerable to XSS via this attack vector.

Recommendation

Upgrade to jQuery-UI 1.12.0 or later.

unspecified : GMS--2016--46 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

Affected range<=1.11.4
Fixed version1.12.0
Description

jQuery-UI has a cross site scripting (XSS) vulnerability in the closeText parameter of the dialog function. If your application passes user input to this parameter, it may be vulnerable to XSS via this attack vector.

@github-actions

github-actions Bot commented Jun 20, 2026

Copy link
Copy Markdown
Contributor

Recommended fixes for image (linux/arm64) ghcr.io/jlp04/elevation-generator:test

Base image is debian:latest

Name13.5
Digestsha256:b407d8d85413b48428f0fccb4349113d50b07ab20342d991f351e8679950fa8e
Vulnerabilitiescritical: 1 high: 2 medium: 3 low: 25 unspecified: 2
Pushed1 week ago
Size50 MB
Packages111
OS13.5
The base image is also available under the supported tag(s): 13, 13.5, trixie, trixie-20260610

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

✅ There are no tag recommendations at this time.

@github-actions

github-actions Bot commented Jun 20, 2026

Copy link
Copy Markdown
Contributor

Overview

Image reference jlp04/elevation-generator:latest ghcr.io/jlp04/elevation-generator:test
- digest 243f8039039a 07a673edc773
- tag latest test
- provenance https://github.com/JLP04/docker-elevation-generator.git#refs/pull/22/merge/commit/cd8b4c4083ec1132f53a4cf2f5f3429b4c81655d https://github.com/JLP04/docker-elevation-generator.git#refs/pull/23/merge/commit/6e35d695e714545d0541d342e7ad15f649cdf8dd
- vulnerabilities critical: 8 high: 4 medium: 22 low: 45 unspecified: 6 critical: 8 high: 3 medium: 22 low: 45 unspecified: 6
- platform linux/arm64 linux/arm64
- size 9.4 GB 9.4 GB (+161 kB)
- packages 960 960
Base Image debian:latest
also known as:
13
13.5
trixie
debian:latest
also known as:
13
13.5
trixie
trixie-20260610
- vulnerabilities critical: 1 high: 6 medium: 4 low: 35 unspecified: 2 critical: 1 high: 2 medium: 3 low: 25 unspecified: 2
Packages and Vulnerabilities (9 package changes and 1 vulnerability changes)
  • ♾️ 9 packages changed
  • 597 packages unchanged
  • ✔️ 1 vulnerabilities removed
Changes for packages of type deb (9 changes)
Package Version
jlp04/elevation-generator:latest
Version
ghcr.io/jlp04/elevation-generator:test
♾️ libinput-bin 1.28.1-1 1.28.1-1+deb13u1
♾️ libinput-dev 1.28.1-1 1.28.1-1+deb13u1
♾️ libinput10 1.28.1-1 1.28.1-1+deb13u1
critical: 0 high: 1 medium: 0 low: 0
Removed vulnerabilities (1):
  • high : CVE--2026--50292
♾️ libjxl0.11 0.11.2-0.1~deb13u1 0.11.2-0.1~deb13u2
♾️ librabbitmq4 0.15.0-1 0.15.0-1+deb13u1
♾️ libssl-dev 3.5.6-1~deb13u1 3.5.6-1~deb13u2
♾️ libssl3t64 3.5.6-1~deb13u1 3.5.6-1~deb13u2
♾️ openssl 3.5.6-1~deb13u1 3.5.6-1~deb13u2
♾️ openssl-provider-legacy 3.5.6-1~deb13u1 3.5.6-1~deb13u2

@github-actions

Copy link
Copy Markdown
Contributor
Your image ghcr.io/jlp04/elevation-generator:test critical: 9 high: 18 medium: 39 low: 46 unspecified: 6
Current base image debian:latest

@github-actions

Copy link
Copy Markdown
Contributor

🔍 Vulnerabilities of ghcr.io/jlp04/elevation-generator:test

📦 Image Reference ghcr.io/jlp04/elevation-generator:test
digestsha256:a1c7e5823f12bc147f10eb13bfeb5d24a5bfae216437692f0af4dffd46847436
vulnerabilitiescritical: 9 high: 18 medium: 33 low: 1 unspecified: 1
platformlinux/ppc64le
size9.4 GB
packages956
📦 Base Image oisupport/staging-ppc64le:13
also known as
  • 13.5
  • 71d8394213ba81d5c407fea0a97bc34b7f457fcd87b29a680455170632aa8510
  • latest
  • trixie
  • trixie-20260610
digestsha256:76b9aa62ea1601f1f8d7d84451cff3adc0a04155956ad2697d8f9aaea3301c47
vulnerabilitiescritical: 1 high: 2 medium: 3 low: 25 unspecified: 2
critical: 7 high: 2 medium: 4 low: 0 golang.org/x/crypto 0.51.0 (golang)

pkg:golang/golang.org/x/crypto@0.51.0

# Dockerfile (272:272)
RUN set -o pipefail && curl https://getcroc.schollz.com | bash || curl https://getcroc.schollz.com | sed 's^croc_base_url="https://github.com/schollz/croc/releases/download"^croc_base_url="file://"^g' | bash

critical : CVE--2026--46595

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.319%
EPSS Percentile23rd percentile
Description

Previously, CVE-2024-45337 fixed an authorization bypass for misused ssh server configurations; if any other type of callback is passed other than public key, then the source-address validation would be skipped.

critical : CVE--2026--42508

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.305%
EPSS Percentile22nd percentile
Description

Previously, a revoked 'SignatureKey' belonging to a CA was not correctly checked for revocation. Now, both the 'key' and 'key.SignatureKey' are checked for @Revoked.

critical : CVE--2026--39834

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.392%
EPSS Percentile31st percentile
Description

When writing data larger than 4GB in a single Write call on an SSH channel, an integer overflow in the internal payload size calculation caused the write loop to spin indefinitely, sending empty packets without making progress. The size comparison now uses int64 to prevent truncation.

critical : CVE--2026--39833

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.299%
EPSS Percentile21st percentile
Description

The in-memory keyring returned by NewKeyring() silently accepted keys with the ConfirmBeforeUse constraint but never enforced it. The key would sign without any confirmation prompt, with no indication to the caller that the constraint was not in effect. NewKeyring() now returns an error when unsupported constraints are requested.

critical : CVE--2026--39832

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.330%
EPSS Percentile25th percentile
Description

When adding a key to a remote agent constraint extensions such as restrict-destination-v00@openssh.com were not serialized in the request. Destination restrictions were silently stripped when forwarding keys, allowing unrestricted use of the key on the remote host. The client now serializes all constraint extensions. Additionally, the in-memory keyring returned by NewKeyring() now rejects keys with unsupported constraint extensions instead of silently ignoring them.

critical : CVE--2026--39831

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.309%
EPSS Percentile22nd percentile
Description

The Verify() method for FIDO/U2F security key types (sk-ecdsa-sha2-nistp256@openssh.com, sk-ssh-ed25519@openssh.com) did not check the User Presence flag. Signatures generated without physical touch were accepted, allowing unattended use of a hardware security key. To restore the previous behavior, return a "no-touch-required" extension in Permissions.Extensions from PublicKeyCallback.

critical : CVE--2026--39830

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.313%
EPSS Percentile23rd percentile
Description

A malicious SSH peer could send unsolicited global request responses to fill an internal buffer, blocking the connection's read loop. The blocked goroutine could not be released by calling Close(), resulting in a resource leak per connection. Unsolicited global responses are now discarded.

high : CVE--2026--46597

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.378%
EPSS Percentile29th percentile
Description

An incorrectly placed cast from bytes to int allowed for server-side panic in the AES-GCM packet decoder for well-crafted inputs.

high : CVE--2026--39829

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.276%
EPSS Percentile19th percentile
Description

The RSA and DSA public key parsers did not enforce size limits on key parameters. A crafted public key with an excessively large modulus or DSA parameter could cause several minutes of CPU consumption during signature verification. This could be triggered by unauthenticated clients during public key authentication. RSA moduli are now limited to 8192 bits, and DSA parameters are validated per FIPS 186-2.

medium : CVE--2026--39827

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.204%
EPSS Percentile10th percentile
Description

An authenticated SSH client that repeatedly opened channels which were rejected by the server caused unbounded memory growth, eventually crashing the server process and affecting all connected users. Rejected channels are now properly removed from the connection's internal state and released for garbage collection.

medium : CVE--2026--39828

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.173%
EPSS Percentile7th percentile
Description

When an SSH server authentication callback returned PartialSuccessError with non-nil Permissions, those permissions were silently discarded, potentially dropping certificate restrictions such as force-command after a second factor succeeded. Returning non-nil Permissions with PartialSuccessError now results in a connection error.

medium : CVE--2026--46598

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.325%
EPSS Percentile24th percentile
Description

For certain crafted inputs, a 'ed25519.PrivateKey' was created by casting malformed wire bytes, leading to a panic when used.

medium : CVE--2026--39835

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.208%
EPSS Percentile11th percentile
Description

SSH servers which use CertChecker as a public key callback without setting IsUserAuthority or IsHostAuthority could be caused to panic by a client presenting a certificate. CertChecker now returns an error instead of panicking when these callbacks are nil.

critical: 1 high: 16 medium: 19 low: 1 stdlib 1.25.0 (golang)

pkg:golang/stdlib@1.25.0

# Dockerfile (272:272)
RUN set -o pipefail && curl https://getcroc.schollz.com | bash || curl https://getcroc.schollz.com | sed 's^croc_base_url="https://github.com/schollz/croc/releases/download"^croc_base_url="file://"^g' | bash

critical : CVE--2025--68121

Affected range>=1.25.0-0
<1.25.7
Fixed version1.25.7
EPSS Score0.765%
EPSS Percentile51st percentile
Description

During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed. This may happen when a user calls Config.Clone and mutates the returned Config, or uses Config.GetConfigForClient. This can cause a client to resume a session with a server that it would not have resumed with during the initial handshake, or cause a server to resume a session with a client that it would not have resumed with during the initial handshake.

high : CVE--2026--42504

Affected range<1.25.11
Fixed version1.25.11
EPSS Score0.384%
EPSS Percentile30th percentile
Description

Decoding a maliciously-crafted MIME header containing many invalid encoded-words can consume excessive CPU.

high : CVE--2026--42499

Affected range<1.25.10
Fixed version1.25.10
EPSS Score0.577%
EPSS Percentile43rd percentile
Description

Pathological inputs could cause DoS through consumePhrase when parsing an email address according to RFC 5322.

high : CVE--2026--39836

Affected range<1.25.10
Fixed version1.25.10
EPSS Score0.588%
EPSS Percentile43rd percentile
Description

The Dial and LookupPort functions panic on Windows when provided with an input containing a NUL (0).

high : CVE--2026--39820

Affected range<1.25.10
Fixed version1.25.10
EPSS Score0.369%
EPSS Percentile29th percentile
Description

Well-crafted inputs reaching ParseAddress, ParseAddressList, and ParseDate were able to trigger excessive CPU exhaustion and memory allocations.

high : CVE--2026--33814

Affected range<1.25.10
Fixed version1.25.10
EPSS Score0.565%
EPSS Percentile42nd percentile
Description

When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0.

high : CVE--2026--33811

Affected range<1.25.10
Fixed version1.25.10
EPSS Score0.504%
EPSS Percentile39th percentile
Description

When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C memory and a crash.

high : CVE--2026--32283

Affected range<1.25.9
Fixed version1.25.9
EPSS Score0.449%
EPSS Percentile36th percentile
Description

If one side of the TLS connection sends multiple key update messages post-handshake in a single record, the connection can deadlock, causing uncontrolled consumption of resources. This can lead to a denial of service.

This only affects TLS 1.3.

high : CVE--2026--32281

Affected range<1.25.9
Fixed version1.25.9
EPSS Score0.349%
EPSS Percentile27th percentile
Description

Validating certificate chains which use policies is unexpectedly inefficient when certificates in the chain contain a very large number of policy mappings, possibly causing denial of service.

This only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Roots CertPool, or in the system certificate pool.

high : CVE--2026--32280

Affected range<1.25.9
Fixed version1.25.9
EPSS Score0.371%
EPSS Percentile29th percentile
Description

During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions.Intermediates, which can lead to a denial of service. This affects both direct users of crypto/x509 and users of crypto/tls.

high : CVE--2026--25679

Affected range<1.25.8
Fixed version1.25.8
EPSS Score0.520%
EPSS Percentile40th percentile
Description

url.Parse insufficiently validated the host/authority component and accepted some invalid URLs.

high : CVE--2025--61729

Affected range>=1.25.0
<1.25.5
Fixed version1.25.5
EPSS Score0.451%
EPSS Percentile36th percentile
Description

Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a malicious actor can result in excessive resource consumption.

high : CVE--2025--61726

Affected range>=1.25.0
<1.25.6
Fixed version1.25.6
EPSS Score0.789%
EPSS Percentile51st percentile
Description

The net/url package does not set a limit on the number of query parameters in a query.

While the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse large URL-encoded forms. Parsing a large form containing many unique query parameters can cause excessive memory consumption.

high : CVE--2025--61725

Affected range>=1.25.0
<1.25.2
Fixed version1.25.2
EPSS Score0.573%
EPSS Percentile43rd percentile
Description

The ParseAddress function constructs domain-literal address components through repeated string concatenation. When parsing large domain-literal components, this can cause excessive CPU consumption.

high : CVE--2025--61723

Affected range>=1.25.0
<1.25.2
Fixed version1.25.2
EPSS Score0.586%
EPSS Percentile43rd percentile
Description

The processing time for parsing some invalid inputs scales non-linearly with respect to the size of the input.

This affects programs which parse untrusted PEM inputs.

high : CVE--2025--58188

Affected range>=1.25.0
<1.25.2
Fixed version1.25.2
EPSS Score0.344%
EPSS Percentile26th percentile
Description

Validating certificate chains which contain DSA public keys can cause programs to panic, due to a interface cast that assumes they implement the Equal method.

This affects programs which validate arbitrary certificate chains.

high : CVE--2025--58187

Affected range>=1.25.0
<1.25.3
Fixed version1.25.3
EPSS Score0.366%
EPSS Percentile28th percentile
Description

Due to the design of the name constraint checking algorithm, the processing time of some inputs scale non-linearly with respect to the size of the certificate.

This affects programs which validate arbitrary certificate chains.

medium : CVE--2026--27145

Affected range<1.25.11
Fixed version1.25.11
EPSS Score0.325%
EPSS Percentile24th percentile
Description

(*x509.Certificate).VerifyHostname previously called matchHostnames in a loop over all DNS Subject Alternative Name (SAN) entries. This caused strings.Split(host, ".") to execute repeatedly on the same input hostname.

With a large DNS SAN list, verification costs scaled quadratically based on the number of SAN entries multiplied by the hostname's label count. Because x509.Verify validates hostnames before building the certificate chain, this overhead occurred even for untrusted certificates.

medium : CVE--2025--61728

Affected range>=1.25.0
<1.25.6
Fixed version1.25.6
EPSS Score0.643%
EPSS Percentile46th percentile
Description

archive/zip uses a super-linear file name indexing algorithm that is invoked the first time a file in an archive is opened. This can lead to a denial of service when consuming a maliciously constructed ZIP archive.

medium : CVE--2025--61727

Affected range>=1.25.0
<1.25.5
Fixed version1.25.5
EPSS Score0.270%
EPSS Percentile18th percentile
Description

An excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard SANs in the leaf certificate. For example a constraint that excludes the subdomain test.example.com does not prevent a leaf certificate from claiming the SAN *.example.com.

medium : CVE--2026--32282

Affected range<1.25.9
Fixed version1.25.9
EPSS Score0.292%
EPSS Percentile21st percentile
Description

On Linux, if the target of Root.Chmod is replaced with a symlink while the chmod operation is in progress, Chmod can operate on the target of the symlink, even when the target lies outside the root.

The Linux fchmodat syscall silently ignores the AT_SYMLINK_NOFOLLOW flag, which Root.Chmod uses to avoid symlink traversal. Root.Chmod checks its target before acting and returns an error if the target is a symlink lying outside the root, so the impact is limited to cases where the target is replaced with a symlink between the check and operation.

medium : CVE--2026--39826

Affected range<1.25.10
Fixed version1.25.10
EPSS Score0.371%
EPSS Percentile29th percentile
Description

If a trusted template author were to write a <script> tag containing an empty 'type' attribute or a 'type' attribute with an ASCII whitespace, the execution of the template would incorrectly escape any data passed into the <script> block.

medium : CVE--2026--39823

Affected range<1.25.10
Fixed version1.25.10
EPSS Score0.314%
EPSS Percentile23rd percentile
Description

CVE-2026-27142 fixed a vulnerability in which URLs were not correctly escaped inside of a tag's attribute. If the URL content were to insert ASCII whitespaces around the '=' rune inside of the attribute, the escaper would fail to similarly escape it, leading to XSS.

medium : CVE--2026--32289

Affected range<1.25.9
Fixed version1.25.9
EPSS Score0.290%
EPSS Percentile20th percentile
Description

Context was not properly tracked across template branches for JS template literals, leading to possibly incorrect escaping of content when branches were used. Additionally template actions within JS template literals did not properly track the brace depth, leading to incorrect escaping being applied.

These issues could cause actions within JS template literals to be incorrectly or improperly escaped, leading to XSS vulnerabilities.

medium : CVE--2026--27142

Affected range<1.25.8
Fixed version1.25.8
EPSS Score0.303%
EPSS Percentile22nd percentile
Description

Actions which insert URLs into the content attribute of HTML meta tags are not escaped. This can allow XSS if the meta tag also has an http-equiv attribute with the value "refresh".

A new GODEBUG setting has been added, htmlmetacontenturlescape, which can be used to disable escaping URLs in actions in the meta content attribute which follow "url=" by setting htmlmetacontenturlescape=0.

medium : CVE--2026--32288

Affected range<1.25.9
Fixed version1.25.9
EPSS Score0.290%
EPSS Percentile20th percentile
Description

tar.Reader can allocate an unbounded amount of memory when reading a maliciously-crafted archive containing a large number of sparse regions encoded in the "old GNU sparse map" format.

medium : CVE--2025--47910

Affected range>=1.25.0
<1.25.1
Fixed version1.25.1
EPSS Score0.308%
EPSS Percentile22nd percentile
Description

When using http.CrossOriginProtection, the AddInsecureBypassPattern method can unexpectedly bypass more requests than intended. CrossOriginProtection then skips validation, but forwards the original request path, which may be served by a different handler without the intended security protections.

medium : CVE--2026--42507

Affected range<1.25.11
Fixed version1.25.11
EPSS Score0.263%
EPSS Percentile17th percentile
Description

When returning errors, functions in the net/textproto package would include its input as part of the error. This might allow an attacker to inject misleading content to errors that are printed or logged.

medium : CVE--2026--39825

Affected range<1.25.10
Fixed version1.25.10
EPSS Score0.390%
EPSS Percentile31st percentile
Description

ReverseProxy can forward queries containing parameters not visible to Rewrite functions.

When used with a Rewrite function, or a Director function which parses query parameters, ReverseProxy sanitizes the forwarded request to remove query parameters which are not parsed by url.ParseQuery. ReverseProxy does not take ParseQuery's limit on the total number of query parameters (controlled by GODEBUG=urlmaxqueryparams=N) into account. This can permit ReverseProxy to forward a request containing a query parameter that is not visible to the Rewrite function.

For example, the query "a1=x&a2=x&...&a10000=x&hidden=y" can forward the parameter "hidden=y" while hiding it from the proxy's Rewrite function.

medium : CVE--2025--61730

Affected range>=1.25.0
<1.25.6
Fixed version1.25.6
EPSS Score0.276%
EPSS Percentile19th percentile
Description

During the TLS 1.3 handshake if multiple messages are sent in records that span encryption level boundaries (for instance the Client Hello and Encrypted Extensions messages), the subsequent messages may be processed before the encryption level changes. This can cause some minor information disclosure if a network-local attacker can inject messages during the handshake.

medium : CVE--2025--61724

Affected range>=1.25.0
<1.25.2
Fixed version1.25.2
EPSS Score0.492%
EPSS Percentile38th percentile
Description

The Reader.ReadResponse function constructs a response string through repeated string concatenation of lines. When the number of lines in a response is large, this can cause excessive CPU consumption.

medium : CVE--2025--58189

Affected range>=1.25.0
<1.25.2
Fixed version1.25.2
EPSS Score0.414%
EPSS Percentile33rd percentile
Description

When Conn.Handshake fails during ALPN negotiation the error contains attacker controlled information (the ALPN protocols sent by the client) which is not escaped.

medium : CVE--2025--58186

Affected range>=1.25.0
<1.25.2
Fixed version1.25.2
EPSS Score0.500%
EPSS Percentile39th percentile
Description

Despite HTTP headers having a default limit of 1MB, the number of cookies that can be parsed does not have a limit. By sending a lot of very small cookies such as "a=;", an attacker can make an HTTP server allocate a large amount of structs, causing large memory consumption.

medium : CVE--2025--58185

Affected range>=1.25.0
<1.25.2
Fixed version1.25.2
EPSS Score0.492%
EPSS Percentile38th percentile
Description

Parsing a maliciously crafted DER payload could allocate large amounts of memory, causing memory exhaustion.

medium : CVE--2025--47912

Affected range>=1.25.0
<1.25.2
Fixed version1.25.2
EPSS Score0.414%
EPSS Percentile33rd percentile
Description

The Parse function permits values other than IPv6 addresses to be included in square brackets within the host component of a URL. RFC 3986 permits IPv6 addresses to be included within the host component, enclosed within square brackets. For example: "http://[::1]/". IPv4 addresses and hostnames must not appear within square brackets. Parse did not enforce this requirement.

medium : CVE--2025--58183

Affected range>=1.25.0
<1.25.2
Fixed version1.25.2
EPSS Score0.382%
EPSS Percentile30th percentile
Description

tar.Reader does not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A maliciously-crafted archive containing a large number of sparse regions can cause a Reader to read an unbounded amount of data from the archive into memory. When reading from a compressed source, a small compressed input can result in large allocations.

low : CVE--2026--27139

Affected range<1.25.8
Fixed version1.25.8
EPSS Score0.201%
EPSS Percentile10th percentile
Description

On Unix platforms, when listing the contents of a directory using File.ReadDir or File.Readdir the returned FileInfo could reference a file outside of the Root in which the File was opened.

The impact of this escape is limited to reading metadata provided by lstat from arbitrary locations on the filesystem without permitting reading or writing files outside the root.

critical: 1 high: 0 medium: 5 low: 0 golang.org/x/net 0.54.0 (golang)

pkg:golang/golang.org/x/net@0.54.0

# Dockerfile (272:272)
RUN set -o pipefail && curl https://getcroc.schollz.com | bash || curl https://getcroc.schollz.com | sed 's^croc_base_url="https://github.com/schollz/croc/releases/download"^croc_base_url="file://"^g' | bash

critical : CVE--2026--39821

Affected range<0.55.0
Fixed version0.55.0
EPSS Score0.359%
EPSS Percentile28th percentile
Description

The ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to an ASCII-only label. For example, ToUnicode("xn--example-.com") incorrectly returns the name "example.com" rather than an error.

This behavior can lead to privilege escalation in programs using the idna package. For example, a program which performs privilege checks on the ASCII hostname may reject "example.com" but permit "xn--example-.com". If that program subsequently converts the ASCII hostname to Unicode, it will inadvertently permits access to the Unicode name "example.com".

medium : CVE--2026--25680

Affected range<0.55.0
Fixed version0.55.0
EPSS Score0.340%
EPSS Percentile26th percentile
Description

Parsing arbitrary HTML can consume excessive CPU time, possibly leading to denial of service.

medium : CVE--2026--42506

Affected range<0.55.0
Fixed version0.55.0
EPSS Score0.249%
EPSS Percentile16th percentile
Description

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

medium : CVE--2026--42502

Affected range<0.55.0
Fixed version0.55.0
EPSS Score0.236%
EPSS Percentile14th percentile
Description

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

medium : CVE--2026--27136

Affected range<0.55.0
Fixed version0.55.0
EPSS Score0.236%
EPSS Percentile14th percentile
Description

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

medium : CVE--2026--25681

Affected range<0.55.0
Fixed version0.55.0
EPSS Score0.236%
EPSS Percentile14th percentile
Description

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

critical: 0 high: 0 medium: 5 low: 0 unspecified: 1jquery-ui 1.11.2 (npm)

pkg:npm/jquery-ui@1.11.2

# Dockerfile (258:258)
COPY --from=build /tmp/install /flightgear/script/dnc-managed/install

medium 6.5: CVE--2021--41184 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range<1.13.0
Fixed version1.13.0
CVSS Score6.5
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
EPSS Score42.847%
EPSS Percentile99th percentile
Description

Impact

Accepting the value of the of option of the .position() util from untrusted sources may execute untrusted code. For example, invoking the following code:

$( "#element" ).position( {
	my: "left top",
	at: "right bottom",
	of: "<img onerror='doEvilThing()' src='/404' />",
	collision: "none"
} );

will call the doEvilThing() function.

Patches

The issue is fixed in jQuery UI 1.13.0. Any string value passed to the of option is now treated as a CSS selector.

Workarounds

A workaround is to not accept the value of the of option from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

medium 6.5: CVE--2021--41183 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range<1.13.0
Fixed version1.13.0
CVSS Score6.5
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
EPSS Score7.948%
EPSS Percentile94th percentile
Description

Impact

Accepting the value of various *Text options of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker in the following way:

$( "#datepicker" ).datepicker( {
	showButtonPanel: true,
	showOn: "both",
	closeText: "<script>doEvilThing( 'closeText XSS' )</script>",
	currentText: "<script>doEvilThing( 'currentText XSS' )</script>",
	prevText: "<script>doEvilThing( 'prevText XSS' )</script>",
	nextText: "<script>doEvilThing( 'nextText XSS' )</script>",
	buttonText: "<script>doEvilThing( 'buttonText XSS' )</script>",
	appendText: "<script>doEvilThing( 'appendText XSS' )</script>",
} );

will call doEvilThing with 6 different parameters coming from all *Text options.

Patches

The issue is fixed in jQuery UI 1.13.0. The values passed to various *Text options are now always treated as pure text, not HTML.

Workarounds

A workaround is to not accept the value of the *Text options from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

medium 6.5: CVE--2021--41182 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range<1.13.0
Fixed version1.13.0
CVSS Score6.5
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
EPSS Score37.788%
EPSS Percentile98th percentile
Description

Impact

Accepting the value of the altField option of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker in the following way:

$( "#datepicker" ).datepicker( {
	altField: "<img onerror='doEvilThing()' src='/404' />",
} );

will call the doEvilThing function.

Patches

The issue is fixed in jQuery UI 1.13.0. Any string value passed to the altField option is now treated as a CSS selector.

Workarounds

A workaround is to not accept the value of the altField option from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

medium 6.1: CVE--2022--31160 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range<1.13.2
Fixed version1.13.2
CVSS Score6.1
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS Score1.895%
EPSS Percentile77th percentile
Description

Impact

Initializing a checkboxradio widget on an input enclosed within a label makes that parent label contents considered as the input label. If you call .checkboxradio( "refresh" ) on such a widget and the initial HTML contained encoded HTML entities, they will erroneously get decoded. This can lead to potentially executing JavaScript code.

For example, starting with the following initial secure HTML:

<label>
	<input id="test-input">
	&lt;img src=x onerror="alert(1)"&gt;
</label>

and calling:

$( "#test-input" ).checkboxradio();
$( "#test-input" ).checkboxradio( "refresh" );

will turn the initial HTML into:

<label>
	<!-- some jQuery UI elements -->
	<input id="test-input">
	<img src=x onerror="alert(1)">
</label>

and the alert will get executed.

Patches

The bug has been patched in jQuery UI 1.13.2.

Workarounds

To remediate the issue, if you can change the initial HTML, you can wrap all the non-input contents of the label in a span:

<label>
	<input id="test-input">
	<span>&lt;img src=x onerror="alert(1)"&gt;</span>
</label>

References

https://blog.jqueryui.com/2022/07/jquery-ui-1-13-2-released/

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

medium 6.1: CVE--2016--7103 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range<1.12.0
Fixed version1.12.0
CVSS Score6.1
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS Score22.580%
EPSS Percentile97th percentile
Description

Affected versions of jquery-ui are vulnerable to a cross-site scripting vulnerability when arbitrary user input is supplied as the value of the closeText parameter in the dialog function.

jQuery-UI is a library for manipulating UI elements via jQuery.

Version 1.11.4 has a cross site scripting (XSS) vulnerability in the closeText parameter of the dialog function. If your application passes user input to this parameter, it may be vulnerable to XSS via this attack vector.

Recommendation

Upgrade to jQuery-UI 1.12.0 or later.

unspecified : GMS--2016--46 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

Affected range<=1.11.4
Fixed version1.12.0
Description

jQuery-UI has a cross site scripting (XSS) vulnerability in the closeText parameter of the dialog function. If your application passes user input to this parameter, it may be vulnerable to XSS via this attack vector.

@JLP04 JLP04 added the pr-pull This PR is ready to be merged, and the changes within are ready to be promoted to the `latest` tag label Jun 21, 2026
@github-actions

Copy link
Copy Markdown
Contributor
Your image jlp04/elevation-generator:latest critical: 8 high: 3 medium: 23 low: 45 unspecified: 18
Current base image debian:latest critical: 1 high: 2 medium: 3 low: 25 unspecified: 2

@github-actions

Copy link
Copy Markdown
Contributor

🔍 Vulnerabilities of jlp04/elevation-generator:latest

📦 Image Reference jlp04/elevation-generator:latest
digestsha256:4ef8686f3a33dda167ec1c5c98ff6f973a165c46c18d51337e923b711d706a05
vulnerabilitiescritical: 8 high: 3 medium: 17 low: 0 unspecified: 4
platformlinux/386
size9.5 GB
packages959
📦 Base Image debian:13
also known as
  • 13.5
  • latest
  • trixie
  • trixie-20260610
digestsha256:43a1b0313184cc462f1179148656274c09d389041ae7fdaa135cb5604e11c388
vulnerabilitiescritical: 1 high: 2 medium: 3 low: 25 unspecified: 2
critical: 7 high: 2 medium: 4 low: 0 golang.org/x/crypto 0.51.0 (golang)

pkg:golang/golang.org/x/crypto@0.51.0

# Dockerfile (272:272)
RUN set -o pipefail && curl https://getcroc.schollz.com | bash || curl https://getcroc.schollz.com | sed 's^croc_base_url="https://github.com/schollz/croc/releases/download"^croc_base_url="file://"^g' | bash

critical : CVE--2026--46595

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.385%
EPSS Percentile30th percentile
Description

Previously, CVE-2024-45337 fixed an authorization bypass for misused ssh server configurations; if any other type of callback is passed other than public key, then the source-address validation would be skipped.

critical : CVE--2026--42508

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.368%
EPSS Percentile29th percentile
Description

Previously, a revoked 'SignatureKey' belonging to a CA was not correctly checked for revocation. Now, both the 'key' and 'key.SignatureKey' are checked for @Revoked.

critical : CVE--2026--39834

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.466%
EPSS Percentile37th percentile
Description

When writing data larger than 4GB in a single Write call on an SSH channel, an integer overflow in the internal payload size calculation caused the write loop to spin indefinitely, sending empty packets without making progress. The size comparison now uses int64 to prevent truncation.

critical : CVE--2026--39833

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.360%
EPSS Percentile28th percentile
Description

The in-memory keyring returned by NewKeyring() silently accepted keys with the ConfirmBeforeUse constraint but never enforced it. The key would sign without any confirmation prompt, with no indication to the caller that the constraint was not in effect. NewKeyring() now returns an error when unsupported constraints are requested.

critical : CVE--2026--39832

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.397%
EPSS Percentile32nd percentile
Description

When adding a key to a remote agent constraint extensions such as restrict-destination-v00@openssh.com were not serialized in the request. Destination restrictions were silently stripped when forwarding keys, allowing unrestricted use of the key on the remote host. The client now serializes all constraint extensions. Additionally, the in-memory keyring returned by NewKeyring() now rejects keys with unsupported constraint extensions instead of silently ignoring them.

critical : CVE--2026--39831

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.373%
EPSS Percentile29th percentile
Description

The Verify() method for FIDO/U2F security key types (sk-ecdsa-sha2-nistp256@openssh.com, sk-ssh-ed25519@openssh.com) did not check the User Presence flag. Signatures generated without physical touch were accepted, allowing unattended use of a hardware security key. To restore the previous behavior, return a "no-touch-required" extension in Permissions.Extensions from PublicKeyCallback.

critical : CVE--2026--39830

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.392%
EPSS Percentile31st percentile
Description

A malicious SSH peer could send unsolicited global request responses to fill an internal buffer, blocking the connection's read loop. The blocked goroutine could not be released by calling Close(), resulting in a resource leak per connection. Unsolicited global responses are now discarded.

high : CVE--2026--46597

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.359%
EPSS Percentile28th percentile
Description

An incorrectly placed cast from bytes to int allowed for server-side panic in the AES-GCM packet decoder for well-crafted inputs.

high : CVE--2026--39829

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.304%
EPSS Percentile22nd percentile
Description

The RSA and DSA public key parsers did not enforce size limits on key parameters. A crafted public key with an excessively large modulus or DSA parameter could cause several minutes of CPU consumption during signature verification. This could be triggered by unauthenticated clients during public key authentication. RSA moduli are now limited to 8192 bits, and DSA parameters are validated per FIPS 186-2.

medium : CVE--2026--39827

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.196%
EPSS Percentile10th percentile
Description

An authenticated SSH client that repeatedly opened channels which were rejected by the server caused unbounded memory growth, eventually crashing the server process and affecting all connected users. Rejected channels are now properly removed from the connection's internal state and released for garbage collection.

medium : CVE--2026--39828

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.175%
EPSS Percentile7th percentile
Description

When an SSH server authentication callback returned PartialSuccessError with non-nil Permissions, those permissions were silently discarded, potentially dropping certificate restrictions such as force-command after a second factor succeeded. Returning non-nil Permissions with PartialSuccessError now results in a connection error.

medium : CVE--2026--46598

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.313%
EPSS Percentile23rd percentile
Description

For certain crafted inputs, a 'ed25519.PrivateKey' was created by casting malformed wire bytes, leading to a panic when used.

medium : CVE--2026--39835

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.210%
EPSS Percentile11th percentile
Description

SSH servers which use CertChecker as a public key callback without setting IsUserAuthority or IsHostAuthority could be caused to panic by a client presenting a certificate. CertChecker now returns an error instead of panicking when these callbacks are nil.

critical: 1 high: 0 medium: 5 low: 0 golang.org/x/net 0.54.0 (golang)

pkg:golang/golang.org/x/net@0.54.0

# Dockerfile (272:272)
RUN set -o pipefail && curl https://getcroc.schollz.com | bash || curl https://getcroc.schollz.com | sed 's^croc_base_url="https://github.com/schollz/croc/releases/download"^croc_base_url="file://"^g' | bash

critical : CVE--2026--39821

Affected range<0.55.0
Fixed version0.55.0
EPSS Score0.344%
EPSS Percentile26th percentile
Description

The ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to an ASCII-only label. For example, ToUnicode("xn--example-.com") incorrectly returns the name "example.com" rather than an error.

This behavior can lead to privilege escalation in programs using the idna package. For example, a program which performs privilege checks on the ASCII hostname may reject "example.com" but permit "xn--example-.com". If that program subsequently converts the ASCII hostname to Unicode, it will inadvertently permits access to the Unicode name "example.com".

medium : CVE--2026--25680

Affected range<0.55.0
Fixed version0.55.0
EPSS Score0.248%
EPSS Percentile16th percentile
Description

Parsing arbitrary HTML can consume excessive CPU time, possibly leading to denial of service.

medium : CVE--2026--42506

Affected range<0.55.0
Fixed version0.55.0
EPSS Score0.188%
EPSS Percentile9th percentile
Description

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

medium : CVE--2026--42502

Affected range<0.55.0
Fixed version0.55.0
EPSS Score0.178%
EPSS Percentile8th percentile
Description

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

medium : CVE--2026--27136

Affected range<0.55.0
Fixed version0.55.0
EPSS Score0.178%
EPSS Percentile8th percentile
Description

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

medium : CVE--2026--25681

Affected range<0.55.0
Fixed version0.55.0
EPSS Score0.178%
EPSS Percentile8th percentile
Description

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

critical: 0 high: 1 medium: 2 low: 0 stdlib 1.25.10 (golang)

pkg:golang/stdlib@1.25.10

# Dockerfile (272:272)
RUN set -o pipefail && curl https://getcroc.schollz.com | bash || curl https://getcroc.schollz.com | sed 's^croc_base_url="https://github.com/schollz/croc/releases/download"^croc_base_url="file://"^g' | bash

high : CVE--2026--42504

Affected range<1.25.11
Fixed version1.25.11
EPSS Score0.560%
EPSS Percentile42nd percentile
Description

Decoding a maliciously-crafted MIME header containing many invalid encoded-words can consume excessive CPU.

medium : CVE--2026--27145

Affected range<1.25.11
Fixed version1.25.11
EPSS Score0.561%
EPSS Percentile42nd percentile
Description

(*x509.Certificate).VerifyHostname previously called matchHostnames in a loop over all DNS Subject Alternative Name (SAN) entries. This caused strings.Split(host, ".") to execute repeatedly on the same input hostname.

With a large DNS SAN list, verification costs scaled quadratically based on the number of SAN entries multiplied by the hostname's label count. Because x509.Verify validates hostnames before building the certificate chain, this overhead occurred even for untrusted certificates.

medium : CVE--2026--42507

Affected range<1.25.11
Fixed version1.25.11
EPSS Score0.370%
EPSS Percentile29th percentile
Description

When returning errors, functions in the net/textproto package would include its input as part of the error. This might allow an attacker to inject misleading content to errors that are printed or logged.

critical: 0 high: 0 medium: 5 low: 0 unspecified: 1jquery-ui 1.11.2 (npm)

pkg:npm/jquery-ui@1.11.2

# Dockerfile (258:258)
COPY --from=build /tmp/install /flightgear/script/dnc-managed/install

medium 6.5: CVE--2021--41184 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range<1.13.0
Fixed version1.13.0
CVSS Score6.5
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
EPSS Score42.847%
EPSS Percentile99th percentile
Description

Impact

Accepting the value of the of option of the .position() util from untrusted sources may execute untrusted code. For example, invoking the following code:

$( "#element" ).position( {
	my: "left top",
	at: "right bottom",
	of: "<img onerror='doEvilThing()' src='/404' />",
	collision: "none"
} );

will call the doEvilThing() function.

Patches

The issue is fixed in jQuery UI 1.13.0. Any string value passed to the of option is now treated as a CSS selector.

Workarounds

A workaround is to not accept the value of the of option from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

medium 6.5: CVE--2021--41183 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range<1.13.0
Fixed version1.13.0
CVSS Score6.5
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
EPSS Score7.948%
EPSS Percentile94th percentile
Description

Impact

Accepting the value of various *Text options of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker in the following way:

$( "#datepicker" ).datepicker( {
	showButtonPanel: true,
	showOn: "both",
	closeText: "<script>doEvilThing( 'closeText XSS' )</script>",
	currentText: "<script>doEvilThing( 'currentText XSS' )</script>",
	prevText: "<script>doEvilThing( 'prevText XSS' )</script>",
	nextText: "<script>doEvilThing( 'nextText XSS' )</script>",
	buttonText: "<script>doEvilThing( 'buttonText XSS' )</script>",
	appendText: "<script>doEvilThing( 'appendText XSS' )</script>",
} );

will call doEvilThing with 6 different parameters coming from all *Text options.

Patches

The issue is fixed in jQuery UI 1.13.0. The values passed to various *Text options are now always treated as pure text, not HTML.

Workarounds

A workaround is to not accept the value of the *Text options from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

medium 6.5: CVE--2021--41182 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range<1.13.0
Fixed version1.13.0
CVSS Score6.5
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
EPSS Score37.788%
EPSS Percentile98th percentile
Description

Impact

Accepting the value of the altField option of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker in the following way:

$( "#datepicker" ).datepicker( {
	altField: "<img onerror='doEvilThing()' src='/404' />",
} );

will call the doEvilThing function.

Patches

The issue is fixed in jQuery UI 1.13.0. Any string value passed to the altField option is now treated as a CSS selector.

Workarounds

A workaround is to not accept the value of the altField option from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

medium 6.1: CVE--2022--31160 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range<1.13.2
Fixed version1.13.2
CVSS Score6.1
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS Score1.933%
EPSS Percentile78th percentile
Description

Impact

Initializing a checkboxradio widget on an input enclosed within a label makes that parent label contents considered as the input label. If you call .checkboxradio( "refresh" ) on such a widget and the initial HTML contained encoded HTML entities, they will erroneously get decoded. This can lead to potentially executing JavaScript code.

For example, starting with the following initial secure HTML:

<label>
	<input id="test-input">
	&lt;img src=x onerror="alert(1)"&gt;
</label>

and calling:

$( "#test-input" ).checkboxradio();
$( "#test-input" ).checkboxradio( "refresh" );

will turn the initial HTML into:

<label>
	<!-- some jQuery UI elements -->
	<input id="test-input">
	<img src=x onerror="alert(1)">
</label>

and the alert will get executed.

Patches

The bug has been patched in jQuery UI 1.13.2.

Workarounds

To remediate the issue, if you can change the initial HTML, you can wrap all the non-input contents of the label in a span:

<label>
	<input id="test-input">
	<span>&lt;img src=x onerror="alert(1)"&gt;</span>
</label>

References

https://blog.jqueryui.com/2022/07/jquery-ui-1-13-2-released/

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

medium 6.1: CVE--2016--7103 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range<1.12.0
Fixed version1.12.0
CVSS Score6.1
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS Score22.580%
EPSS Percentile97th percentile
Description

Affected versions of jquery-ui are vulnerable to a cross-site scripting vulnerability when arbitrary user input is supplied as the value of the closeText parameter in the dialog function.

jQuery-UI is a library for manipulating UI elements via jQuery.

Version 1.11.4 has a cross site scripting (XSS) vulnerability in the closeText parameter of the dialog function. If your application passes user input to this parameter, it may be vulnerable to XSS via this attack vector.

Recommendation

Upgrade to jQuery-UI 1.12.0 or later.

unspecified : GMS--2016--46 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

Affected range<=1.11.4
Fixed version1.12.0
Description

jQuery-UI has a cross site scripting (XSS) vulnerability in the closeText parameter of the dialog function. If your application passes user input to this parameter, it may be vulnerable to XSS via this attack vector.

critical: 0 high: 0 medium: 1 low: 0 unspecified: 3libssh2-1t64 1.11.1-1 (deb)

pkg:deb/debian/libssh2-1t64@1.11.1-1?arch=i386&distro=debian-13&upstream=libssh2

# Dockerfile (270:270)
RUN DEBIAN_FRONTEND=noninteractive apt-get update && apt --no-install-recommends install -y curl ca-certificates python3 python-is-python3 python3-pyqt5 libopengl0 && rm -rf /var/lib/apt/lists/* /var/cache/apt/*

medium : CVE--2026--7598

Affected range<1.11.1-1+deb13u1
Fixed version1.11.1-1+deb13u1
EPSS Score0.355%
EPSS Percentile27th percentile
Description

A security vulnerability has been detected in libssh2 up to 1.11.1. The impacted element is the function userauth_password of the file src/userauth.c. Such manipulation of the argument username_len/password_len leads to integer overflow. The attack may be launched remotely. The name of the patch is 256d04b60d80bf1190e96b0ad1e91b2174d744b1. A patch should be applied to remediate this issue.


unspecified : CVE--2026--55200

Affected range<1.11.1-1+deb13u1
Fixed version1.11.1-1+deb13u1
EPSS Score0.922%
EPSS Percentile56th percentile
Description

libssh2 through 1.11.1, fixed in commit 7acf3df contains an out-of-bounds write vulnerability in ssh2_transport_read() that fails to enforce upper bounds on packet_length field. Remote attackers can send crafted SSH packets with excessively large packet_length values to corrupt heap memory and achieve remote code execution.


unspecified : CVE--2026--55199

Affected range<1.11.1-1+deb13u1
Fixed version1.11.1-1+deb13u1
EPSS Score0.408%
EPSS Percentile33rd percentile
Description

libssh2 through 1.11.1, fixed in commit 1762685, contains a pre-authentication denial of service vulnerability in the SSH_MSG_EXT_INFO handler in src/packet.c that allows a malicious SSH server to cause a client CPU exhaustion loop by sending a crafted extension count value. A malicious server can set nr_extensions to 0xFFFFFFFF during key exchange, causing the client to spin in a tight CPU loop for over 60 seconds because return values from _libssh2_get_string() are unchecked and the session timeout does not apply to CPU-bound loops.


unspecified : CVE--2025--15661

Affected range<1.11.1-1+deb13u1
Fixed version1.11.1-1+deb13u1
EPSS Score0.267%
EPSS Percentile18th percentile
Description

libssh2 through 1.11.1, fixed in commit 2dae302, contains an out-of-bounds heap read vulnerability in the sftp_symlink() function in src/sftp.c that allows a malicious SSH server or man-in-the-middle attacker to disclose heap memory contents or cause a crash by sending a crafted SSH_FXP_NAME response. Attackers can supply a link_len value larger than the actual packet data in SSH_FXP_NAME responses for SFTP READLINK and REALPATH operations, triggering a heap buffer over-read of up to target_len minus one bytes due to the missing validation of available packet buffer size before the memcpy operation.


@github-actions

Copy link
Copy Markdown
Contributor

Recommended fixes for image (linux/386) jlp04/elevation-generator:latest

Base image is debian:latest

Name13.5
Digestsha256:43a1b0313184cc462f1179148656274c09d389041ae7fdaa135cb5604e11c388
Vulnerabilitiescritical: 1 high: 2 medium: 3 low: 25 unspecified: 2
Pushed2 weeks ago
Size51 MB
Packages111
OS13.5
The base image is also available under the supported tag(s): 13, 13.5, trixie

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

✅ There are no tag recommendations at this time.

@github-actions

Copy link
Copy Markdown
Contributor
Your image jlp04/elevation-generator:latest critical: 8 high: 3 medium: 23 low: 45 unspecified: 18
Current base image debian:latest critical: 1 high: 2 medium: 3 low: 25 unspecified: 2

@github-actions

Copy link
Copy Markdown
Contributor

🔍 Vulnerabilities of jlp04/elevation-generator:latest

📦 Image Reference jlp04/elevation-generator:latest
digestsha256:4699039684ad6ae25e4e6ac88c843ba66fac754367570c0b69c4c1b467abe984
vulnerabilitiescritical: 8 high: 3 medium: 17 low: 0 unspecified: 4
platformlinux/amd64
size9.4 GB
packages963
📦 Base Image debian:13
also known as
  • 13.5
  • latest
  • trixie
  • trixie-20260610
digestsha256:ed49f2fa955a92dd859d7e2bdd101138b6db7ca855af572212d910d4e1445cc2
vulnerabilitiescritical: 1 high: 2 medium: 3 low: 25 unspecified: 2
critical: 7 high: 2 medium: 4 low: 0 golang.org/x/crypto 0.51.0 (golang)

pkg:golang/golang.org/x/crypto@0.51.0

# Dockerfile (272:272)
RUN set -o pipefail && curl https://getcroc.schollz.com | bash || curl https://getcroc.schollz.com | sed 's^croc_base_url="https://github.com/schollz/croc/releases/download"^croc_base_url="file://"^g' | bash

critical : CVE--2026--46595

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.385%
EPSS Percentile30th percentile
Description

Previously, CVE-2024-45337 fixed an authorization bypass for misused ssh server configurations; if any other type of callback is passed other than public key, then the source-address validation would be skipped.

critical : CVE--2026--42508

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.368%
EPSS Percentile29th percentile
Description

Previously, a revoked 'SignatureKey' belonging to a CA was not correctly checked for revocation. Now, both the 'key' and 'key.SignatureKey' are checked for @Revoked.

critical : CVE--2026--39834

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.466%
EPSS Percentile37th percentile
Description

When writing data larger than 4GB in a single Write call on an SSH channel, an integer overflow in the internal payload size calculation caused the write loop to spin indefinitely, sending empty packets without making progress. The size comparison now uses int64 to prevent truncation.

critical : CVE--2026--39833

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.360%
EPSS Percentile28th percentile
Description

The in-memory keyring returned by NewKeyring() silently accepted keys with the ConfirmBeforeUse constraint but never enforced it. The key would sign without any confirmation prompt, with no indication to the caller that the constraint was not in effect. NewKeyring() now returns an error when unsupported constraints are requested.

critical : CVE--2026--39832

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.397%
EPSS Percentile32nd percentile
Description

When adding a key to a remote agent constraint extensions such as restrict-destination-v00@openssh.com were not serialized in the request. Destination restrictions were silently stripped when forwarding keys, allowing unrestricted use of the key on the remote host. The client now serializes all constraint extensions. Additionally, the in-memory keyring returned by NewKeyring() now rejects keys with unsupported constraint extensions instead of silently ignoring them.

critical : CVE--2026--39831

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.373%
EPSS Percentile29th percentile
Description

The Verify() method for FIDO/U2F security key types (sk-ecdsa-sha2-nistp256@openssh.com, sk-ssh-ed25519@openssh.com) did not check the User Presence flag. Signatures generated without physical touch were accepted, allowing unattended use of a hardware security key. To restore the previous behavior, return a "no-touch-required" extension in Permissions.Extensions from PublicKeyCallback.

critical : CVE--2026--39830

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.392%
EPSS Percentile31st percentile
Description

A malicious SSH peer could send unsolicited global request responses to fill an internal buffer, blocking the connection's read loop. The blocked goroutine could not be released by calling Close(), resulting in a resource leak per connection. Unsolicited global responses are now discarded.

high : CVE--2026--46597

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.359%
EPSS Percentile28th percentile
Description

An incorrectly placed cast from bytes to int allowed for server-side panic in the AES-GCM packet decoder for well-crafted inputs.

high : CVE--2026--39829

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.304%
EPSS Percentile22nd percentile
Description

The RSA and DSA public key parsers did not enforce size limits on key parameters. A crafted public key with an excessively large modulus or DSA parameter could cause several minutes of CPU consumption during signature verification. This could be triggered by unauthenticated clients during public key authentication. RSA moduli are now limited to 8192 bits, and DSA parameters are validated per FIPS 186-2.

medium : CVE--2026--39827

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.196%
EPSS Percentile10th percentile
Description

An authenticated SSH client that repeatedly opened channels which were rejected by the server caused unbounded memory growth, eventually crashing the server process and affecting all connected users. Rejected channels are now properly removed from the connection's internal state and released for garbage collection.

medium : CVE--2026--39828

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.175%
EPSS Percentile7th percentile
Description

When an SSH server authentication callback returned PartialSuccessError with non-nil Permissions, those permissions were silently discarded, potentially dropping certificate restrictions such as force-command after a second factor succeeded. Returning non-nil Permissions with PartialSuccessError now results in a connection error.

medium : CVE--2026--46598

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.313%
EPSS Percentile23rd percentile
Description

For certain crafted inputs, a 'ed25519.PrivateKey' was created by casting malformed wire bytes, leading to a panic when used.

medium : CVE--2026--39835

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.210%
EPSS Percentile11th percentile
Description

SSH servers which use CertChecker as a public key callback without setting IsUserAuthority or IsHostAuthority could be caused to panic by a client presenting a certificate. CertChecker now returns an error instead of panicking when these callbacks are nil.

critical: 1 high: 0 medium: 5 low: 0 golang.org/x/net 0.54.0 (golang)

pkg:golang/golang.org/x/net@0.54.0

# Dockerfile (272:272)
RUN set -o pipefail && curl https://getcroc.schollz.com | bash || curl https://getcroc.schollz.com | sed 's^croc_base_url="https://github.com/schollz/croc/releases/download"^croc_base_url="file://"^g' | bash

critical : CVE--2026--39821

Affected range<0.55.0
Fixed version0.55.0
EPSS Score0.344%
EPSS Percentile26th percentile
Description

The ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to an ASCII-only label. For example, ToUnicode("xn--example-.com") incorrectly returns the name "example.com" rather than an error.

This behavior can lead to privilege escalation in programs using the idna package. For example, a program which performs privilege checks on the ASCII hostname may reject "example.com" but permit "xn--example-.com". If that program subsequently converts the ASCII hostname to Unicode, it will inadvertently permits access to the Unicode name "example.com".

medium : CVE--2026--25680

Affected range<0.55.0
Fixed version0.55.0
EPSS Score0.248%
EPSS Percentile16th percentile
Description

Parsing arbitrary HTML can consume excessive CPU time, possibly leading to denial of service.

medium : CVE--2026--42506

Affected range<0.55.0
Fixed version0.55.0
EPSS Score0.188%
EPSS Percentile9th percentile
Description

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

medium : CVE--2026--42502

Affected range<0.55.0
Fixed version0.55.0
EPSS Score0.178%
EPSS Percentile8th percentile
Description

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

medium : CVE--2026--27136

Affected range<0.55.0
Fixed version0.55.0
EPSS Score0.178%
EPSS Percentile8th percentile
Description

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

medium : CVE--2026--25681

Affected range<0.55.0
Fixed version0.55.0
EPSS Score0.178%
EPSS Percentile8th percentile
Description

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

critical: 0 high: 1 medium: 2 low: 0 stdlib 1.25.10 (golang)

pkg:golang/stdlib@1.25.10

# Dockerfile (272:272)
RUN set -o pipefail && curl https://getcroc.schollz.com | bash || curl https://getcroc.schollz.com | sed 's^croc_base_url="https://github.com/schollz/croc/releases/download"^croc_base_url="file://"^g' | bash

high : CVE--2026--42504

Affected range<1.25.11
Fixed version1.25.11
EPSS Score0.560%
EPSS Percentile42nd percentile
Description

Decoding a maliciously-crafted MIME header containing many invalid encoded-words can consume excessive CPU.

medium : CVE--2026--27145

Affected range<1.25.11
Fixed version1.25.11
EPSS Score0.561%
EPSS Percentile42nd percentile
Description

(*x509.Certificate).VerifyHostname previously called matchHostnames in a loop over all DNS Subject Alternative Name (SAN) entries. This caused strings.Split(host, ".") to execute repeatedly on the same input hostname.

With a large DNS SAN list, verification costs scaled quadratically based on the number of SAN entries multiplied by the hostname's label count. Because x509.Verify validates hostnames before building the certificate chain, this overhead occurred even for untrusted certificates.

medium : CVE--2026--42507

Affected range<1.25.11
Fixed version1.25.11
EPSS Score0.370%
EPSS Percentile29th percentile
Description

When returning errors, functions in the net/textproto package would include its input as part of the error. This might allow an attacker to inject misleading content to errors that are printed or logged.

critical: 0 high: 0 medium: 5 low: 0 unspecified: 1jquery-ui 1.11.2 (npm)

pkg:npm/jquery-ui@1.11.2

# Dockerfile (258:258)
COPY --from=build /tmp/install /flightgear/script/dnc-managed/install

medium 6.5: CVE--2021--41184 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range<1.13.0
Fixed version1.13.0
CVSS Score6.5
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
EPSS Score42.847%
EPSS Percentile99th percentile
Description

Impact

Accepting the value of the of option of the .position() util from untrusted sources may execute untrusted code. For example, invoking the following code:

$( "#element" ).position( {
	my: "left top",
	at: "right bottom",
	of: "<img onerror='doEvilThing()' src='/404' />",
	collision: "none"
} );

will call the doEvilThing() function.

Patches

The issue is fixed in jQuery UI 1.13.0. Any string value passed to the of option is now treated as a CSS selector.

Workarounds

A workaround is to not accept the value of the of option from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

medium 6.5: CVE--2021--41183 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range<1.13.0
Fixed version1.13.0
CVSS Score6.5
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
EPSS Score7.948%
EPSS Percentile94th percentile
Description

Impact

Accepting the value of various *Text options of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker in the following way:

$( "#datepicker" ).datepicker( {
	showButtonPanel: true,
	showOn: "both",
	closeText: "<script>doEvilThing( 'closeText XSS' )</script>",
	currentText: "<script>doEvilThing( 'currentText XSS' )</script>",
	prevText: "<script>doEvilThing( 'prevText XSS' )</script>",
	nextText: "<script>doEvilThing( 'nextText XSS' )</script>",
	buttonText: "<script>doEvilThing( 'buttonText XSS' )</script>",
	appendText: "<script>doEvilThing( 'appendText XSS' )</script>",
} );

will call doEvilThing with 6 different parameters coming from all *Text options.

Patches

The issue is fixed in jQuery UI 1.13.0. The values passed to various *Text options are now always treated as pure text, not HTML.

Workarounds

A workaround is to not accept the value of the *Text options from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

medium 6.5: CVE--2021--41182 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range<1.13.0
Fixed version1.13.0
CVSS Score6.5
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
EPSS Score37.788%
EPSS Percentile98th percentile
Description

Impact

Accepting the value of the altField option of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker in the following way:

$( "#datepicker" ).datepicker( {
	altField: "<img onerror='doEvilThing()' src='/404' />",
} );

will call the doEvilThing function.

Patches

The issue is fixed in jQuery UI 1.13.0. Any string value passed to the altField option is now treated as a CSS selector.

Workarounds

A workaround is to not accept the value of the altField option from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

medium 6.1: CVE--2022--31160 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range<1.13.2
Fixed version1.13.2
CVSS Score6.1
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS Score1.933%
EPSS Percentile78th percentile
Description

Impact

Initializing a checkboxradio widget on an input enclosed within a label makes that parent label contents considered as the input label. If you call .checkboxradio( "refresh" ) on such a widget and the initial HTML contained encoded HTML entities, they will erroneously get decoded. This can lead to potentially executing JavaScript code.

For example, starting with the following initial secure HTML:

<label>
	<input id="test-input">
	&lt;img src=x onerror="alert(1)"&gt;
</label>

and calling:

$( "#test-input" ).checkboxradio();
$( "#test-input" ).checkboxradio( "refresh" );

will turn the initial HTML into:

<label>
	<!-- some jQuery UI elements -->
	<input id="test-input">
	<img src=x onerror="alert(1)">
</label>

and the alert will get executed.

Patches

The bug has been patched in jQuery UI 1.13.2.

Workarounds

To remediate the issue, if you can change the initial HTML, you can wrap all the non-input contents of the label in a span:

<label>
	<input id="test-input">
	<span>&lt;img src=x onerror="alert(1)"&gt;</span>
</label>

References

https://blog.jqueryui.com/2022/07/jquery-ui-1-13-2-released/

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

medium 6.1: CVE--2016--7103 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range<1.12.0
Fixed version1.12.0
CVSS Score6.1
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS Score22.580%
EPSS Percentile97th percentile
Description

Affected versions of jquery-ui are vulnerable to a cross-site scripting vulnerability when arbitrary user input is supplied as the value of the closeText parameter in the dialog function.

jQuery-UI is a library for manipulating UI elements via jQuery.

Version 1.11.4 has a cross site scripting (XSS) vulnerability in the closeText parameter of the dialog function. If your application passes user input to this parameter, it may be vulnerable to XSS via this attack vector.

Recommendation

Upgrade to jQuery-UI 1.12.0 or later.

unspecified : GMS--2016--46 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

Affected range<=1.11.4
Fixed version1.12.0
Description

jQuery-UI has a cross site scripting (XSS) vulnerability in the closeText parameter of the dialog function. If your application passes user input to this parameter, it may be vulnerable to XSS via this attack vector.

critical: 0 high: 0 medium: 1 low: 0 unspecified: 3libssh2-1t64 1.11.1-1 (deb)

pkg:deb/debian/libssh2-1t64@1.11.1-1?arch=amd64&distro=debian-13&upstream=libssh2

# Dockerfile (270:270)
RUN DEBIAN_FRONTEND=noninteractive apt-get update && apt --no-install-recommends install -y curl ca-certificates python3 python-is-python3 python3-pyqt5 libopengl0 && rm -rf /var/lib/apt/lists/* /var/cache/apt/*

medium : CVE--2026--7598

Affected range<1.11.1-1+deb13u1
Fixed version1.11.1-1+deb13u1
EPSS Score0.355%
EPSS Percentile27th percentile
Description

A security vulnerability has been detected in libssh2 up to 1.11.1. The impacted element is the function userauth_password of the file src/userauth.c. Such manipulation of the argument username_len/password_len leads to integer overflow. The attack may be launched remotely. The name of the patch is 256d04b60d80bf1190e96b0ad1e91b2174d744b1. A patch should be applied to remediate this issue.


unspecified : CVE--2026--55200

Affected range<1.11.1-1+deb13u1
Fixed version1.11.1-1+deb13u1
EPSS Score0.922%
EPSS Percentile56th percentile
Description

libssh2 through 1.11.1, fixed in commit 7acf3df contains an out-of-bounds write vulnerability in ssh2_transport_read() that fails to enforce upper bounds on packet_length field. Remote attackers can send crafted SSH packets with excessively large packet_length values to corrupt heap memory and achieve remote code execution.


unspecified : CVE--2026--55199

Affected range<1.11.1-1+deb13u1
Fixed version1.11.1-1+deb13u1
EPSS Score0.408%
EPSS Percentile33rd percentile
Description

libssh2 through 1.11.1, fixed in commit 1762685, contains a pre-authentication denial of service vulnerability in the SSH_MSG_EXT_INFO handler in src/packet.c that allows a malicious SSH server to cause a client CPU exhaustion loop by sending a crafted extension count value. A malicious server can set nr_extensions to 0xFFFFFFFF during key exchange, causing the client to spin in a tight CPU loop for over 60 seconds because return values from _libssh2_get_string() are unchecked and the session timeout does not apply to CPU-bound loops.


unspecified : CVE--2025--15661

Affected range<1.11.1-1+deb13u1
Fixed version1.11.1-1+deb13u1
EPSS Score0.267%
EPSS Percentile18th percentile
Description

libssh2 through 1.11.1, fixed in commit 2dae302, contains an out-of-bounds heap read vulnerability in the sftp_symlink() function in src/sftp.c that allows a malicious SSH server or man-in-the-middle attacker to disclose heap memory contents or cause a crash by sending a crafted SSH_FXP_NAME response. Attackers can supply a link_len value larger than the actual packet data in SSH_FXP_NAME responses for SFTP READLINK and REALPATH operations, triggering a heap buffer over-read of up to target_len minus one bytes due to the missing validation of available packet buffer size before the memcpy operation.


@github-actions

Copy link
Copy Markdown
Contributor

Recommended fixes for image (linux/amd64) jlp04/elevation-generator:latest

Base image is debian:latest

Name13.5
Digestsha256:ed49f2fa955a92dd859d7e2bdd101138b6db7ca855af572212d910d4e1445cc2
Vulnerabilitiescritical: 1 high: 2 medium: 3 low: 25 unspecified: 2
Pushed2 weeks ago
Size49 MB
Packages111
OS13.5
The base image is also available under the supported tag(s): 13, 13.5, trixie

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

✅ There are no tag recommendations at this time.

@github-actions

Copy link
Copy Markdown
Contributor
Your image jlp04/elevation-generator:latest critical: 8 high: 3 medium: 23 low: 45 unspecified: 18
Current base image debian:latest critical: 1 high: 2 medium: 3 low: 25 unspecified: 2

@github-actions

Copy link
Copy Markdown
Contributor

🔍 Vulnerabilities of jlp04/elevation-generator:latest

📦 Image Reference jlp04/elevation-generator:latest
digestsha256:f365c5186036a8ddf75e2eef719fdc06353e156927065013bed1f6485a808395
vulnerabilitiescritical: 8 high: 3 medium: 17 low: 0 unspecified: 4
platformlinux/arm/v5
size9.4 GB
packages947
📦 Base Image debian:13
also known as
  • 13.5
  • latest
  • trixie
  • trixie-20260610
digestsha256:5e0501ac7a3d3600621a63da8b4d70a9d8cd913b2f368cdba18c8dcae36b9173
vulnerabilitiescritical: 1 high: 2 medium: 3 low: 25 unspecified: 2
critical: 7 high: 2 medium: 4 low: 0 golang.org/x/crypto 0.51.0 (golang)

pkg:golang/golang.org/x/crypto@0.51.0

# Dockerfile (272:272)
RUN set -o pipefail && curl https://getcroc.schollz.com | bash || curl https://getcroc.schollz.com | sed 's^croc_base_url="https://github.com/schollz/croc/releases/download"^croc_base_url="file://"^g' | bash

critical : CVE--2026--46595

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.385%
EPSS Percentile30th percentile
Description

Previously, CVE-2024-45337 fixed an authorization bypass for misused ssh server configurations; if any other type of callback is passed other than public key, then the source-address validation would be skipped.

critical : CVE--2026--42508

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.368%
EPSS Percentile29th percentile
Description

Previously, a revoked 'SignatureKey' belonging to a CA was not correctly checked for revocation. Now, both the 'key' and 'key.SignatureKey' are checked for @Revoked.

critical : CVE--2026--39834

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.466%
EPSS Percentile37th percentile
Description

When writing data larger than 4GB in a single Write call on an SSH channel, an integer overflow in the internal payload size calculation caused the write loop to spin indefinitely, sending empty packets without making progress. The size comparison now uses int64 to prevent truncation.

critical : CVE--2026--39833

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.360%
EPSS Percentile28th percentile
Description

The in-memory keyring returned by NewKeyring() silently accepted keys with the ConfirmBeforeUse constraint but never enforced it. The key would sign without any confirmation prompt, with no indication to the caller that the constraint was not in effect. NewKeyring() now returns an error when unsupported constraints are requested.

critical : CVE--2026--39832

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.397%
EPSS Percentile32nd percentile
Description

When adding a key to a remote agent constraint extensions such as restrict-destination-v00@openssh.com were not serialized in the request. Destination restrictions were silently stripped when forwarding keys, allowing unrestricted use of the key on the remote host. The client now serializes all constraint extensions. Additionally, the in-memory keyring returned by NewKeyring() now rejects keys with unsupported constraint extensions instead of silently ignoring them.

critical : CVE--2026--39831

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.373%
EPSS Percentile29th percentile
Description

The Verify() method for FIDO/U2F security key types (sk-ecdsa-sha2-nistp256@openssh.com, sk-ssh-ed25519@openssh.com) did not check the User Presence flag. Signatures generated without physical touch were accepted, allowing unattended use of a hardware security key. To restore the previous behavior, return a "no-touch-required" extension in Permissions.Extensions from PublicKeyCallback.

critical : CVE--2026--39830

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.392%
EPSS Percentile31st percentile
Description

A malicious SSH peer could send unsolicited global request responses to fill an internal buffer, blocking the connection's read loop. The blocked goroutine could not be released by calling Close(), resulting in a resource leak per connection. Unsolicited global responses are now discarded.

high : CVE--2026--46597

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.359%
EPSS Percentile28th percentile
Description

An incorrectly placed cast from bytes to int allowed for server-side panic in the AES-GCM packet decoder for well-crafted inputs.

high : CVE--2026--39829

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.304%
EPSS Percentile22nd percentile
Description

The RSA and DSA public key parsers did not enforce size limits on key parameters. A crafted public key with an excessively large modulus or DSA parameter could cause several minutes of CPU consumption during signature verification. This could be triggered by unauthenticated clients during public key authentication. RSA moduli are now limited to 8192 bits, and DSA parameters are validated per FIPS 186-2.

medium : CVE--2026--39827

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.196%
EPSS Percentile10th percentile
Description

An authenticated SSH client that repeatedly opened channels which were rejected by the server caused unbounded memory growth, eventually crashing the server process and affecting all connected users. Rejected channels are now properly removed from the connection's internal state and released for garbage collection.

medium : CVE--2026--39828

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.175%
EPSS Percentile7th percentile
Description

When an SSH server authentication callback returned PartialSuccessError with non-nil Permissions, those permissions were silently discarded, potentially dropping certificate restrictions such as force-command after a second factor succeeded. Returning non-nil Permissions with PartialSuccessError now results in a connection error.

medium : CVE--2026--46598

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.313%
EPSS Percentile23rd percentile
Description

For certain crafted inputs, a 'ed25519.PrivateKey' was created by casting malformed wire bytes, leading to a panic when used.

medium : CVE--2026--39835

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.210%
EPSS Percentile11th percentile
Description

SSH servers which use CertChecker as a public key callback without setting IsUserAuthority or IsHostAuthority could be caused to panic by a client presenting a certificate. CertChecker now returns an error instead of panicking when these callbacks are nil.

critical: 1 high: 0 medium: 5 low: 0 golang.org/x/net 0.54.0 (golang)

pkg:golang/golang.org/x/net@0.54.0

# Dockerfile (272:272)
RUN set -o pipefail && curl https://getcroc.schollz.com | bash || curl https://getcroc.schollz.com | sed 's^croc_base_url="https://github.com/schollz/croc/releases/download"^croc_base_url="file://"^g' | bash

critical : CVE--2026--39821

Affected range<0.55.0
Fixed version0.55.0
EPSS Score0.344%
EPSS Percentile26th percentile
Description

The ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to an ASCII-only label. For example, ToUnicode("xn--example-.com") incorrectly returns the name "example.com" rather than an error.

This behavior can lead to privilege escalation in programs using the idna package. For example, a program which performs privilege checks on the ASCII hostname may reject "example.com" but permit "xn--example-.com". If that program subsequently converts the ASCII hostname to Unicode, it will inadvertently permits access to the Unicode name "example.com".

medium : CVE--2026--25680

Affected range<0.55.0
Fixed version0.55.0
EPSS Score0.248%
EPSS Percentile16th percentile
Description

Parsing arbitrary HTML can consume excessive CPU time, possibly leading to denial of service.

medium : CVE--2026--42506

Affected range<0.55.0
Fixed version0.55.0
EPSS Score0.188%
EPSS Percentile9th percentile
Description

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

medium : CVE--2026--42502

Affected range<0.55.0
Fixed version0.55.0
EPSS Score0.178%
EPSS Percentile8th percentile
Description

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

medium : CVE--2026--27136

Affected range<0.55.0
Fixed version0.55.0
EPSS Score0.178%
EPSS Percentile8th percentile
Description

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

medium : CVE--2026--25681

Affected range<0.55.0
Fixed version0.55.0
EPSS Score0.178%
EPSS Percentile8th percentile
Description

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

critical: 0 high: 1 medium: 2 low: 0 stdlib 1.25.10 (golang)

pkg:golang/stdlib@1.25.10

# Dockerfile (272:272)
RUN set -o pipefail && curl https://getcroc.schollz.com | bash || curl https://getcroc.schollz.com | sed 's^croc_base_url="https://github.com/schollz/croc/releases/download"^croc_base_url="file://"^g' | bash

high : CVE--2026--42504

Affected range<1.25.11
Fixed version1.25.11
EPSS Score0.560%
EPSS Percentile42nd percentile
Description

Decoding a maliciously-crafted MIME header containing many invalid encoded-words can consume excessive CPU.

medium : CVE--2026--27145

Affected range<1.25.11
Fixed version1.25.11
EPSS Score0.561%
EPSS Percentile42nd percentile
Description

(*x509.Certificate).VerifyHostname previously called matchHostnames in a loop over all DNS Subject Alternative Name (SAN) entries. This caused strings.Split(host, ".") to execute repeatedly on the same input hostname.

With a large DNS SAN list, verification costs scaled quadratically based on the number of SAN entries multiplied by the hostname's label count. Because x509.Verify validates hostnames before building the certificate chain, this overhead occurred even for untrusted certificates.

medium : CVE--2026--42507

Affected range<1.25.11
Fixed version1.25.11
EPSS Score0.370%
EPSS Percentile29th percentile
Description

When returning errors, functions in the net/textproto package would include its input as part of the error. This might allow an attacker to inject misleading content to errors that are printed or logged.

critical: 0 high: 0 medium: 5 low: 0 unspecified: 1jquery-ui 1.11.2 (npm)

pkg:npm/jquery-ui@1.11.2

# Dockerfile (258:258)
COPY --from=build /tmp/install /flightgear/script/dnc-managed/install

medium 6.5: CVE--2021--41184 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range<1.13.0
Fixed version1.13.0
CVSS Score6.5
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
EPSS Score42.847%
EPSS Percentile99th percentile
Description

Impact

Accepting the value of the of option of the .position() util from untrusted sources may execute untrusted code. For example, invoking the following code:

$( "#element" ).position( {
	my: "left top",
	at: "right bottom",
	of: "<img onerror='doEvilThing()' src='/404' />",
	collision: "none"
} );

will call the doEvilThing() function.

Patches

The issue is fixed in jQuery UI 1.13.0. Any string value passed to the of option is now treated as a CSS selector.

Workarounds

A workaround is to not accept the value of the of option from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

medium 6.5: CVE--2021--41183 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range<1.13.0
Fixed version1.13.0
CVSS Score6.5
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
EPSS Score7.948%
EPSS Percentile94th percentile
Description

Impact

Accepting the value of various *Text options of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker in the following way:

$( "#datepicker" ).datepicker( {
	showButtonPanel: true,
	showOn: "both",
	closeText: "<script>doEvilThing( 'closeText XSS' )</script>",
	currentText: "<script>doEvilThing( 'currentText XSS' )</script>",
	prevText: "<script>doEvilThing( 'prevText XSS' )</script>",
	nextText: "<script>doEvilThing( 'nextText XSS' )</script>",
	buttonText: "<script>doEvilThing( 'buttonText XSS' )</script>",
	appendText: "<script>doEvilThing( 'appendText XSS' )</script>",
} );

will call doEvilThing with 6 different parameters coming from all *Text options.

Patches

The issue is fixed in jQuery UI 1.13.0. The values passed to various *Text options are now always treated as pure text, not HTML.

Workarounds

A workaround is to not accept the value of the *Text options from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

medium 6.5: CVE--2021--41182 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range<1.13.0
Fixed version1.13.0
CVSS Score6.5
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
EPSS Score37.788%
EPSS Percentile98th percentile
Description

Impact

Accepting the value of the altField option of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker in the following way:

$( "#datepicker" ).datepicker( {
	altField: "<img onerror='doEvilThing()' src='/404' />",
} );

will call the doEvilThing function.

Patches

The issue is fixed in jQuery UI 1.13.0. Any string value passed to the altField option is now treated as a CSS selector.

Workarounds

A workaround is to not accept the value of the altField option from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

medium 6.1: CVE--2022--31160 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range<1.13.2
Fixed version1.13.2
CVSS Score6.1
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS Score1.933%
EPSS Percentile78th percentile
Description

Impact

Initializing a checkboxradio widget on an input enclosed within a label makes that parent label contents considered as the input label. If you call .checkboxradio( "refresh" ) on such a widget and the initial HTML contained encoded HTML entities, they will erroneously get decoded. This can lead to potentially executing JavaScript code.

For example, starting with the following initial secure HTML:

<label>
	<input id="test-input">
	&lt;img src=x onerror="alert(1)"&gt;
</label>

and calling:

$( "#test-input" ).checkboxradio();
$( "#test-input" ).checkboxradio( "refresh" );

will turn the initial HTML into:

<label>
	<!-- some jQuery UI elements -->
	<input id="test-input">
	<img src=x onerror="alert(1)">
</label>

and the alert will get executed.

Patches

The bug has been patched in jQuery UI 1.13.2.

Workarounds

To remediate the issue, if you can change the initial HTML, you can wrap all the non-input contents of the label in a span:

<label>
	<input id="test-input">
	<span>&lt;img src=x onerror="alert(1)"&gt;</span>
</label>

References

https://blog.jqueryui.com/2022/07/jquery-ui-1-13-2-released/

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

medium 6.1: CVE--2016--7103 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range<1.12.0
Fixed version1.12.0
CVSS Score6.1
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS Score22.580%
EPSS Percentile97th percentile
Description

Affected versions of jquery-ui are vulnerable to a cross-site scripting vulnerability when arbitrary user input is supplied as the value of the closeText parameter in the dialog function.

jQuery-UI is a library for manipulating UI elements via jQuery.

Version 1.11.4 has a cross site scripting (XSS) vulnerability in the closeText parameter of the dialog function. If your application passes user input to this parameter, it may be vulnerable to XSS via this attack vector.

Recommendation

Upgrade to jQuery-UI 1.12.0 or later.

unspecified : GMS--2016--46 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

Affected range<=1.11.4
Fixed version1.12.0
Description

jQuery-UI has a cross site scripting (XSS) vulnerability in the closeText parameter of the dialog function. If your application passes user input to this parameter, it may be vulnerable to XSS via this attack vector.

critical: 0 high: 0 medium: 1 low: 0 unspecified: 3libssh2-1t64 1.11.1-1 (deb)

pkg:deb/debian/libssh2-1t64@1.11.1-1?arch=armel&distro=debian-13&upstream=libssh2

# Dockerfile (270:270)
RUN DEBIAN_FRONTEND=noninteractive apt-get update && apt --no-install-recommends install -y curl ca-certificates python3 python-is-python3 python3-pyqt5 libopengl0 && rm -rf /var/lib/apt/lists/* /var/cache/apt/*

medium : CVE--2026--7598

Affected range<1.11.1-1+deb13u1
Fixed version1.11.1-1+deb13u1
EPSS Score0.355%
EPSS Percentile27th percentile
Description

A security vulnerability has been detected in libssh2 up to 1.11.1. The impacted element is the function userauth_password of the file src/userauth.c. Such manipulation of the argument username_len/password_len leads to integer overflow. The attack may be launched remotely. The name of the patch is 256d04b60d80bf1190e96b0ad1e91b2174d744b1. A patch should be applied to remediate this issue.


unspecified : CVE--2026--55200

Affected range<1.11.1-1+deb13u1
Fixed version1.11.1-1+deb13u1
EPSS Score0.922%
EPSS Percentile56th percentile
Description

libssh2 through 1.11.1, fixed in commit 7acf3df contains an out-of-bounds write vulnerability in ssh2_transport_read() that fails to enforce upper bounds on packet_length field. Remote attackers can send crafted SSH packets with excessively large packet_length values to corrupt heap memory and achieve remote code execution.


unspecified : CVE--2026--55199

Affected range<1.11.1-1+deb13u1
Fixed version1.11.1-1+deb13u1
EPSS Score0.408%
EPSS Percentile33rd percentile
Description

libssh2 through 1.11.1, fixed in commit 1762685, contains a pre-authentication denial of service vulnerability in the SSH_MSG_EXT_INFO handler in src/packet.c that allows a malicious SSH server to cause a client CPU exhaustion loop by sending a crafted extension count value. A malicious server can set nr_extensions to 0xFFFFFFFF during key exchange, causing the client to spin in a tight CPU loop for over 60 seconds because return values from _libssh2_get_string() are unchecked and the session timeout does not apply to CPU-bound loops.


unspecified : CVE--2025--15661

Affected range<1.11.1-1+deb13u1
Fixed version1.11.1-1+deb13u1
EPSS Score0.267%
EPSS Percentile18th percentile
Description

libssh2 through 1.11.1, fixed in commit 2dae302, contains an out-of-bounds heap read vulnerability in the sftp_symlink() function in src/sftp.c that allows a malicious SSH server or man-in-the-middle attacker to disclose heap memory contents or cause a crash by sending a crafted SSH_FXP_NAME response. Attackers can supply a link_len value larger than the actual packet data in SSH_FXP_NAME responses for SFTP READLINK and REALPATH operations, triggering a heap buffer over-read of up to target_len minus one bytes due to the missing validation of available packet buffer size before the memcpy operation.


@github-actions

Copy link
Copy Markdown
Contributor

Recommended fixes for image (linux/arm/v5) jlp04/elevation-generator:latest

Base image is debian:latest

Name13.5
Digestsha256:5e0501ac7a3d3600621a63da8b4d70a9d8cd913b2f368cdba18c8dcae36b9173
Vulnerabilitiescritical: 1 high: 2 medium: 3 low: 25 unspecified: 2
Pushed2 weeks ago
Size48 MB
Packages112
OS13.5
The base image is also available under the supported tag(s): 13, 13.5, trixie

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

✅ There are no tag recommendations at this time.

@github-actions

Copy link
Copy Markdown
Contributor
Your image jlp04/elevation-generator:latest critical: 8 high: 3 medium: 23 low: 45 unspecified: 18
Current base image debian:latest critical: 1 high: 2 medium: 3 low: 25 unspecified: 2

@github-actions

Copy link
Copy Markdown
Contributor

🔍 Vulnerabilities of jlp04/elevation-generator:latest

📦 Image Reference jlp04/elevation-generator:latest
digestsha256:75612312165a2a627e5db345c2019266b03fe1cb2381c80e367afec0d9f1303b
vulnerabilitiescritical: 8 high: 3 medium: 17 low: 0 unspecified: 4
platformlinux/arm/v7
size9.4 GB
packages946
📦 Base Image debian:13
also known as
  • 13.5
  • latest
  • trixie
  • trixie-20260610
digestsha256:c5d1e60f16e61e490418bcbc4e5e69bd1173cb2bed2d148c4716e9eb428ce5b1
vulnerabilitiescritical: 1 high: 2 medium: 3 low: 25 unspecified: 2
critical: 7 high: 2 medium: 4 low: 0 golang.org/x/crypto 0.51.0 (golang)

pkg:golang/golang.org/x/crypto@0.51.0

# Dockerfile (272:272)
RUN set -o pipefail && curl https://getcroc.schollz.com | bash || curl https://getcroc.schollz.com | sed 's^croc_base_url="https://github.com/schollz/croc/releases/download"^croc_base_url="file://"^g' | bash

critical : CVE--2026--46595

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.385%
EPSS Percentile30th percentile
Description

Previously, CVE-2024-45337 fixed an authorization bypass for misused ssh server configurations; if any other type of callback is passed other than public key, then the source-address validation would be skipped.

critical : CVE--2026--42508

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.368%
EPSS Percentile29th percentile
Description

Previously, a revoked 'SignatureKey' belonging to a CA was not correctly checked for revocation. Now, both the 'key' and 'key.SignatureKey' are checked for @Revoked.

critical : CVE--2026--39834

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.466%
EPSS Percentile37th percentile
Description

When writing data larger than 4GB in a single Write call on an SSH channel, an integer overflow in the internal payload size calculation caused the write loop to spin indefinitely, sending empty packets without making progress. The size comparison now uses int64 to prevent truncation.

critical : CVE--2026--39833

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.360%
EPSS Percentile28th percentile
Description

The in-memory keyring returned by NewKeyring() silently accepted keys with the ConfirmBeforeUse constraint but never enforced it. The key would sign without any confirmation prompt, with no indication to the caller that the constraint was not in effect. NewKeyring() now returns an error when unsupported constraints are requested.

critical : CVE--2026--39832

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.397%
EPSS Percentile32nd percentile
Description

When adding a key to a remote agent constraint extensions such as restrict-destination-v00@openssh.com were not serialized in the request. Destination restrictions were silently stripped when forwarding keys, allowing unrestricted use of the key on the remote host. The client now serializes all constraint extensions. Additionally, the in-memory keyring returned by NewKeyring() now rejects keys with unsupported constraint extensions instead of silently ignoring them.

critical : CVE--2026--39831

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.373%
EPSS Percentile29th percentile
Description

The Verify() method for FIDO/U2F security key types (sk-ecdsa-sha2-nistp256@openssh.com, sk-ssh-ed25519@openssh.com) did not check the User Presence flag. Signatures generated without physical touch were accepted, allowing unattended use of a hardware security key. To restore the previous behavior, return a "no-touch-required" extension in Permissions.Extensions from PublicKeyCallback.

critical : CVE--2026--39830

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.392%
EPSS Percentile31st percentile
Description

A malicious SSH peer could send unsolicited global request responses to fill an internal buffer, blocking the connection's read loop. The blocked goroutine could not be released by calling Close(), resulting in a resource leak per connection. Unsolicited global responses are now discarded.

high : CVE--2026--46597

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.359%
EPSS Percentile28th percentile
Description

An incorrectly placed cast from bytes to int allowed for server-side panic in the AES-GCM packet decoder for well-crafted inputs.

high : CVE--2026--39829

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.304%
EPSS Percentile22nd percentile
Description

The RSA and DSA public key parsers did not enforce size limits on key parameters. A crafted public key with an excessively large modulus or DSA parameter could cause several minutes of CPU consumption during signature verification. This could be triggered by unauthenticated clients during public key authentication. RSA moduli are now limited to 8192 bits, and DSA parameters are validated per FIPS 186-2.

medium : CVE--2026--39827

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.196%
EPSS Percentile10th percentile
Description

An authenticated SSH client that repeatedly opened channels which were rejected by the server caused unbounded memory growth, eventually crashing the server process and affecting all connected users. Rejected channels are now properly removed from the connection's internal state and released for garbage collection.

medium : CVE--2026--39828

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.175%
EPSS Percentile7th percentile
Description

When an SSH server authentication callback returned PartialSuccessError with non-nil Permissions, those permissions were silently discarded, potentially dropping certificate restrictions such as force-command after a second factor succeeded. Returning non-nil Permissions with PartialSuccessError now results in a connection error.

medium : CVE--2026--46598

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.313%
EPSS Percentile23rd percentile
Description

For certain crafted inputs, a 'ed25519.PrivateKey' was created by casting malformed wire bytes, leading to a panic when used.

medium : CVE--2026--39835

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.210%
EPSS Percentile11th percentile
Description

SSH servers which use CertChecker as a public key callback without setting IsUserAuthority or IsHostAuthority could be caused to panic by a client presenting a certificate. CertChecker now returns an error instead of panicking when these callbacks are nil.

critical: 1 high: 0 medium: 5 low: 0 golang.org/x/net 0.54.0 (golang)

pkg:golang/golang.org/x/net@0.54.0

# Dockerfile (272:272)
RUN set -o pipefail && curl https://getcroc.schollz.com | bash || curl https://getcroc.schollz.com | sed 's^croc_base_url="https://github.com/schollz/croc/releases/download"^croc_base_url="file://"^g' | bash

critical : CVE--2026--39821

Affected range<0.55.0
Fixed version0.55.0
EPSS Score0.344%
EPSS Percentile26th percentile
Description

The ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to an ASCII-only label. For example, ToUnicode("xn--example-.com") incorrectly returns the name "example.com" rather than an error.

This behavior can lead to privilege escalation in programs using the idna package. For example, a program which performs privilege checks on the ASCII hostname may reject "example.com" but permit "xn--example-.com". If that program subsequently converts the ASCII hostname to Unicode, it will inadvertently permits access to the Unicode name "example.com".

medium : CVE--2026--25680

Affected range<0.55.0
Fixed version0.55.0
EPSS Score0.248%
EPSS Percentile16th percentile
Description

Parsing arbitrary HTML can consume excessive CPU time, possibly leading to denial of service.

medium : CVE--2026--42506

Affected range<0.55.0
Fixed version0.55.0
EPSS Score0.188%
EPSS Percentile9th percentile
Description

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

medium : CVE--2026--42502

Affected range<0.55.0
Fixed version0.55.0
EPSS Score0.178%
EPSS Percentile8th percentile
Description

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

medium : CVE--2026--27136

Affected range<0.55.0
Fixed version0.55.0
EPSS Score0.178%
EPSS Percentile8th percentile
Description

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

medium : CVE--2026--25681

Affected range<0.55.0
Fixed version0.55.0
EPSS Score0.178%
EPSS Percentile8th percentile
Description

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

critical: 0 high: 1 medium: 2 low: 0 stdlib 1.25.10 (golang)

pkg:golang/stdlib@1.25.10

# Dockerfile (272:272)
RUN set -o pipefail && curl https://getcroc.schollz.com | bash || curl https://getcroc.schollz.com | sed 's^croc_base_url="https://github.com/schollz/croc/releases/download"^croc_base_url="file://"^g' | bash

high : CVE--2026--42504

Affected range<1.25.11
Fixed version1.25.11
EPSS Score0.560%
EPSS Percentile42nd percentile
Description

Decoding a maliciously-crafted MIME header containing many invalid encoded-words can consume excessive CPU.

medium : CVE--2026--27145

Affected range<1.25.11
Fixed version1.25.11
EPSS Score0.561%
EPSS Percentile42nd percentile
Description

(*x509.Certificate).VerifyHostname previously called matchHostnames in a loop over all DNS Subject Alternative Name (SAN) entries. This caused strings.Split(host, ".") to execute repeatedly on the same input hostname.

With a large DNS SAN list, verification costs scaled quadratically based on the number of SAN entries multiplied by the hostname's label count. Because x509.Verify validates hostnames before building the certificate chain, this overhead occurred even for untrusted certificates.

medium : CVE--2026--42507

Affected range<1.25.11
Fixed version1.25.11
EPSS Score0.370%
EPSS Percentile29th percentile
Description

When returning errors, functions in the net/textproto package would include its input as part of the error. This might allow an attacker to inject misleading content to errors that are printed or logged.

critical: 0 high: 0 medium: 5 low: 0 unspecified: 1jquery-ui 1.11.2 (npm)

pkg:npm/jquery-ui@1.11.2

# Dockerfile (258:258)
COPY --from=build /tmp/install /flightgear/script/dnc-managed/install

medium 6.5: CVE--2021--41184 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range<1.13.0
Fixed version1.13.0
CVSS Score6.5
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
EPSS Score42.847%
EPSS Percentile99th percentile
Description

Impact

Accepting the value of the of option of the .position() util from untrusted sources may execute untrusted code. For example, invoking the following code:

$( "#element" ).position( {
	my: "left top",
	at: "right bottom",
	of: "<img onerror='doEvilThing()' src='/404' />",
	collision: "none"
} );

will call the doEvilThing() function.

Patches

The issue is fixed in jQuery UI 1.13.0. Any string value passed to the of option is now treated as a CSS selector.

Workarounds

A workaround is to not accept the value of the of option from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

medium 6.5: CVE--2021--41183 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range<1.13.0
Fixed version1.13.0
CVSS Score6.5
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
EPSS Score7.948%
EPSS Percentile94th percentile
Description

Impact

Accepting the value of various *Text options of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker in the following way:

$( "#datepicker" ).datepicker( {
	showButtonPanel: true,
	showOn: "both",
	closeText: "<script>doEvilThing( 'closeText XSS' )</script>",
	currentText: "<script>doEvilThing( 'currentText XSS' )</script>",
	prevText: "<script>doEvilThing( 'prevText XSS' )</script>",
	nextText: "<script>doEvilThing( 'nextText XSS' )</script>",
	buttonText: "<script>doEvilThing( 'buttonText XSS' )</script>",
	appendText: "<script>doEvilThing( 'appendText XSS' )</script>",
} );

will call doEvilThing with 6 different parameters coming from all *Text options.

Patches

The issue is fixed in jQuery UI 1.13.0. The values passed to various *Text options are now always treated as pure text, not HTML.

Workarounds

A workaround is to not accept the value of the *Text options from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

medium 6.5: CVE--2021--41182 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range<1.13.0
Fixed version1.13.0
CVSS Score6.5
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
EPSS Score37.788%
EPSS Percentile98th percentile
Description

Impact

Accepting the value of the altField option of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker in the following way:

$( "#datepicker" ).datepicker( {
	altField: "<img onerror='doEvilThing()' src='/404' />",
} );

will call the doEvilThing function.

Patches

The issue is fixed in jQuery UI 1.13.0. Any string value passed to the altField option is now treated as a CSS selector.

Workarounds

A workaround is to not accept the value of the altField option from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

medium 6.1: CVE--2022--31160 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range<1.13.2
Fixed version1.13.2
CVSS Score6.1
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS Score1.933%
EPSS Percentile78th percentile
Description

Impact

Initializing a checkboxradio widget on an input enclosed within a label makes that parent label contents considered as the input label. If you call .checkboxradio( "refresh" ) on such a widget and the initial HTML contained encoded HTML entities, they will erroneously get decoded. This can lead to potentially executing JavaScript code.

For example, starting with the following initial secure HTML:

<label>
	<input id="test-input">
	&lt;img src=x onerror="alert(1)"&gt;
</label>

and calling:

$( "#test-input" ).checkboxradio();
$( "#test-input" ).checkboxradio( "refresh" );

will turn the initial HTML into:

<label>
	<!-- some jQuery UI elements -->
	<input id="test-input">
	<img src=x onerror="alert(1)">
</label>

and the alert will get executed.

Patches

The bug has been patched in jQuery UI 1.13.2.

Workarounds

To remediate the issue, if you can change the initial HTML, you can wrap all the non-input contents of the label in a span:

<label>
	<input id="test-input">
	<span>&lt;img src=x onerror="alert(1)"&gt;</span>
</label>

References

https://blog.jqueryui.com/2022/07/jquery-ui-1-13-2-released/

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

medium 6.1: CVE--2016--7103 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range<1.12.0
Fixed version1.12.0
CVSS Score6.1
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS Score22.580%
EPSS Percentile97th percentile
Description

Affected versions of jquery-ui are vulnerable to a cross-site scripting vulnerability when arbitrary user input is supplied as the value of the closeText parameter in the dialog function.

jQuery-UI is a library for manipulating UI elements via jQuery.

Version 1.11.4 has a cross site scripting (XSS) vulnerability in the closeText parameter of the dialog function. If your application passes user input to this parameter, it may be vulnerable to XSS via this attack vector.

Recommendation

Upgrade to jQuery-UI 1.12.0 or later.

unspecified : GMS--2016--46 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

Affected range<=1.11.4
Fixed version1.12.0
Description

jQuery-UI has a cross site scripting (XSS) vulnerability in the closeText parameter of the dialog function. If your application passes user input to this parameter, it may be vulnerable to XSS via this attack vector.

critical: 0 high: 0 medium: 1 low: 0 unspecified: 3libssh2-1t64 1.11.1-1 (deb)

pkg:deb/debian/libssh2-1t64@1.11.1-1?arch=armhf&distro=debian-13&upstream=libssh2

# Dockerfile (270:270)
RUN DEBIAN_FRONTEND=noninteractive apt-get update && apt --no-install-recommends install -y curl ca-certificates python3 python-is-python3 python3-pyqt5 libopengl0 && rm -rf /var/lib/apt/lists/* /var/cache/apt/*

medium : CVE--2026--7598

Affected range<1.11.1-1+deb13u1
Fixed version1.11.1-1+deb13u1
EPSS Score0.355%
EPSS Percentile27th percentile
Description

A security vulnerability has been detected in libssh2 up to 1.11.1. The impacted element is the function userauth_password of the file src/userauth.c. Such manipulation of the argument username_len/password_len leads to integer overflow. The attack may be launched remotely. The name of the patch is 256d04b60d80bf1190e96b0ad1e91b2174d744b1. A patch should be applied to remediate this issue.


unspecified : CVE--2026--55200

Affected range<1.11.1-1+deb13u1
Fixed version1.11.1-1+deb13u1
EPSS Score0.922%
EPSS Percentile56th percentile
Description

libssh2 through 1.11.1, fixed in commit 7acf3df contains an out-of-bounds write vulnerability in ssh2_transport_read() that fails to enforce upper bounds on packet_length field. Remote attackers can send crafted SSH packets with excessively large packet_length values to corrupt heap memory and achieve remote code execution.


unspecified : CVE--2026--55199

Affected range<1.11.1-1+deb13u1
Fixed version1.11.1-1+deb13u1
EPSS Score0.408%
EPSS Percentile33rd percentile
Description

libssh2 through 1.11.1, fixed in commit 1762685, contains a pre-authentication denial of service vulnerability in the SSH_MSG_EXT_INFO handler in src/packet.c that allows a malicious SSH server to cause a client CPU exhaustion loop by sending a crafted extension count value. A malicious server can set nr_extensions to 0xFFFFFFFF during key exchange, causing the client to spin in a tight CPU loop for over 60 seconds because return values from _libssh2_get_string() are unchecked and the session timeout does not apply to CPU-bound loops.


unspecified : CVE--2025--15661

Affected range<1.11.1-1+deb13u1
Fixed version1.11.1-1+deb13u1
EPSS Score0.267%
EPSS Percentile18th percentile
Description

libssh2 through 1.11.1, fixed in commit 2dae302, contains an out-of-bounds heap read vulnerability in the sftp_symlink() function in src/sftp.c that allows a malicious SSH server or man-in-the-middle attacker to disclose heap memory contents or cause a crash by sending a crafted SSH_FXP_NAME response. Attackers can supply a link_len value larger than the actual packet data in SSH_FXP_NAME responses for SFTP READLINK and REALPATH operations, triggering a heap buffer over-read of up to target_len minus one bytes due to the missing validation of available packet buffer size before the memcpy operation.


@github-actions

Copy link
Copy Markdown
Contributor

Recommended fixes for image (linux/arm/v7) jlp04/elevation-generator:latest

Base image is debian:latest

Name13.5
Digestsha256:c5d1e60f16e61e490418bcbc4e5e69bd1173cb2bed2d148c4716e9eb428ce5b1
Vulnerabilitiescritical: 1 high: 2 medium: 3 low: 25 unspecified: 2
Pushed2 weeks ago
Size46 MB
Packages111
OS13.5
The base image is also available under the supported tag(s): 13, 13.5, trixie

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

✅ There are no tag recommendations at this time.

@github-actions

Copy link
Copy Markdown
Contributor
Your image jlp04/elevation-generator:latest critical: 8 high: 3 medium: 23 low: 45 unspecified: 18
Current base image debian:latest critical: 1 high: 2 medium: 3 low: 25 unspecified: 2

@github-actions

Copy link
Copy Markdown
Contributor

🔍 Vulnerabilities of jlp04/elevation-generator:latest

📦 Image Reference jlp04/elevation-generator:latest
digestsha256:07a673edc773d023fd8382f87f4e021e4b5b071020894e4237a5638f1e0cb480
vulnerabilitiescritical: 8 high: 3 medium: 17 low: 0 unspecified: 4
platformlinux/arm64
size9.4 GB
packages960
📦 Base Image debian:13
also known as
  • 13.5
  • latest
  • trixie
  • trixie-20260610
digestsha256:b407d8d85413b48428f0fccb4349113d50b07ab20342d991f351e8679950fa8e
vulnerabilitiescritical: 1 high: 2 medium: 3 low: 25 unspecified: 2
critical: 7 high: 2 medium: 4 low: 0 golang.org/x/crypto 0.51.0 (golang)

pkg:golang/golang.org/x/crypto@0.51.0

# Dockerfile (272:272)
RUN set -o pipefail && curl https://getcroc.schollz.com | bash || curl https://getcroc.schollz.com | sed 's^croc_base_url="https://github.com/schollz/croc/releases/download"^croc_base_url="file://"^g' | bash

critical : CVE--2026--46595

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.385%
EPSS Percentile30th percentile
Description

Previously, CVE-2024-45337 fixed an authorization bypass for misused ssh server configurations; if any other type of callback is passed other than public key, then the source-address validation would be skipped.

critical : CVE--2026--42508

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.368%
EPSS Percentile29th percentile
Description

Previously, a revoked 'SignatureKey' belonging to a CA was not correctly checked for revocation. Now, both the 'key' and 'key.SignatureKey' are checked for @Revoked.

critical : CVE--2026--39834

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.466%
EPSS Percentile37th percentile
Description

When writing data larger than 4GB in a single Write call on an SSH channel, an integer overflow in the internal payload size calculation caused the write loop to spin indefinitely, sending empty packets without making progress. The size comparison now uses int64 to prevent truncation.

critical : CVE--2026--39833

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.360%
EPSS Percentile28th percentile
Description

The in-memory keyring returned by NewKeyring() silently accepted keys with the ConfirmBeforeUse constraint but never enforced it. The key would sign without any confirmation prompt, with no indication to the caller that the constraint was not in effect. NewKeyring() now returns an error when unsupported constraints are requested.

critical : CVE--2026--39832

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.397%
EPSS Percentile32nd percentile
Description

When adding a key to a remote agent constraint extensions such as restrict-destination-v00@openssh.com were not serialized in the request. Destination restrictions were silently stripped when forwarding keys, allowing unrestricted use of the key on the remote host. The client now serializes all constraint extensions. Additionally, the in-memory keyring returned by NewKeyring() now rejects keys with unsupported constraint extensions instead of silently ignoring them.

critical : CVE--2026--39831

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.373%
EPSS Percentile29th percentile
Description

The Verify() method for FIDO/U2F security key types (sk-ecdsa-sha2-nistp256@openssh.com, sk-ssh-ed25519@openssh.com) did not check the User Presence flag. Signatures generated without physical touch were accepted, allowing unattended use of a hardware security key. To restore the previous behavior, return a "no-touch-required" extension in Permissions.Extensions from PublicKeyCallback.

critical : CVE--2026--39830

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.392%
EPSS Percentile31st percentile
Description

A malicious SSH peer could send unsolicited global request responses to fill an internal buffer, blocking the connection's read loop. The blocked goroutine could not be released by calling Close(), resulting in a resource leak per connection. Unsolicited global responses are now discarded.

high : CVE--2026--46597

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.359%
EPSS Percentile28th percentile
Description

An incorrectly placed cast from bytes to int allowed for server-side panic in the AES-GCM packet decoder for well-crafted inputs.

high : CVE--2026--39829

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.304%
EPSS Percentile22nd percentile
Description

The RSA and DSA public key parsers did not enforce size limits on key parameters. A crafted public key with an excessively large modulus or DSA parameter could cause several minutes of CPU consumption during signature verification. This could be triggered by unauthenticated clients during public key authentication. RSA moduli are now limited to 8192 bits, and DSA parameters are validated per FIPS 186-2.

medium : CVE--2026--39827

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.196%
EPSS Percentile10th percentile
Description

An authenticated SSH client that repeatedly opened channels which were rejected by the server caused unbounded memory growth, eventually crashing the server process and affecting all connected users. Rejected channels are now properly removed from the connection's internal state and released for garbage collection.

medium : CVE--2026--39828

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.175%
EPSS Percentile7th percentile
Description

When an SSH server authentication callback returned PartialSuccessError with non-nil Permissions, those permissions were silently discarded, potentially dropping certificate restrictions such as force-command after a second factor succeeded. Returning non-nil Permissions with PartialSuccessError now results in a connection error.

medium : CVE--2026--46598

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.313%
EPSS Percentile23rd percentile
Description

For certain crafted inputs, a 'ed25519.PrivateKey' was created by casting malformed wire bytes, leading to a panic when used.

medium : CVE--2026--39835

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.210%
EPSS Percentile11th percentile
Description

SSH servers which use CertChecker as a public key callback without setting IsUserAuthority or IsHostAuthority could be caused to panic by a client presenting a certificate. CertChecker now returns an error instead of panicking when these callbacks are nil.

critical: 1 high: 0 medium: 5 low: 0 golang.org/x/net 0.54.0 (golang)

pkg:golang/golang.org/x/net@0.54.0

# Dockerfile (272:272)
RUN set -o pipefail && curl https://getcroc.schollz.com | bash || curl https://getcroc.schollz.com | sed 's^croc_base_url="https://github.com/schollz/croc/releases/download"^croc_base_url="file://"^g' | bash

critical : CVE--2026--39821

Affected range<0.55.0
Fixed version0.55.0
EPSS Score0.344%
EPSS Percentile26th percentile
Description

The ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to an ASCII-only label. For example, ToUnicode("xn--example-.com") incorrectly returns the name "example.com" rather than an error.

This behavior can lead to privilege escalation in programs using the idna package. For example, a program which performs privilege checks on the ASCII hostname may reject "example.com" but permit "xn--example-.com". If that program subsequently converts the ASCII hostname to Unicode, it will inadvertently permits access to the Unicode name "example.com".

medium : CVE--2026--25680

Affected range<0.55.0
Fixed version0.55.0
EPSS Score0.248%
EPSS Percentile16th percentile
Description

Parsing arbitrary HTML can consume excessive CPU time, possibly leading to denial of service.

medium : CVE--2026--42506

Affected range<0.55.0
Fixed version0.55.0
EPSS Score0.188%
EPSS Percentile9th percentile
Description

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

medium : CVE--2026--42502

Affected range<0.55.0
Fixed version0.55.0
EPSS Score0.178%
EPSS Percentile8th percentile
Description

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

medium : CVE--2026--27136

Affected range<0.55.0
Fixed version0.55.0
EPSS Score0.178%
EPSS Percentile8th percentile
Description

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

medium : CVE--2026--25681

Affected range<0.55.0
Fixed version0.55.0
EPSS Score0.178%
EPSS Percentile8th percentile
Description

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

critical: 0 high: 1 medium: 2 low: 0 stdlib 1.25.10 (golang)

pkg:golang/stdlib@1.25.10

# Dockerfile (272:272)
RUN set -o pipefail && curl https://getcroc.schollz.com | bash || curl https://getcroc.schollz.com | sed 's^croc_base_url="https://github.com/schollz/croc/releases/download"^croc_base_url="file://"^g' | bash

high : CVE--2026--42504

Affected range<1.25.11
Fixed version1.25.11
EPSS Score0.560%
EPSS Percentile42nd percentile
Description

Decoding a maliciously-crafted MIME header containing many invalid encoded-words can consume excessive CPU.

medium : CVE--2026--27145

Affected range<1.25.11
Fixed version1.25.11
EPSS Score0.561%
EPSS Percentile42nd percentile
Description

(*x509.Certificate).VerifyHostname previously called matchHostnames in a loop over all DNS Subject Alternative Name (SAN) entries. This caused strings.Split(host, ".") to execute repeatedly on the same input hostname.

With a large DNS SAN list, verification costs scaled quadratically based on the number of SAN entries multiplied by the hostname's label count. Because x509.Verify validates hostnames before building the certificate chain, this overhead occurred even for untrusted certificates.

medium : CVE--2026--42507

Affected range<1.25.11
Fixed version1.25.11
EPSS Score0.370%
EPSS Percentile29th percentile
Description

When returning errors, functions in the net/textproto package would include its input as part of the error. This might allow an attacker to inject misleading content to errors that are printed or logged.

critical: 0 high: 0 medium: 5 low: 0 unspecified: 1jquery-ui 1.11.2 (npm)

pkg:npm/jquery-ui@1.11.2

# Dockerfile (258:258)
COPY --from=build /tmp/install /flightgear/script/dnc-managed/install

medium 6.5: CVE--2021--41184 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range<1.13.0
Fixed version1.13.0
CVSS Score6.5
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
EPSS Score42.847%
EPSS Percentile99th percentile
Description

Impact

Accepting the value of the of option of the .position() util from untrusted sources may execute untrusted code. For example, invoking the following code:

$( "#element" ).position( {
	my: "left top",
	at: "right bottom",
	of: "<img onerror='doEvilThing()' src='/404' />",
	collision: "none"
} );

will call the doEvilThing() function.

Patches

The issue is fixed in jQuery UI 1.13.0. Any string value passed to the of option is now treated as a CSS selector.

Workarounds

A workaround is to not accept the value of the of option from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

medium 6.5: CVE--2021--41183 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range<1.13.0
Fixed version1.13.0
CVSS Score6.5
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
EPSS Score7.948%
EPSS Percentile94th percentile
Description

Impact

Accepting the value of various *Text options of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker in the following way:

$( "#datepicker" ).datepicker( {
	showButtonPanel: true,
	showOn: "both",
	closeText: "<script>doEvilThing( 'closeText XSS' )</script>",
	currentText: "<script>doEvilThing( 'currentText XSS' )</script>",
	prevText: "<script>doEvilThing( 'prevText XSS' )</script>",
	nextText: "<script>doEvilThing( 'nextText XSS' )</script>",
	buttonText: "<script>doEvilThing( 'buttonText XSS' )</script>",
	appendText: "<script>doEvilThing( 'appendText XSS' )</script>",
} );

will call doEvilThing with 6 different parameters coming from all *Text options.

Patches

The issue is fixed in jQuery UI 1.13.0. The values passed to various *Text options are now always treated as pure text, not HTML.

Workarounds

A workaround is to not accept the value of the *Text options from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

medium 6.5: CVE--2021--41182 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range<1.13.0
Fixed version1.13.0
CVSS Score6.5
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
EPSS Score37.788%
EPSS Percentile98th percentile
Description

Impact

Accepting the value of the altField option of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker in the following way:

$( "#datepicker" ).datepicker( {
	altField: "<img onerror='doEvilThing()' src='/404' />",
} );

will call the doEvilThing function.

Patches

The issue is fixed in jQuery UI 1.13.0. Any string value passed to the altField option is now treated as a CSS selector.

Workarounds

A workaround is to not accept the value of the altField option from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

medium 6.1: CVE--2022--31160 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range<1.13.2
Fixed version1.13.2
CVSS Score6.1
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS Score1.933%
EPSS Percentile78th percentile
Description

Impact

Initializing a checkboxradio widget on an input enclosed within a label makes that parent label contents considered as the input label. If you call .checkboxradio( "refresh" ) on such a widget and the initial HTML contained encoded HTML entities, they will erroneously get decoded. This can lead to potentially executing JavaScript code.

For example, starting with the following initial secure HTML:

<label>
	<input id="test-input">
	&lt;img src=x onerror="alert(1)"&gt;
</label>

and calling:

$( "#test-input" ).checkboxradio();
$( "#test-input" ).checkboxradio( "refresh" );

will turn the initial HTML into:

<label>
	<!-- some jQuery UI elements -->
	<input id="test-input">
	<img src=x onerror="alert(1)">
</label>

and the alert will get executed.

Patches

The bug has been patched in jQuery UI 1.13.2.

Workarounds

To remediate the issue, if you can change the initial HTML, you can wrap all the non-input contents of the label in a span:

<label>
	<input id="test-input">
	<span>&lt;img src=x onerror="alert(1)"&gt;</span>
</label>

References

https://blog.jqueryui.com/2022/07/jquery-ui-1-13-2-released/

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

medium 6.1: CVE--2016--7103 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range<1.12.0
Fixed version1.12.0
CVSS Score6.1
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS Score22.580%
EPSS Percentile97th percentile
Description

Affected versions of jquery-ui are vulnerable to a cross-site scripting vulnerability when arbitrary user input is supplied as the value of the closeText parameter in the dialog function.

jQuery-UI is a library for manipulating UI elements via jQuery.

Version 1.11.4 has a cross site scripting (XSS) vulnerability in the closeText parameter of the dialog function. If your application passes user input to this parameter, it may be vulnerable to XSS via this attack vector.

Recommendation

Upgrade to jQuery-UI 1.12.0 or later.

unspecified : GMS--2016--46 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

Affected range<=1.11.4
Fixed version1.12.0
Description

jQuery-UI has a cross site scripting (XSS) vulnerability in the closeText parameter of the dialog function. If your application passes user input to this parameter, it may be vulnerable to XSS via this attack vector.

critical: 0 high: 0 medium: 1 low: 0 unspecified: 3libssh2-1t64 1.11.1-1 (deb)

pkg:deb/debian/libssh2-1t64@1.11.1-1?arch=arm64&distro=debian-13&upstream=libssh2

# Dockerfile (270:270)
RUN DEBIAN_FRONTEND=noninteractive apt-get update && apt --no-install-recommends install -y curl ca-certificates python3 python-is-python3 python3-pyqt5 libopengl0 && rm -rf /var/lib/apt/lists/* /var/cache/apt/*

medium : CVE--2026--7598

Affected range<1.11.1-1+deb13u1
Fixed version1.11.1-1+deb13u1
EPSS Score0.355%
EPSS Percentile27th percentile
Description

A security vulnerability has been detected in libssh2 up to 1.11.1. The impacted element is the function userauth_password of the file src/userauth.c. Such manipulation of the argument username_len/password_len leads to integer overflow. The attack may be launched remotely. The name of the patch is 256d04b60d80bf1190e96b0ad1e91b2174d744b1. A patch should be applied to remediate this issue.


unspecified : CVE--2026--55200

Affected range<1.11.1-1+deb13u1
Fixed version1.11.1-1+deb13u1
EPSS Score0.922%
EPSS Percentile56th percentile
Description

libssh2 through 1.11.1, fixed in commit 7acf3df contains an out-of-bounds write vulnerability in ssh2_transport_read() that fails to enforce upper bounds on packet_length field. Remote attackers can send crafted SSH packets with excessively large packet_length values to corrupt heap memory and achieve remote code execution.


unspecified : CVE--2026--55199

Affected range<1.11.1-1+deb13u1
Fixed version1.11.1-1+deb13u1
EPSS Score0.408%
EPSS Percentile33rd percentile
Description

libssh2 through 1.11.1, fixed in commit 1762685, contains a pre-authentication denial of service vulnerability in the SSH_MSG_EXT_INFO handler in src/packet.c that allows a malicious SSH server to cause a client CPU exhaustion loop by sending a crafted extension count value. A malicious server can set nr_extensions to 0xFFFFFFFF during key exchange, causing the client to spin in a tight CPU loop for over 60 seconds because return values from _libssh2_get_string() are unchecked and the session timeout does not apply to CPU-bound loops.


unspecified : CVE--2025--15661

Affected range<1.11.1-1+deb13u1
Fixed version1.11.1-1+deb13u1
EPSS Score0.267%
EPSS Percentile18th percentile
Description

libssh2 through 1.11.1, fixed in commit 2dae302, contains an out-of-bounds heap read vulnerability in the sftp_symlink() function in src/sftp.c that allows a malicious SSH server or man-in-the-middle attacker to disclose heap memory contents or cause a crash by sending a crafted SSH_FXP_NAME response. Attackers can supply a link_len value larger than the actual packet data in SSH_FXP_NAME responses for SFTP READLINK and REALPATH operations, triggering a heap buffer over-read of up to target_len minus one bytes due to the missing validation of available packet buffer size before the memcpy operation.


@github-actions

Copy link
Copy Markdown
Contributor

Recommended fixes for image (linux/arm64) jlp04/elevation-generator:latest

Base image is debian:latest

Name13.5
Digestsha256:b407d8d85413b48428f0fccb4349113d50b07ab20342d991f351e8679950fa8e
Vulnerabilitiescritical: 1 high: 2 medium: 3 low: 25 unspecified: 2
Pushed2 weeks ago
Size50 MB
Packages111
OS13.5
The base image is also available under the supported tag(s): 13, 13.5, trixie

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

✅ There are no tag recommendations at this time.

@github-actions

Copy link
Copy Markdown
Contributor
Your image jlp04/elevation-generator:latest critical: 9 high: 18 medium: 40 low: 46 unspecified: 18
Current base image debian:latest critical: 1 high: 2 medium: 3 low: 25 unspecified: 2

@github-actions

Copy link
Copy Markdown
Contributor

🔍 Vulnerabilities of jlp04/elevation-generator:latest

📦 Image Reference jlp04/elevation-generator:latest
digestsha256:a1c7e5823f12bc147f10eb13bfeb5d24a5bfae216437692f0af4dffd46847436
vulnerabilitiescritical: 9 high: 18 medium: 34 low: 1 unspecified: 4
platformlinux/ppc64le
size9.4 GB
packages956
📦 Base Image debian:13
also known as
  • 13.5
  • 71d8394213ba81d5c407fea0a97bc34b7f457fcd87b29a680455170632aa8510
  • latest
  • trixie
  • trixie-20260610
digestsha256:76b9aa62ea1601f1f8d7d84451cff3adc0a04155956ad2697d8f9aaea3301c47
vulnerabilitiescritical: 1 high: 2 medium: 3 low: 25 unspecified: 2
critical: 7 high: 2 medium: 4 low: 0 golang.org/x/crypto 0.51.0 (golang)

pkg:golang/golang.org/x/crypto@0.51.0

# Dockerfile (272:272)
RUN set -o pipefail && curl https://getcroc.schollz.com | bash || curl https://getcroc.schollz.com | sed 's^croc_base_url="https://github.com/schollz/croc/releases/download"^croc_base_url="file://"^g' | bash

critical : CVE--2026--46595

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.385%
EPSS Percentile30th percentile
Description

Previously, CVE-2024-45337 fixed an authorization bypass for misused ssh server configurations; if any other type of callback is passed other than public key, then the source-address validation would be skipped.

critical : CVE--2026--42508

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.368%
EPSS Percentile29th percentile
Description

Previously, a revoked 'SignatureKey' belonging to a CA was not correctly checked for revocation. Now, both the 'key' and 'key.SignatureKey' are checked for @Revoked.

critical : CVE--2026--39834

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.466%
EPSS Percentile37th percentile
Description

When writing data larger than 4GB in a single Write call on an SSH channel, an integer overflow in the internal payload size calculation caused the write loop to spin indefinitely, sending empty packets without making progress. The size comparison now uses int64 to prevent truncation.

critical : CVE--2026--39833

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.360%
EPSS Percentile28th percentile
Description

The in-memory keyring returned by NewKeyring() silently accepted keys with the ConfirmBeforeUse constraint but never enforced it. The key would sign without any confirmation prompt, with no indication to the caller that the constraint was not in effect. NewKeyring() now returns an error when unsupported constraints are requested.

critical : CVE--2026--39832

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.397%
EPSS Percentile32nd percentile
Description

When adding a key to a remote agent constraint extensions such as restrict-destination-v00@openssh.com were not serialized in the request. Destination restrictions were silently stripped when forwarding keys, allowing unrestricted use of the key on the remote host. The client now serializes all constraint extensions. Additionally, the in-memory keyring returned by NewKeyring() now rejects keys with unsupported constraint extensions instead of silently ignoring them.

critical : CVE--2026--39831

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.373%
EPSS Percentile29th percentile
Description

The Verify() method for FIDO/U2F security key types (sk-ecdsa-sha2-nistp256@openssh.com, sk-ssh-ed25519@openssh.com) did not check the User Presence flag. Signatures generated without physical touch were accepted, allowing unattended use of a hardware security key. To restore the previous behavior, return a "no-touch-required" extension in Permissions.Extensions from PublicKeyCallback.

critical : CVE--2026--39830

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.392%
EPSS Percentile31st percentile
Description

A malicious SSH peer could send unsolicited global request responses to fill an internal buffer, blocking the connection's read loop. The blocked goroutine could not be released by calling Close(), resulting in a resource leak per connection. Unsolicited global responses are now discarded.

high : CVE--2026--46597

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.359%
EPSS Percentile28th percentile
Description

An incorrectly placed cast from bytes to int allowed for server-side panic in the AES-GCM packet decoder for well-crafted inputs.

high : CVE--2026--39829

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.304%
EPSS Percentile22nd percentile
Description

The RSA and DSA public key parsers did not enforce size limits on key parameters. A crafted public key with an excessively large modulus or DSA parameter could cause several minutes of CPU consumption during signature verification. This could be triggered by unauthenticated clients during public key authentication. RSA moduli are now limited to 8192 bits, and DSA parameters are validated per FIPS 186-2.

medium : CVE--2026--39827

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.196%
EPSS Percentile10th percentile
Description

An authenticated SSH client that repeatedly opened channels which were rejected by the server caused unbounded memory growth, eventually crashing the server process and affecting all connected users. Rejected channels are now properly removed from the connection's internal state and released for garbage collection.

medium : CVE--2026--39828

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.175%
EPSS Percentile7th percentile
Description

When an SSH server authentication callback returned PartialSuccessError with non-nil Permissions, those permissions were silently discarded, potentially dropping certificate restrictions such as force-command after a second factor succeeded. Returning non-nil Permissions with PartialSuccessError now results in a connection error.

medium : CVE--2026--46598

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.313%
EPSS Percentile23rd percentile
Description

For certain crafted inputs, a 'ed25519.PrivateKey' was created by casting malformed wire bytes, leading to a panic when used.

medium : CVE--2026--39835

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.210%
EPSS Percentile11th percentile
Description

SSH servers which use CertChecker as a public key callback without setting IsUserAuthority or IsHostAuthority could be caused to panic by a client presenting a certificate. CertChecker now returns an error instead of panicking when these callbacks are nil.

critical: 1 high: 16 medium: 19 low: 1 stdlib 1.25.0 (golang)

pkg:golang/stdlib@1.25.0

# Dockerfile (272:272)
RUN set -o pipefail && curl https://getcroc.schollz.com | bash || curl https://getcroc.schollz.com | sed 's^croc_base_url="https://github.com/schollz/croc/releases/download"^croc_base_url="file://"^g' | bash

critical : CVE--2025--68121

Affected range>=1.25.0-0
<1.25.7
Fixed version1.25.7
EPSS Score0.765%
EPSS Percentile51st percentile
Description

During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed. This may happen when a user calls Config.Clone and mutates the returned Config, or uses Config.GetConfigForClient. This can cause a client to resume a session with a server that it would not have resumed with during the initial handshake, or cause a server to resume a session with a client that it would not have resumed with during the initial handshake.

high : CVE--2026--42504

Affected range<1.25.11
Fixed version1.25.11
EPSS Score0.560%
EPSS Percentile42nd percentile
Description

Decoding a maliciously-crafted MIME header containing many invalid encoded-words can consume excessive CPU.

high : CVE--2026--42499

Affected range<1.25.10
Fixed version1.25.10
EPSS Score0.577%
EPSS Percentile43rd percentile
Description

Pathological inputs could cause DoS through consumePhrase when parsing an email address according to RFC 5322.

high : CVE--2026--39836

Affected range<1.25.10
Fixed version1.25.10
EPSS Score0.588%
EPSS Percentile44th percentile
Description

The Dial and LookupPort functions panic on Windows when provided with an input containing a NUL (0).

high : CVE--2026--39820

Affected range<1.25.10
Fixed version1.25.10
EPSS Score0.486%
EPSS Percentile38th percentile
Description

Well-crafted inputs reaching ParseAddress, ParseAddressList, and ParseDate were able to trigger excessive CPU exhaustion and memory allocations.

high : CVE--2026--33814

Affected range<1.25.10
Fixed version1.25.10
EPSS Score0.565%
EPSS Percentile43rd percentile
Description

When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0.

high : CVE--2026--33811

Affected range<1.25.10
Fixed version1.25.10
EPSS Score0.588%
EPSS Percentile44th percentile
Description

When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C memory and a crash.

high : CVE--2026--32283

Affected range<1.25.9
Fixed version1.25.9
EPSS Score0.449%
EPSS Percentile36th percentile
Description

If one side of the TLS connection sends multiple key update messages post-handshake in a single record, the connection can deadlock, causing uncontrolled consumption of resources. This can lead to a denial of service.

This only affects TLS 1.3.

high : CVE--2026--32281

Affected range<1.25.9
Fixed version1.25.9
EPSS Score0.349%
EPSS Percentile27th percentile
Description

Validating certificate chains which use policies is unexpectedly inefficient when certificates in the chain contain a very large number of policy mappings, possibly causing denial of service.

This only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Roots CertPool, or in the system certificate pool.

high : CVE--2026--32280

Affected range<1.25.9
Fixed version1.25.9
EPSS Score0.378%
EPSS Percentile30th percentile
Description

During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions.Intermediates, which can lead to a denial of service. This affects both direct users of crypto/x509 and users of crypto/tls.

high : CVE--2026--25679

Affected range<1.25.8
Fixed version1.25.8
EPSS Score0.520%
EPSS Percentile40th percentile
Description

url.Parse insufficiently validated the host/authority component and accepted some invalid URLs.

high : CVE--2025--61729

Affected range>=1.25.0
<1.25.5
Fixed version1.25.5
EPSS Score0.451%
EPSS Percentile36th percentile
Description

Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a malicious actor can result in excessive resource consumption.

high : CVE--2025--61726

Affected range>=1.25.0
<1.25.6
Fixed version1.25.6
EPSS Score0.761%
EPSS Percentile51st percentile
Description

The net/url package does not set a limit on the number of query parameters in a query.

While the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse large URL-encoded forms. Parsing a large form containing many unique query parameters can cause excessive memory consumption.

high : CVE--2025--61725

Affected range>=1.25.0
<1.25.2
Fixed version1.25.2
EPSS Score0.613%
EPSS Percentile45th percentile
Description

The ParseAddress function constructs domain-literal address components through repeated string concatenation. When parsing large domain-literal components, this can cause excessive CPU consumption.

high : CVE--2025--61723

Affected range>=1.25.0
<1.25.2
Fixed version1.25.2
EPSS Score0.626%
EPSS Percentile45th percentile
Description

The processing time for parsing some invalid inputs scales non-linearly with respect to the size of the input.

This affects programs which parse untrusted PEM inputs.

high : CVE--2025--58188

Affected range>=1.25.0
<1.25.2
Fixed version1.25.2
EPSS Score0.361%
EPSS Percentile28th percentile
Description

Validating certificate chains which contain DSA public keys can cause programs to panic, due to a interface cast that assumes they implement the Equal method.

This affects programs which validate arbitrary certificate chains.

high : CVE--2025--58187

Affected range>=1.25.0
<1.25.3
Fixed version1.25.3
EPSS Score0.384%
EPSS Percentile30th percentile
Description

Due to the design of the name constraint checking algorithm, the processing time of some inputs scale non-linearly with respect to the size of the certificate.

This affects programs which validate arbitrary certificate chains.

medium : CVE--2026--27145

Affected range<1.25.11
Fixed version1.25.11
EPSS Score0.561%
EPSS Percentile42nd percentile
Description

(*x509.Certificate).VerifyHostname previously called matchHostnames in a loop over all DNS Subject Alternative Name (SAN) entries. This caused strings.Split(host, ".") to execute repeatedly on the same input hostname.

With a large DNS SAN list, verification costs scaled quadratically based on the number of SAN entries multiplied by the hostname's label count. Because x509.Verify validates hostnames before building the certificate chain, this overhead occurred even for untrusted certificates.

medium : CVE--2025--61728

Affected range>=1.25.0
<1.25.6
Fixed version1.25.6
EPSS Score0.643%
EPSS Percentile46th percentile
Description

archive/zip uses a super-linear file name indexing algorithm that is invoked the first time a file in an archive is opened. This can lead to a denial of service when consuming a maliciously constructed ZIP archive.

medium : CVE--2025--61727

Affected range>=1.25.0
<1.25.5
Fixed version1.25.5
EPSS Score0.270%
EPSS Percentile19th percentile
Description

An excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard SANs in the leaf certificate. For example a constraint that excludes the subdomain test.example.com does not prevent a leaf certificate from claiming the SAN *.example.com.

medium : CVE--2026--32282

Affected range<1.25.9
Fixed version1.25.9
EPSS Score0.292%
EPSS Percentile21st percentile
Description

On Linux, if the target of Root.Chmod is replaced with a symlink while the chmod operation is in progress, Chmod can operate on the target of the symlink, even when the target lies outside the root.

The Linux fchmodat syscall silently ignores the AT_SYMLINK_NOFOLLOW flag, which Root.Chmod uses to avoid symlink traversal. Root.Chmod checks its target before acting and returns an error if the target is a symlink lying outside the root, so the impact is limited to cases where the target is replaced with a symlink between the check and operation.

medium : CVE--2026--39826

Affected range<1.25.10
Fixed version1.25.10
EPSS Score0.371%
EPSS Percentile29th percentile
Description

If a trusted template author were to write a <script> tag containing an empty 'type' attribute or a 'type' attribute with an ASCII whitespace, the execution of the template would incorrectly escape any data passed into the <script> block.

medium : CVE--2026--39823

Affected range<1.25.10
Fixed version1.25.10
EPSS Score0.314%
EPSS Percentile23rd percentile
Description

CVE-2026-27142 fixed a vulnerability in which URLs were not correctly escaped inside of a tag's attribute. If the URL content were to insert ASCII whitespaces around the '=' rune inside of the attribute, the escaper would fail to similarly escape it, leading to XSS.

medium : CVE--2026--32289

Affected range<1.25.9
Fixed version1.25.9
EPSS Score0.290%
EPSS Percentile21st percentile
Description

Context was not properly tracked across template branches for JS template literals, leading to possibly incorrect escaping of content when branches were used. Additionally template actions within JS template literals did not properly track the brace depth, leading to incorrect escaping being applied.

These issues could cause actions within JS template literals to be incorrectly or improperly escaped, leading to XSS vulnerabilities.

medium : CVE--2026--27142

Affected range<1.25.8
Fixed version1.25.8
EPSS Score0.328%
EPSS Percentile25th percentile
Description

Actions which insert URLs into the content attribute of HTML meta tags are not escaped. This can allow XSS if the meta tag also has an http-equiv attribute with the value "refresh".

A new GODEBUG setting has been added, htmlmetacontenturlescape, which can be used to disable escaping URLs in actions in the meta content attribute which follow "url=" by setting htmlmetacontenturlescape=0.

medium : CVE--2026--32288

Affected range<1.25.9
Fixed version1.25.9
EPSS Score0.290%
EPSS Percentile21st percentile
Description

tar.Reader can allocate an unbounded amount of memory when reading a maliciously-crafted archive containing a large number of sparse regions encoded in the "old GNU sparse map" format.

medium : CVE--2025--47910

Affected range>=1.25.0
<1.25.1
Fixed version1.25.1
EPSS Score0.308%
EPSS Percentile22nd percentile
Description

When using http.CrossOriginProtection, the AddInsecureBypassPattern method can unexpectedly bypass more requests than intended. CrossOriginProtection then skips validation, but forwards the original request path, which may be served by a different handler without the intended security protections.

medium : CVE--2026--42507

Affected range<1.25.11
Fixed version1.25.11
EPSS Score0.370%
EPSS Percentile29th percentile
Description

When returning errors, functions in the net/textproto package would include its input as part of the error. This might allow an attacker to inject misleading content to errors that are printed or logged.

medium : CVE--2026--39825

Affected range<1.25.10
Fixed version1.25.10
EPSS Score0.390%
EPSS Percentile31st percentile
Description

ReverseProxy can forward queries containing parameters not visible to Rewrite functions.

When used with a Rewrite function, or a Director function which parses query parameters, ReverseProxy sanitizes the forwarded request to remove query parameters which are not parsed by url.ParseQuery. ReverseProxy does not take ParseQuery's limit on the total number of query parameters (controlled by GODEBUG=urlmaxqueryparams=N) into account. This can permit ReverseProxy to forward a request containing a query parameter that is not visible to the Rewrite function.

For example, the query "a1=x&a2=x&...&a10000=x&hidden=y" can forward the parameter "hidden=y" while hiding it from the proxy's Rewrite function.

medium : CVE--2025--61730

Affected range>=1.25.0
<1.25.6
Fixed version1.25.6
EPSS Score0.276%
EPSS Percentile19th percentile
Description

During the TLS 1.3 handshake if multiple messages are sent in records that span encryption level boundaries (for instance the Client Hello and Encrypted Extensions messages), the subsequent messages may be processed before the encryption level changes. This can cause some minor information disclosure if a network-local attacker can inject messages during the handshake.

medium : CVE--2025--61724

Affected range>=1.25.0
<1.25.2
Fixed version1.25.2
EPSS Score0.526%
EPSS Percentile41st percentile
Description

The Reader.ReadResponse function constructs a response string through repeated string concatenation of lines. When the number of lines in a response is large, this can cause excessive CPU consumption.

medium : CVE--2025--58189

Affected range>=1.25.0
<1.25.2
Fixed version1.25.2
EPSS Score0.443%
EPSS Percentile35th percentile
Description

When Conn.Handshake fails during ALPN negotiation the error contains attacker controlled information (the ALPN protocols sent by the client) which is not escaped.

medium : CVE--2025--58186

Affected range>=1.25.0
<1.25.2
Fixed version1.25.2
EPSS Score0.534%
EPSS Percentile41st percentile
Description

Despite HTTP headers having a default limit of 1MB, the number of cookies that can be parsed does not have a limit. By sending a lot of very small cookies such as "a=;", an attacker can make an HTTP server allocate a large amount of structs, causing large memory consumption.

medium : CVE--2025--58185

Affected range>=1.25.0
<1.25.2
Fixed version1.25.2
EPSS Score0.526%
EPSS Percentile41st percentile
Description

Parsing a maliciously crafted DER payload could allocate large amounts of memory, causing memory exhaustion.

medium : CVE--2025--47912

Affected range>=1.25.0
<1.25.2
Fixed version1.25.2
EPSS Score0.443%
EPSS Percentile35th percentile
Description

The Parse function permits values other than IPv6 addresses to be included in square brackets within the host component of a URL. RFC 3986 permits IPv6 addresses to be included within the host component, enclosed within square brackets. For example: "http://[::1]/". IPv4 addresses and hostnames must not appear within square brackets. Parse did not enforce this requirement.

medium : CVE--2025--58183

Affected range>=1.25.0
<1.25.2
Fixed version1.25.2
EPSS Score0.419%
EPSS Percentile34th percentile
Description

tar.Reader does not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A maliciously-crafted archive containing a large number of sparse regions can cause a Reader to read an unbounded amount of data from the archive into memory. When reading from a compressed source, a small compressed input can result in large allocations.

low : CVE--2026--27139

Affected range<1.25.8
Fixed version1.25.8
EPSS Score0.201%
EPSS Percentile10th percentile
Description

On Unix platforms, when listing the contents of a directory using File.ReadDir or File.Readdir the returned FileInfo could reference a file outside of the Root in which the File was opened.

The impact of this escape is limited to reading metadata provided by lstat from arbitrary locations on the filesystem without permitting reading or writing files outside the root.

critical: 1 high: 0 medium: 5 low: 0 golang.org/x/net 0.54.0 (golang)

pkg:golang/golang.org/x/net@0.54.0

# Dockerfile (272:272)
RUN set -o pipefail && curl https://getcroc.schollz.com | bash || curl https://getcroc.schollz.com | sed 's^croc_base_url="https://github.com/schollz/croc/releases/download"^croc_base_url="file://"^g' | bash

critical : CVE--2026--39821

Affected range<0.55.0
Fixed version0.55.0
EPSS Score0.344%
EPSS Percentile26th percentile
Description

The ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to an ASCII-only label. For example, ToUnicode("xn--example-.com") incorrectly returns the name "example.com" rather than an error.

This behavior can lead to privilege escalation in programs using the idna package. For example, a program which performs privilege checks on the ASCII hostname may reject "example.com" but permit "xn--example-.com". If that program subsequently converts the ASCII hostname to Unicode, it will inadvertently permits access to the Unicode name "example.com".

medium : CVE--2026--25680

Affected range<0.55.0
Fixed version0.55.0
EPSS Score0.248%
EPSS Percentile16th percentile
Description

Parsing arbitrary HTML can consume excessive CPU time, possibly leading to denial of service.

medium : CVE--2026--42506

Affected range<0.55.0
Fixed version0.55.0
EPSS Score0.188%
EPSS Percentile9th percentile
Description

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

medium : CVE--2026--42502

Affected range<0.55.0
Fixed version0.55.0
EPSS Score0.178%
EPSS Percentile8th percentile
Description

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

medium : CVE--2026--27136

Affected range<0.55.0
Fixed version0.55.0
EPSS Score0.178%
EPSS Percentile8th percentile
Description

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

medium : CVE--2026--25681

Affected range<0.55.0
Fixed version0.55.0
EPSS Score0.178%
EPSS Percentile8th percentile
Description

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

critical: 0 high: 0 medium: 5 low: 0 unspecified: 1jquery-ui 1.11.2 (npm)

pkg:npm/jquery-ui@1.11.2

# Dockerfile (258:258)
COPY --from=build /tmp/install /flightgear/script/dnc-managed/install

medium 6.5: CVE--2021--41184 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range<1.13.0
Fixed version1.13.0
CVSS Score6.5
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
EPSS Score42.847%
EPSS Percentile99th percentile
Description

Impact

Accepting the value of the of option of the .position() util from untrusted sources may execute untrusted code. For example, invoking the following code:

$( "#element" ).position( {
	my: "left top",
	at: "right bottom",
	of: "<img onerror='doEvilThing()' src='/404' />",
	collision: "none"
} );

will call the doEvilThing() function.

Patches

The issue is fixed in jQuery UI 1.13.0. Any string value passed to the of option is now treated as a CSS selector.

Workarounds

A workaround is to not accept the value of the of option from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

medium 6.5: CVE--2021--41183 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range<1.13.0
Fixed version1.13.0
CVSS Score6.5
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
EPSS Score7.948%
EPSS Percentile94th percentile
Description

Impact

Accepting the value of various *Text options of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker in the following way:

$( "#datepicker" ).datepicker( {
	showButtonPanel: true,
	showOn: "both",
	closeText: "<script>doEvilThing( 'closeText XSS' )</script>",
	currentText: "<script>doEvilThing( 'currentText XSS' )</script>",
	prevText: "<script>doEvilThing( 'prevText XSS' )</script>",
	nextText: "<script>doEvilThing( 'nextText XSS' )</script>",
	buttonText: "<script>doEvilThing( 'buttonText XSS' )</script>",
	appendText: "<script>doEvilThing( 'appendText XSS' )</script>",
} );

will call doEvilThing with 6 different parameters coming from all *Text options.

Patches

The issue is fixed in jQuery UI 1.13.0. The values passed to various *Text options are now always treated as pure text, not HTML.

Workarounds

A workaround is to not accept the value of the *Text options from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

medium 6.5: CVE--2021--41182 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range<1.13.0
Fixed version1.13.0
CVSS Score6.5
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
EPSS Score37.788%
EPSS Percentile98th percentile
Description

Impact

Accepting the value of the altField option of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker in the following way:

$( "#datepicker" ).datepicker( {
	altField: "<img onerror='doEvilThing()' src='/404' />",
} );

will call the doEvilThing function.

Patches

The issue is fixed in jQuery UI 1.13.0. Any string value passed to the altField option is now treated as a CSS selector.

Workarounds

A workaround is to not accept the value of the altField option from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

medium 6.1: CVE--2022--31160 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range<1.13.2
Fixed version1.13.2
CVSS Score6.1
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS Score1.933%
EPSS Percentile78th percentile
Description

Impact

Initializing a checkboxradio widget on an input enclosed within a label makes that parent label contents considered as the input label. If you call .checkboxradio( "refresh" ) on such a widget and the initial HTML contained encoded HTML entities, they will erroneously get decoded. This can lead to potentially executing JavaScript code.

For example, starting with the following initial secure HTML:

<label>
	<input id="test-input">
	&lt;img src=x onerror="alert(1)"&gt;
</label>

and calling:

$( "#test-input" ).checkboxradio();
$( "#test-input" ).checkboxradio( "refresh" );

will turn the initial HTML into:

<label>
	<!-- some jQuery UI elements -->
	<input id="test-input">
	<img src=x onerror="alert(1)">
</label>

and the alert will get executed.

Patches

The bug has been patched in jQuery UI 1.13.2.

Workarounds

To remediate the issue, if you can change the initial HTML, you can wrap all the non-input contents of the label in a span:

<label>
	<input id="test-input">
	<span>&lt;img src=x onerror="alert(1)"&gt;</span>
</label>

References

https://blog.jqueryui.com/2022/07/jquery-ui-1-13-2-released/

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

medium 6.1: CVE--2016--7103 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range<1.12.0
Fixed version1.12.0
CVSS Score6.1
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS Score22.580%
EPSS Percentile97th percentile
Description

Affected versions of jquery-ui are vulnerable to a cross-site scripting vulnerability when arbitrary user input is supplied as the value of the closeText parameter in the dialog function.

jQuery-UI is a library for manipulating UI elements via jQuery.

Version 1.11.4 has a cross site scripting (XSS) vulnerability in the closeText parameter of the dialog function. If your application passes user input to this parameter, it may be vulnerable to XSS via this attack vector.

Recommendation

Upgrade to jQuery-UI 1.12.0 or later.

unspecified : GMS--2016--46 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

Affected range<=1.11.4
Fixed version1.12.0
Description

jQuery-UI has a cross site scripting (XSS) vulnerability in the closeText parameter of the dialog function. If your application passes user input to this parameter, it may be vulnerable to XSS via this attack vector.

critical: 0 high: 0 medium: 1 low: 0 unspecified: 3libssh2-1t64 1.11.1-1 (deb)

pkg:deb/debian/libssh2-1t64@1.11.1-1?arch=ppc64el&distro=debian-13&upstream=libssh2

# Dockerfile (270:270)
RUN DEBIAN_FRONTEND=noninteractive apt-get update && apt --no-install-recommends install -y curl ca-certificates python3 python-is-python3 python3-pyqt5 libopengl0 && rm -rf /var/lib/apt/lists/* /var/cache/apt/*

medium : CVE--2026--7598

Affected range<1.11.1-1+deb13u1
Fixed version1.11.1-1+deb13u1
EPSS Score0.355%
EPSS Percentile27th percentile
Description

A security vulnerability has been detected in libssh2 up to 1.11.1. The impacted element is the function userauth_password of the file src/userauth.c. Such manipulation of the argument username_len/password_len leads to integer overflow. The attack may be launched remotely. The name of the patch is 256d04b60d80bf1190e96b0ad1e91b2174d744b1. A patch should be applied to remediate this issue.


unspecified : CVE--2026--55200

Affected range<1.11.1-1+deb13u1
Fixed version1.11.1-1+deb13u1
EPSS Score0.922%
EPSS Percentile56th percentile
Description

libssh2 through 1.11.1, fixed in commit 7acf3df contains an out-of-bounds write vulnerability in ssh2_transport_read() that fails to enforce upper bounds on packet_length field. Remote attackers can send crafted SSH packets with excessively large packet_length values to corrupt heap memory and achieve remote code execution.


unspecified : CVE--2026--55199

Affected range<1.11.1-1+deb13u1
Fixed version1.11.1-1+deb13u1
EPSS Score0.408%
EPSS Percentile33rd percentile
Description

libssh2 through 1.11.1, fixed in commit 1762685, contains a pre-authentication denial of service vulnerability in the SSH_MSG_EXT_INFO handler in src/packet.c that allows a malicious SSH server to cause a client CPU exhaustion loop by sending a crafted extension count value. A malicious server can set nr_extensions to 0xFFFFFFFF during key exchange, causing the client to spin in a tight CPU loop for over 60 seconds because return values from _libssh2_get_string() are unchecked and the session timeout does not apply to CPU-bound loops.


unspecified : CVE--2025--15661

Affected range<1.11.1-1+deb13u1
Fixed version1.11.1-1+deb13u1
EPSS Score0.267%
EPSS Percentile18th percentile
Description

libssh2 through 1.11.1, fixed in commit 2dae302, contains an out-of-bounds heap read vulnerability in the sftp_symlink() function in src/sftp.c that allows a malicious SSH server or man-in-the-middle attacker to disclose heap memory contents or cause a crash by sending a crafted SSH_FXP_NAME response. Attackers can supply a link_len value larger than the actual packet data in SSH_FXP_NAME responses for SFTP READLINK and REALPATH operations, triggering a heap buffer over-read of up to target_len minus one bytes due to the missing validation of available packet buffer size before the memcpy operation.


@github-actions

Copy link
Copy Markdown
Contributor

Recommended fixes for image (linux/ppc64le) jlp04/elevation-generator:latest

Base image is debian:latest

Name13.5
Digestsha256:76b9aa62ea1601f1f8d7d84451cff3adc0a04155956ad2697d8f9aaea3301c47
Vulnerabilitiescritical: 1 high: 2 medium: 3 low: 25 unspecified: 2
Pushed2 weeks ago
Size53 MB
Packages111
OS13.5
The base image is also available under the supported tag(s): 13, 13.5, trixie

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

✅ There are no tag recommendations at this time.

@github-actions

Copy link
Copy Markdown
Contributor
Your image jlp04/elevation-generator:latest critical: 8 high: 3 medium: 23 low: 45 unspecified: 18
Current base image debian:latest critical: 1 high: 2 medium: 3 low: 25 unspecified: 2

@github-actions

Copy link
Copy Markdown
Contributor

🔍 Vulnerabilities of jlp04/elevation-generator:latest

📦 Image Reference jlp04/elevation-generator:latest
digestsha256:b00c6ab794d9ec4aba72061c73c58baf4955452774af8a4f829ae4088c3f624c
vulnerabilitiescritical: 8 high: 3 medium: 17 low: 0 unspecified: 4
platformlinux/riscv64
size9.4 GB
packages951
📦 Base Image debian:13
also known as
  • 13.5
  • latest
  • trixie
  • trixie-20260610
digestsha256:b89a6fe5894166fa7b0609639fd8a4d1f8727bbb9dd53b8105cf31e8b9951375
vulnerabilitiescritical: 1 high: 2 medium: 3 low: 25 unspecified: 2
critical: 7 high: 2 medium: 4 low: 0 golang.org/x/crypto 0.51.0 (golang)

pkg:golang/golang.org/x/crypto@0.51.0

# Dockerfile (272:272)
RUN set -o pipefail && curl https://getcroc.schollz.com | bash || curl https://getcroc.schollz.com | sed 's^croc_base_url="https://github.com/schollz/croc/releases/download"^croc_base_url="file://"^g' | bash

critical : CVE--2026--46595

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.385%
EPSS Percentile30th percentile
Description

Previously, CVE-2024-45337 fixed an authorization bypass for misused ssh server configurations; if any other type of callback is passed other than public key, then the source-address validation would be skipped.

critical : CVE--2026--42508

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.368%
EPSS Percentile29th percentile
Description

Previously, a revoked 'SignatureKey' belonging to a CA was not correctly checked for revocation. Now, both the 'key' and 'key.SignatureKey' are checked for @Revoked.

critical : CVE--2026--39834

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.466%
EPSS Percentile37th percentile
Description

When writing data larger than 4GB in a single Write call on an SSH channel, an integer overflow in the internal payload size calculation caused the write loop to spin indefinitely, sending empty packets without making progress. The size comparison now uses int64 to prevent truncation.

critical : CVE--2026--39833

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.360%
EPSS Percentile28th percentile
Description

The in-memory keyring returned by NewKeyring() silently accepted keys with the ConfirmBeforeUse constraint but never enforced it. The key would sign without any confirmation prompt, with no indication to the caller that the constraint was not in effect. NewKeyring() now returns an error when unsupported constraints are requested.

critical : CVE--2026--39832

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.397%
EPSS Percentile32nd percentile
Description

When adding a key to a remote agent constraint extensions such as restrict-destination-v00@openssh.com were not serialized in the request. Destination restrictions were silently stripped when forwarding keys, allowing unrestricted use of the key on the remote host. The client now serializes all constraint extensions. Additionally, the in-memory keyring returned by NewKeyring() now rejects keys with unsupported constraint extensions instead of silently ignoring them.

critical : CVE--2026--39831

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.373%
EPSS Percentile29th percentile
Description

The Verify() method for FIDO/U2F security key types (sk-ecdsa-sha2-nistp256@openssh.com, sk-ssh-ed25519@openssh.com) did not check the User Presence flag. Signatures generated without physical touch were accepted, allowing unattended use of a hardware security key. To restore the previous behavior, return a "no-touch-required" extension in Permissions.Extensions from PublicKeyCallback.

critical : CVE--2026--39830

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.392%
EPSS Percentile31st percentile
Description

A malicious SSH peer could send unsolicited global request responses to fill an internal buffer, blocking the connection's read loop. The blocked goroutine could not be released by calling Close(), resulting in a resource leak per connection. Unsolicited global responses are now discarded.

high : CVE--2026--46597

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.359%
EPSS Percentile28th percentile
Description

An incorrectly placed cast from bytes to int allowed for server-side panic in the AES-GCM packet decoder for well-crafted inputs.

high : CVE--2026--39829

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.304%
EPSS Percentile22nd percentile
Description

The RSA and DSA public key parsers did not enforce size limits on key parameters. A crafted public key with an excessively large modulus or DSA parameter could cause several minutes of CPU consumption during signature verification. This could be triggered by unauthenticated clients during public key authentication. RSA moduli are now limited to 8192 bits, and DSA parameters are validated per FIPS 186-2.

medium : CVE--2026--39827

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.196%
EPSS Percentile10th percentile
Description

An authenticated SSH client that repeatedly opened channels which were rejected by the server caused unbounded memory growth, eventually crashing the server process and affecting all connected users. Rejected channels are now properly removed from the connection's internal state and released for garbage collection.

medium : CVE--2026--39828

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.175%
EPSS Percentile7th percentile
Description

When an SSH server authentication callback returned PartialSuccessError with non-nil Permissions, those permissions were silently discarded, potentially dropping certificate restrictions such as force-command after a second factor succeeded. Returning non-nil Permissions with PartialSuccessError now results in a connection error.

medium : CVE--2026--46598

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.313%
EPSS Percentile23rd percentile
Description

For certain crafted inputs, a 'ed25519.PrivateKey' was created by casting malformed wire bytes, leading to a panic when used.

medium : CVE--2026--39835

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.210%
EPSS Percentile11th percentile
Description

SSH servers which use CertChecker as a public key callback without setting IsUserAuthority or IsHostAuthority could be caused to panic by a client presenting a certificate. CertChecker now returns an error instead of panicking when these callbacks are nil.

critical: 1 high: 0 medium: 5 low: 0 golang.org/x/net 0.54.0 (golang)

pkg:golang/golang.org/x/net@0.54.0

# Dockerfile (272:272)
RUN set -o pipefail && curl https://getcroc.schollz.com | bash || curl https://getcroc.schollz.com | sed 's^croc_base_url="https://github.com/schollz/croc/releases/download"^croc_base_url="file://"^g' | bash

critical : CVE--2026--39821

Affected range<0.55.0
Fixed version0.55.0
EPSS Score0.344%
EPSS Percentile26th percentile
Description

The ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to an ASCII-only label. For example, ToUnicode("xn--example-.com") incorrectly returns the name "example.com" rather than an error.

This behavior can lead to privilege escalation in programs using the idna package. For example, a program which performs privilege checks on the ASCII hostname may reject "example.com" but permit "xn--example-.com". If that program subsequently converts the ASCII hostname to Unicode, it will inadvertently permits access to the Unicode name "example.com".

medium : CVE--2026--25680

Affected range<0.55.0
Fixed version0.55.0
EPSS Score0.248%
EPSS Percentile16th percentile
Description

Parsing arbitrary HTML can consume excessive CPU time, possibly leading to denial of service.

medium : CVE--2026--42506

Affected range<0.55.0
Fixed version0.55.0
EPSS Score0.188%
EPSS Percentile9th percentile
Description

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

medium : CVE--2026--42502

Affected range<0.55.0
Fixed version0.55.0
EPSS Score0.178%
EPSS Percentile8th percentile
Description

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

medium : CVE--2026--27136

Affected range<0.55.0
Fixed version0.55.0
EPSS Score0.178%
EPSS Percentile8th percentile
Description

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

medium : CVE--2026--25681

Affected range<0.55.0
Fixed version0.55.0
EPSS Score0.178%
EPSS Percentile8th percentile
Description

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

critical: 0 high: 1 medium: 2 low: 0 stdlib 1.25.10 (golang)

pkg:golang/stdlib@1.25.10

# Dockerfile (272:272)
RUN set -o pipefail && curl https://getcroc.schollz.com | bash || curl https://getcroc.schollz.com | sed 's^croc_base_url="https://github.com/schollz/croc/releases/download"^croc_base_url="file://"^g' | bash

high : CVE--2026--42504

Affected range<1.25.11
Fixed version1.25.11
EPSS Score0.560%
EPSS Percentile42nd percentile
Description

Decoding a maliciously-crafted MIME header containing many invalid encoded-words can consume excessive CPU.

medium : CVE--2026--27145

Affected range<1.25.11
Fixed version1.25.11
EPSS Score0.561%
EPSS Percentile42nd percentile
Description

(*x509.Certificate).VerifyHostname previously called matchHostnames in a loop over all DNS Subject Alternative Name (SAN) entries. This caused strings.Split(host, ".") to execute repeatedly on the same input hostname.

With a large DNS SAN list, verification costs scaled quadratically based on the number of SAN entries multiplied by the hostname's label count. Because x509.Verify validates hostnames before building the certificate chain, this overhead occurred even for untrusted certificates.

medium : CVE--2026--42507

Affected range<1.25.11
Fixed version1.25.11
EPSS Score0.370%
EPSS Percentile29th percentile
Description

When returning errors, functions in the net/textproto package would include its input as part of the error. This might allow an attacker to inject misleading content to errors that are printed or logged.

critical: 0 high: 0 medium: 5 low: 0 unspecified: 1jquery-ui 1.11.2 (npm)

pkg:npm/jquery-ui@1.11.2

# Dockerfile (258:258)
COPY --from=build /tmp/install /flightgear/script/dnc-managed/install

medium 6.5: CVE--2021--41184 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range<1.13.0
Fixed version1.13.0
CVSS Score6.5
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
EPSS Score42.847%
EPSS Percentile99th percentile
Description

Impact

Accepting the value of the of option of the .position() util from untrusted sources may execute untrusted code. For example, invoking the following code:

$( "#element" ).position( {
	my: "left top",
	at: "right bottom",
	of: "<img onerror='doEvilThing()' src='/404' />",
	collision: "none"
} );

will call the doEvilThing() function.

Patches

The issue is fixed in jQuery UI 1.13.0. Any string value passed to the of option is now treated as a CSS selector.

Workarounds

A workaround is to not accept the value of the of option from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

medium 6.5: CVE--2021--41183 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range<1.13.0
Fixed version1.13.0
CVSS Score6.5
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
EPSS Score7.948%
EPSS Percentile94th percentile
Description

Impact

Accepting the value of various *Text options of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker in the following way:

$( "#datepicker" ).datepicker( {
	showButtonPanel: true,
	showOn: "both",
	closeText: "<script>doEvilThing( 'closeText XSS' )</script>",
	currentText: "<script>doEvilThing( 'currentText XSS' )</script>",
	prevText: "<script>doEvilThing( 'prevText XSS' )</script>",
	nextText: "<script>doEvilThing( 'nextText XSS' )</script>",
	buttonText: "<script>doEvilThing( 'buttonText XSS' )</script>",
	appendText: "<script>doEvilThing( 'appendText XSS' )</script>",
} );

will call doEvilThing with 6 different parameters coming from all *Text options.

Patches

The issue is fixed in jQuery UI 1.13.0. The values passed to various *Text options are now always treated as pure text, not HTML.

Workarounds

A workaround is to not accept the value of the *Text options from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

medium 6.5: CVE--2021--41182 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range<1.13.0
Fixed version1.13.0
CVSS Score6.5
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
EPSS Score37.788%
EPSS Percentile98th percentile
Description

Impact

Accepting the value of the altField option of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker in the following way:

$( "#datepicker" ).datepicker( {
	altField: "<img onerror='doEvilThing()' src='/404' />",
} );

will call the doEvilThing function.

Patches

The issue is fixed in jQuery UI 1.13.0. Any string value passed to the altField option is now treated as a CSS selector.

Workarounds

A workaround is to not accept the value of the altField option from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

medium 6.1: CVE--2022--31160 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range<1.13.2
Fixed version1.13.2
CVSS Score6.1
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS Score1.933%
EPSS Percentile78th percentile
Description

Impact

Initializing a checkboxradio widget on an input enclosed within a label makes that parent label contents considered as the input label. If you call .checkboxradio( "refresh" ) on such a widget and the initial HTML contained encoded HTML entities, they will erroneously get decoded. This can lead to potentially executing JavaScript code.

For example, starting with the following initial secure HTML:

<label>
	<input id="test-input">
	&lt;img src=x onerror="alert(1)"&gt;
</label>

and calling:

$( "#test-input" ).checkboxradio();
$( "#test-input" ).checkboxradio( "refresh" );

will turn the initial HTML into:

<label>
	<!-- some jQuery UI elements -->
	<input id="test-input">
	<img src=x onerror="alert(1)">
</label>

and the alert will get executed.

Patches

The bug has been patched in jQuery UI 1.13.2.

Workarounds

To remediate the issue, if you can change the initial HTML, you can wrap all the non-input contents of the label in a span:

<label>
	<input id="test-input">
	<span>&lt;img src=x onerror="alert(1)"&gt;</span>
</label>

References

https://blog.jqueryui.com/2022/07/jquery-ui-1-13-2-released/

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

medium 6.1: CVE--2016--7103 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range<1.12.0
Fixed version1.12.0
CVSS Score6.1
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS Score22.580%
EPSS Percentile97th percentile
Description

Affected versions of jquery-ui are vulnerable to a cross-site scripting vulnerability when arbitrary user input is supplied as the value of the closeText parameter in the dialog function.

jQuery-UI is a library for manipulating UI elements via jQuery.

Version 1.11.4 has a cross site scripting (XSS) vulnerability in the closeText parameter of the dialog function. If your application passes user input to this parameter, it may be vulnerable to XSS via this attack vector.

Recommendation

Upgrade to jQuery-UI 1.12.0 or later.

unspecified : GMS--2016--46 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

Affected range<=1.11.4
Fixed version1.12.0
Description

jQuery-UI has a cross site scripting (XSS) vulnerability in the closeText parameter of the dialog function. If your application passes user input to this parameter, it may be vulnerable to XSS via this attack vector.

critical: 0 high: 0 medium: 1 low: 0 unspecified: 3libssh2-1t64 1.11.1-1 (deb)

pkg:deb/debian/libssh2-1t64@1.11.1-1?arch=riscv64&distro=debian-13&upstream=libssh2

# Dockerfile (270:270)
RUN DEBIAN_FRONTEND=noninteractive apt-get update && apt --no-install-recommends install -y curl ca-certificates python3 python-is-python3 python3-pyqt5 libopengl0 && rm -rf /var/lib/apt/lists/* /var/cache/apt/*

medium : CVE--2026--7598

Affected range<1.11.1-1+deb13u1
Fixed version1.11.1-1+deb13u1
EPSS Score0.355%
EPSS Percentile27th percentile
Description

A security vulnerability has been detected in libssh2 up to 1.11.1. The impacted element is the function userauth_password of the file src/userauth.c. Such manipulation of the argument username_len/password_len leads to integer overflow. The attack may be launched remotely. The name of the patch is 256d04b60d80bf1190e96b0ad1e91b2174d744b1. A patch should be applied to remediate this issue.


unspecified : CVE--2026--55200

Affected range<1.11.1-1+deb13u1
Fixed version1.11.1-1+deb13u1
EPSS Score0.922%
EPSS Percentile56th percentile
Description

libssh2 through 1.11.1, fixed in commit 7acf3df contains an out-of-bounds write vulnerability in ssh2_transport_read() that fails to enforce upper bounds on packet_length field. Remote attackers can send crafted SSH packets with excessively large packet_length values to corrupt heap memory and achieve remote code execution.


unspecified : CVE--2026--55199

Affected range<1.11.1-1+deb13u1
Fixed version1.11.1-1+deb13u1
EPSS Score0.408%
EPSS Percentile33rd percentile
Description

libssh2 through 1.11.1, fixed in commit 1762685, contains a pre-authentication denial of service vulnerability in the SSH_MSG_EXT_INFO handler in src/packet.c that allows a malicious SSH server to cause a client CPU exhaustion loop by sending a crafted extension count value. A malicious server can set nr_extensions to 0xFFFFFFFF during key exchange, causing the client to spin in a tight CPU loop for over 60 seconds because return values from _libssh2_get_string() are unchecked and the session timeout does not apply to CPU-bound loops.


unspecified : CVE--2025--15661

Affected range<1.11.1-1+deb13u1
Fixed version1.11.1-1+deb13u1
EPSS Score0.267%
EPSS Percentile18th percentile
Description

libssh2 through 1.11.1, fixed in commit 2dae302, contains an out-of-bounds heap read vulnerability in the sftp_symlink() function in src/sftp.c that allows a malicious SSH server or man-in-the-middle attacker to disclose heap memory contents or cause a crash by sending a crafted SSH_FXP_NAME response. Attackers can supply a link_len value larger than the actual packet data in SSH_FXP_NAME responses for SFTP READLINK and REALPATH operations, triggering a heap buffer over-read of up to target_len minus one bytes due to the missing validation of available packet buffer size before the memcpy operation.


@github-actions

Copy link
Copy Markdown
Contributor

Recommended fixes for image (linux/riscv64) jlp04/elevation-generator:latest

Base image is debian:latest

Name13.5
Digestsha256:b89a6fe5894166fa7b0609639fd8a4d1f8727bbb9dd53b8105cf31e8b9951375
Vulnerabilitiescritical: 1 high: 2 medium: 3 low: 25 unspecified: 2
Pushed2 weeks ago
Size48 MB
Packages109
OS13.5
The base image is also available under the supported tag(s): 13, 13.5, trixie

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

✅ There are no tag recommendations at this time.

@github-actions

Copy link
Copy Markdown
Contributor
Your image jlp04/elevation-generator:latest critical: 9 high: 18 medium: 40 low: 46 unspecified: 18
Current base image debian:latest critical: 1 high: 2 medium: 3 low: 25 unspecified: 2

@github-actions

Copy link
Copy Markdown
Contributor

🔍 Vulnerabilities of jlp04/elevation-generator:latest

📦 Image Reference jlp04/elevation-generator:latest
digestsha256:a1aff34571be77a16d875e7435293e686d34354a6e1845160211b3d7d4c9b216
vulnerabilitiescritical: 9 high: 18 medium: 34 low: 1 unspecified: 4
platformlinux/s390x
size9.4 GB
packages950
📦 Base Image debian:13
also known as
  • 13.5
  • latest
  • trixie
  • trixie-20260610
digestsha256:cf26a338b2e8dc0f098eb1b34f5d0b57189d12dca0974b1fe37f59065f01bbe7
vulnerabilitiescritical: 1 high: 2 medium: 3 low: 25 unspecified: 2
critical: 7 high: 2 medium: 4 low: 0 golang.org/x/crypto 0.51.0 (golang)

pkg:golang/golang.org/x/crypto@0.51.0

# Dockerfile (272:272)
RUN set -o pipefail && curl https://getcroc.schollz.com | bash || curl https://getcroc.schollz.com | sed 's^croc_base_url="https://github.com/schollz/croc/releases/download"^croc_base_url="file://"^g' | bash

critical : CVE--2026--46595

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.385%
EPSS Percentile30th percentile
Description

Previously, CVE-2024-45337 fixed an authorization bypass for misused ssh server configurations; if any other type of callback is passed other than public key, then the source-address validation would be skipped.

critical : CVE--2026--42508

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.368%
EPSS Percentile29th percentile
Description

Previously, a revoked 'SignatureKey' belonging to a CA was not correctly checked for revocation. Now, both the 'key' and 'key.SignatureKey' are checked for @Revoked.

critical : CVE--2026--39834

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.466%
EPSS Percentile37th percentile
Description

When writing data larger than 4GB in a single Write call on an SSH channel, an integer overflow in the internal payload size calculation caused the write loop to spin indefinitely, sending empty packets without making progress. The size comparison now uses int64 to prevent truncation.

critical : CVE--2026--39833

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.360%
EPSS Percentile28th percentile
Description

The in-memory keyring returned by NewKeyring() silently accepted keys with the ConfirmBeforeUse constraint but never enforced it. The key would sign without any confirmation prompt, with no indication to the caller that the constraint was not in effect. NewKeyring() now returns an error when unsupported constraints are requested.

critical : CVE--2026--39832

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.397%
EPSS Percentile32nd percentile
Description

When adding a key to a remote agent constraint extensions such as restrict-destination-v00@openssh.com were not serialized in the request. Destination restrictions were silently stripped when forwarding keys, allowing unrestricted use of the key on the remote host. The client now serializes all constraint extensions. Additionally, the in-memory keyring returned by NewKeyring() now rejects keys with unsupported constraint extensions instead of silently ignoring them.

critical : CVE--2026--39831

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.373%
EPSS Percentile29th percentile
Description

The Verify() method for FIDO/U2F security key types (sk-ecdsa-sha2-nistp256@openssh.com, sk-ssh-ed25519@openssh.com) did not check the User Presence flag. Signatures generated without physical touch were accepted, allowing unattended use of a hardware security key. To restore the previous behavior, return a "no-touch-required" extension in Permissions.Extensions from PublicKeyCallback.

critical : CVE--2026--39830

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.392%
EPSS Percentile31st percentile
Description

A malicious SSH peer could send unsolicited global request responses to fill an internal buffer, blocking the connection's read loop. The blocked goroutine could not be released by calling Close(), resulting in a resource leak per connection. Unsolicited global responses are now discarded.

high : CVE--2026--46597

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.359%
EPSS Percentile28th percentile
Description

An incorrectly placed cast from bytes to int allowed for server-side panic in the AES-GCM packet decoder for well-crafted inputs.

high : CVE--2026--39829

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.304%
EPSS Percentile22nd percentile
Description

The RSA and DSA public key parsers did not enforce size limits on key parameters. A crafted public key with an excessively large modulus or DSA parameter could cause several minutes of CPU consumption during signature verification. This could be triggered by unauthenticated clients during public key authentication. RSA moduli are now limited to 8192 bits, and DSA parameters are validated per FIPS 186-2.

medium : CVE--2026--39827

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.196%
EPSS Percentile10th percentile
Description

An authenticated SSH client that repeatedly opened channels which were rejected by the server caused unbounded memory growth, eventually crashing the server process and affecting all connected users. Rejected channels are now properly removed from the connection's internal state and released for garbage collection.

medium : CVE--2026--39828

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.175%
EPSS Percentile7th percentile
Description

When an SSH server authentication callback returned PartialSuccessError with non-nil Permissions, those permissions were silently discarded, potentially dropping certificate restrictions such as force-command after a second factor succeeded. Returning non-nil Permissions with PartialSuccessError now results in a connection error.

medium : CVE--2026--46598

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.313%
EPSS Percentile23rd percentile
Description

For certain crafted inputs, a 'ed25519.PrivateKey' was created by casting malformed wire bytes, leading to a panic when used.

medium : CVE--2026--39835

Affected range<0.52.0
Fixed version0.52.0
EPSS Score0.210%
EPSS Percentile11th percentile
Description

SSH servers which use CertChecker as a public key callback without setting IsUserAuthority or IsHostAuthority could be caused to panic by a client presenting a certificate. CertChecker now returns an error instead of panicking when these callbacks are nil.

critical: 1 high: 16 medium: 19 low: 1 stdlib 1.25.0 (golang)

pkg:golang/stdlib@1.25.0

# Dockerfile (272:272)
RUN set -o pipefail && curl https://getcroc.schollz.com | bash || curl https://getcroc.schollz.com | sed 's^croc_base_url="https://github.com/schollz/croc/releases/download"^croc_base_url="file://"^g' | bash

critical : CVE--2025--68121

Affected range>=1.25.0-0
<1.25.7
Fixed version1.25.7
EPSS Score0.765%
EPSS Percentile51st percentile
Description

During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed. This may happen when a user calls Config.Clone and mutates the returned Config, or uses Config.GetConfigForClient. This can cause a client to resume a session with a server that it would not have resumed with during the initial handshake, or cause a server to resume a session with a client that it would not have resumed with during the initial handshake.

high : CVE--2026--42504

Affected range<1.25.11
Fixed version1.25.11
EPSS Score0.560%
EPSS Percentile42nd percentile
Description

Decoding a maliciously-crafted MIME header containing many invalid encoded-words can consume excessive CPU.

high : CVE--2026--42499

Affected range<1.25.10
Fixed version1.25.10
EPSS Score0.577%
EPSS Percentile43rd percentile
Description

Pathological inputs could cause DoS through consumePhrase when parsing an email address according to RFC 5322.

high : CVE--2026--39836

Affected range<1.25.10
Fixed version1.25.10
EPSS Score0.588%
EPSS Percentile44th percentile
Description

The Dial and LookupPort functions panic on Windows when provided with an input containing a NUL (0).

high : CVE--2026--39820

Affected range<1.25.10
Fixed version1.25.10
EPSS Score0.486%
EPSS Percentile38th percentile
Description

Well-crafted inputs reaching ParseAddress, ParseAddressList, and ParseDate were able to trigger excessive CPU exhaustion and memory allocations.

high : CVE--2026--33814

Affected range<1.25.10
Fixed version1.25.10
EPSS Score0.565%
EPSS Percentile43rd percentile
Description

When processing HTTP/2 SETTINGS frames, transport will enter an infinite loop of writing CONTINUATION frames if it receives a SETTINGS_MAX_FRAME_SIZE with a value of 0.

high : CVE--2026--33811

Affected range<1.25.10
Fixed version1.25.10
EPSS Score0.588%
EPSS Percentile44th percentile
Description

When using LookupCNAME with the cgo DNS resolver, a very long CNAME response can trigger a double-free of C memory and a crash.

high : CVE--2026--32283

Affected range<1.25.9
Fixed version1.25.9
EPSS Score0.449%
EPSS Percentile36th percentile
Description

If one side of the TLS connection sends multiple key update messages post-handshake in a single record, the connection can deadlock, causing uncontrolled consumption of resources. This can lead to a denial of service.

This only affects TLS 1.3.

high : CVE--2026--32281

Affected range<1.25.9
Fixed version1.25.9
EPSS Score0.349%
EPSS Percentile27th percentile
Description

Validating certificate chains which use policies is unexpectedly inefficient when certificates in the chain contain a very large number of policy mappings, possibly causing denial of service.

This only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Roots CertPool, or in the system certificate pool.

high : CVE--2026--32280

Affected range<1.25.9
Fixed version1.25.9
EPSS Score0.378%
EPSS Percentile30th percentile
Description

During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions.Intermediates, which can lead to a denial of service. This affects both direct users of crypto/x509 and users of crypto/tls.

high : CVE--2026--25679

Affected range<1.25.8
Fixed version1.25.8
EPSS Score0.520%
EPSS Percentile40th percentile
Description

url.Parse insufficiently validated the host/authority component and accepted some invalid URLs.

high : CVE--2025--61729

Affected range>=1.25.0
<1.25.5
Fixed version1.25.5
EPSS Score0.451%
EPSS Percentile36th percentile
Description

Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a malicious actor can result in excessive resource consumption.

high : CVE--2025--61726

Affected range>=1.25.0
<1.25.6
Fixed version1.25.6
EPSS Score0.761%
EPSS Percentile51st percentile
Description

The net/url package does not set a limit on the number of query parameters in a query.

While the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse large URL-encoded forms. Parsing a large form containing many unique query parameters can cause excessive memory consumption.

high : CVE--2025--61725

Affected range>=1.25.0
<1.25.2
Fixed version1.25.2
EPSS Score0.613%
EPSS Percentile45th percentile
Description

The ParseAddress function constructs domain-literal address components through repeated string concatenation. When parsing large domain-literal components, this can cause excessive CPU consumption.

high : CVE--2025--61723

Affected range>=1.25.0
<1.25.2
Fixed version1.25.2
EPSS Score0.626%
EPSS Percentile45th percentile
Description

The processing time for parsing some invalid inputs scales non-linearly with respect to the size of the input.

This affects programs which parse untrusted PEM inputs.

high : CVE--2025--58188

Affected range>=1.25.0
<1.25.2
Fixed version1.25.2
EPSS Score0.361%
EPSS Percentile28th percentile
Description

Validating certificate chains which contain DSA public keys can cause programs to panic, due to a interface cast that assumes they implement the Equal method.

This affects programs which validate arbitrary certificate chains.

high : CVE--2025--58187

Affected range>=1.25.0
<1.25.3
Fixed version1.25.3
EPSS Score0.384%
EPSS Percentile30th percentile
Description

Due to the design of the name constraint checking algorithm, the processing time of some inputs scale non-linearly with respect to the size of the certificate.

This affects programs which validate arbitrary certificate chains.

medium : CVE--2026--27145

Affected range<1.25.11
Fixed version1.25.11
EPSS Score0.561%
EPSS Percentile42nd percentile
Description

(*x509.Certificate).VerifyHostname previously called matchHostnames in a loop over all DNS Subject Alternative Name (SAN) entries. This caused strings.Split(host, ".") to execute repeatedly on the same input hostname.

With a large DNS SAN list, verification costs scaled quadratically based on the number of SAN entries multiplied by the hostname's label count. Because x509.Verify validates hostnames before building the certificate chain, this overhead occurred even for untrusted certificates.

medium : CVE--2025--61728

Affected range>=1.25.0
<1.25.6
Fixed version1.25.6
EPSS Score0.643%
EPSS Percentile46th percentile
Description

archive/zip uses a super-linear file name indexing algorithm that is invoked the first time a file in an archive is opened. This can lead to a denial of service when consuming a maliciously constructed ZIP archive.

medium : CVE--2025--61727

Affected range>=1.25.0
<1.25.5
Fixed version1.25.5
EPSS Score0.270%
EPSS Percentile19th percentile
Description

An excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard SANs in the leaf certificate. For example a constraint that excludes the subdomain test.example.com does not prevent a leaf certificate from claiming the SAN *.example.com.

medium : CVE--2026--32282

Affected range<1.25.9
Fixed version1.25.9
EPSS Score0.292%
EPSS Percentile21st percentile
Description

On Linux, if the target of Root.Chmod is replaced with a symlink while the chmod operation is in progress, Chmod can operate on the target of the symlink, even when the target lies outside the root.

The Linux fchmodat syscall silently ignores the AT_SYMLINK_NOFOLLOW flag, which Root.Chmod uses to avoid symlink traversal. Root.Chmod checks its target before acting and returns an error if the target is a symlink lying outside the root, so the impact is limited to cases where the target is replaced with a symlink between the check and operation.

medium : CVE--2026--39826

Affected range<1.25.10
Fixed version1.25.10
EPSS Score0.371%
EPSS Percentile29th percentile
Description

If a trusted template author were to write a <script> tag containing an empty 'type' attribute or a 'type' attribute with an ASCII whitespace, the execution of the template would incorrectly escape any data passed into the <script> block.

medium : CVE--2026--39823

Affected range<1.25.10
Fixed version1.25.10
EPSS Score0.314%
EPSS Percentile23rd percentile
Description

CVE-2026-27142 fixed a vulnerability in which URLs were not correctly escaped inside of a tag's attribute. If the URL content were to insert ASCII whitespaces around the '=' rune inside of the attribute, the escaper would fail to similarly escape it, leading to XSS.

medium : CVE--2026--32289

Affected range<1.25.9
Fixed version1.25.9
EPSS Score0.290%
EPSS Percentile21st percentile
Description

Context was not properly tracked across template branches for JS template literals, leading to possibly incorrect escaping of content when branches were used. Additionally template actions within JS template literals did not properly track the brace depth, leading to incorrect escaping being applied.

These issues could cause actions within JS template literals to be incorrectly or improperly escaped, leading to XSS vulnerabilities.

medium : CVE--2026--27142

Affected range<1.25.8
Fixed version1.25.8
EPSS Score0.328%
EPSS Percentile25th percentile
Description

Actions which insert URLs into the content attribute of HTML meta tags are not escaped. This can allow XSS if the meta tag also has an http-equiv attribute with the value "refresh".

A new GODEBUG setting has been added, htmlmetacontenturlescape, which can be used to disable escaping URLs in actions in the meta content attribute which follow "url=" by setting htmlmetacontenturlescape=0.

medium : CVE--2026--32288

Affected range<1.25.9
Fixed version1.25.9
EPSS Score0.290%
EPSS Percentile21st percentile
Description

tar.Reader can allocate an unbounded amount of memory when reading a maliciously-crafted archive containing a large number of sparse regions encoded in the "old GNU sparse map" format.

medium : CVE--2025--47910

Affected range>=1.25.0
<1.25.1
Fixed version1.25.1
EPSS Score0.308%
EPSS Percentile22nd percentile
Description

When using http.CrossOriginProtection, the AddInsecureBypassPattern method can unexpectedly bypass more requests than intended. CrossOriginProtection then skips validation, but forwards the original request path, which may be served by a different handler without the intended security protections.

medium : CVE--2026--42507

Affected range<1.25.11
Fixed version1.25.11
EPSS Score0.370%
EPSS Percentile29th percentile
Description

When returning errors, functions in the net/textproto package would include its input as part of the error. This might allow an attacker to inject misleading content to errors that are printed or logged.

medium : CVE--2026--39825

Affected range<1.25.10
Fixed version1.25.10
EPSS Score0.390%
EPSS Percentile31st percentile
Description

ReverseProxy can forward queries containing parameters not visible to Rewrite functions.

When used with a Rewrite function, or a Director function which parses query parameters, ReverseProxy sanitizes the forwarded request to remove query parameters which are not parsed by url.ParseQuery. ReverseProxy does not take ParseQuery's limit on the total number of query parameters (controlled by GODEBUG=urlmaxqueryparams=N) into account. This can permit ReverseProxy to forward a request containing a query parameter that is not visible to the Rewrite function.

For example, the query "a1=x&a2=x&...&a10000=x&hidden=y" can forward the parameter "hidden=y" while hiding it from the proxy's Rewrite function.

medium : CVE--2025--61730

Affected range>=1.25.0
<1.25.6
Fixed version1.25.6
EPSS Score0.276%
EPSS Percentile19th percentile
Description

During the TLS 1.3 handshake if multiple messages are sent in records that span encryption level boundaries (for instance the Client Hello and Encrypted Extensions messages), the subsequent messages may be processed before the encryption level changes. This can cause some minor information disclosure if a network-local attacker can inject messages during the handshake.

medium : CVE--2025--61724

Affected range>=1.25.0
<1.25.2
Fixed version1.25.2
EPSS Score0.526%
EPSS Percentile41st percentile
Description

The Reader.ReadResponse function constructs a response string through repeated string concatenation of lines. When the number of lines in a response is large, this can cause excessive CPU consumption.

medium : CVE--2025--58189

Affected range>=1.25.0
<1.25.2
Fixed version1.25.2
EPSS Score0.443%
EPSS Percentile35th percentile
Description

When Conn.Handshake fails during ALPN negotiation the error contains attacker controlled information (the ALPN protocols sent by the client) which is not escaped.

medium : CVE--2025--58186

Affected range>=1.25.0
<1.25.2
Fixed version1.25.2
EPSS Score0.534%
EPSS Percentile41st percentile
Description

Despite HTTP headers having a default limit of 1MB, the number of cookies that can be parsed does not have a limit. By sending a lot of very small cookies such as "a=;", an attacker can make an HTTP server allocate a large amount of structs, causing large memory consumption.

medium : CVE--2025--58185

Affected range>=1.25.0
<1.25.2
Fixed version1.25.2
EPSS Score0.526%
EPSS Percentile41st percentile
Description

Parsing a maliciously crafted DER payload could allocate large amounts of memory, causing memory exhaustion.

medium : CVE--2025--47912

Affected range>=1.25.0
<1.25.2
Fixed version1.25.2
EPSS Score0.443%
EPSS Percentile35th percentile
Description

The Parse function permits values other than IPv6 addresses to be included in square brackets within the host component of a URL. RFC 3986 permits IPv6 addresses to be included within the host component, enclosed within square brackets. For example: "http://[::1]/". IPv4 addresses and hostnames must not appear within square brackets. Parse did not enforce this requirement.

medium : CVE--2025--58183

Affected range>=1.25.0
<1.25.2
Fixed version1.25.2
EPSS Score0.419%
EPSS Percentile34th percentile
Description

tar.Reader does not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A maliciously-crafted archive containing a large number of sparse regions can cause a Reader to read an unbounded amount of data from the archive into memory. When reading from a compressed source, a small compressed input can result in large allocations.

low : CVE--2026--27139

Affected range<1.25.8
Fixed version1.25.8
EPSS Score0.201%
EPSS Percentile10th percentile
Description

On Unix platforms, when listing the contents of a directory using File.ReadDir or File.Readdir the returned FileInfo could reference a file outside of the Root in which the File was opened.

The impact of this escape is limited to reading metadata provided by lstat from arbitrary locations on the filesystem without permitting reading or writing files outside the root.

critical: 1 high: 0 medium: 5 low: 0 golang.org/x/net 0.54.0 (golang)

pkg:golang/golang.org/x/net@0.54.0

# Dockerfile (272:272)
RUN set -o pipefail && curl https://getcroc.schollz.com | bash || curl https://getcroc.schollz.com | sed 's^croc_base_url="https://github.com/schollz/croc/releases/download"^croc_base_url="file://"^g' | bash

critical : CVE--2026--39821

Affected range<0.55.0
Fixed version0.55.0
EPSS Score0.344%
EPSS Percentile26th percentile
Description

The ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to an ASCII-only label. For example, ToUnicode("xn--example-.com") incorrectly returns the name "example.com" rather than an error.

This behavior can lead to privilege escalation in programs using the idna package. For example, a program which performs privilege checks on the ASCII hostname may reject "example.com" but permit "xn--example-.com". If that program subsequently converts the ASCII hostname to Unicode, it will inadvertently permits access to the Unicode name "example.com".

medium : CVE--2026--25680

Affected range<0.55.0
Fixed version0.55.0
EPSS Score0.248%
EPSS Percentile16th percentile
Description

Parsing arbitrary HTML can consume excessive CPU time, possibly leading to denial of service.

medium : CVE--2026--42506

Affected range<0.55.0
Fixed version0.55.0
EPSS Score0.188%
EPSS Percentile9th percentile
Description

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

medium : CVE--2026--42502

Affected range<0.55.0
Fixed version0.55.0
EPSS Score0.178%
EPSS Percentile8th percentile
Description

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

medium : CVE--2026--27136

Affected range<0.55.0
Fixed version0.55.0
EPSS Score0.178%
EPSS Percentile8th percentile
Description

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

medium : CVE--2026--25681

Affected range<0.55.0
Fixed version0.55.0
EPSS Score0.178%
EPSS Percentile8th percentile
Description

Parsing arbitrary HTML which is then rendered using Render can result in an unexpected HTML tree. This can be leveraged to execute XSS attacks in applications that attempt to sanitize input HTML before rendering.

critical: 0 high: 0 medium: 5 low: 0 unspecified: 1jquery-ui 1.11.2 (npm)

pkg:npm/jquery-ui@1.11.2

# Dockerfile (258:258)
COPY --from=build /tmp/install /flightgear/script/dnc-managed/install

medium 6.5: CVE--2021--41184 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range<1.13.0
Fixed version1.13.0
CVSS Score6.5
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
EPSS Score42.847%
EPSS Percentile99th percentile
Description

Impact

Accepting the value of the of option of the .position() util from untrusted sources may execute untrusted code. For example, invoking the following code:

$( "#element" ).position( {
	my: "left top",
	at: "right bottom",
	of: "<img onerror='doEvilThing()' src='/404' />",
	collision: "none"
} );

will call the doEvilThing() function.

Patches

The issue is fixed in jQuery UI 1.13.0. Any string value passed to the of option is now treated as a CSS selector.

Workarounds

A workaround is to not accept the value of the of option from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

medium 6.5: CVE--2021--41183 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range<1.13.0
Fixed version1.13.0
CVSS Score6.5
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
EPSS Score7.948%
EPSS Percentile94th percentile
Description

Impact

Accepting the value of various *Text options of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker in the following way:

$( "#datepicker" ).datepicker( {
	showButtonPanel: true,
	showOn: "both",
	closeText: "<script>doEvilThing( 'closeText XSS' )</script>",
	currentText: "<script>doEvilThing( 'currentText XSS' )</script>",
	prevText: "<script>doEvilThing( 'prevText XSS' )</script>",
	nextText: "<script>doEvilThing( 'nextText XSS' )</script>",
	buttonText: "<script>doEvilThing( 'buttonText XSS' )</script>",
	appendText: "<script>doEvilThing( 'appendText XSS' )</script>",
} );

will call doEvilThing with 6 different parameters coming from all *Text options.

Patches

The issue is fixed in jQuery UI 1.13.0. The values passed to various *Text options are now always treated as pure text, not HTML.

Workarounds

A workaround is to not accept the value of the *Text options from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

medium 6.5: CVE--2021--41182 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range<1.13.0
Fixed version1.13.0
CVSS Score6.5
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
EPSS Score37.788%
EPSS Percentile98th percentile
Description

Impact

Accepting the value of the altField option of the Datepicker widget from untrusted sources may execute untrusted code. For example, initializing the datepicker in the following way:

$( "#datepicker" ).datepicker( {
	altField: "<img onerror='doEvilThing()' src='/404' />",
} );

will call the doEvilThing function.

Patches

The issue is fixed in jQuery UI 1.13.0. Any string value passed to the altField option is now treated as a CSS selector.

Workarounds

A workaround is to not accept the value of the altField option from untrusted sources.

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

medium 6.1: CVE--2022--31160 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range<1.13.2
Fixed version1.13.2
CVSS Score6.1
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS Score1.933%
EPSS Percentile78th percentile
Description

Impact

Initializing a checkboxradio widget on an input enclosed within a label makes that parent label contents considered as the input label. If you call .checkboxradio( "refresh" ) on such a widget and the initial HTML contained encoded HTML entities, they will erroneously get decoded. This can lead to potentially executing JavaScript code.

For example, starting with the following initial secure HTML:

<label>
	<input id="test-input">
	&lt;img src=x onerror="alert(1)"&gt;
</label>

and calling:

$( "#test-input" ).checkboxradio();
$( "#test-input" ).checkboxradio( "refresh" );

will turn the initial HTML into:

<label>
	<!-- some jQuery UI elements -->
	<input id="test-input">
	<img src=x onerror="alert(1)">
</label>

and the alert will get executed.

Patches

The bug has been patched in jQuery UI 1.13.2.

Workarounds

To remediate the issue, if you can change the initial HTML, you can wrap all the non-input contents of the label in a span:

<label>
	<input id="test-input">
	<span>&lt;img src=x onerror="alert(1)"&gt;</span>
</label>

References

https://blog.jqueryui.com/2022/07/jquery-ui-1-13-2-released/

For more information

If you have any questions or comments about this advisory, search for a relevant issue in the jQuery UI repo. If you don't find an answer, open a new issue.

medium 6.1: CVE--2016--7103 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected range<1.12.0
Fixed version1.12.0
CVSS Score6.1
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS Score22.580%
EPSS Percentile97th percentile
Description

Affected versions of jquery-ui are vulnerable to a cross-site scripting vulnerability when arbitrary user input is supplied as the value of the closeText parameter in the dialog function.

jQuery-UI is a library for manipulating UI elements via jQuery.

Version 1.11.4 has a cross site scripting (XSS) vulnerability in the closeText parameter of the dialog function. If your application passes user input to this parameter, it may be vulnerable to XSS via this attack vector.

Recommendation

Upgrade to jQuery-UI 1.12.0 or later.

unspecified : GMS--2016--46 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

Affected range<=1.11.4
Fixed version1.12.0
Description

jQuery-UI has a cross site scripting (XSS) vulnerability in the closeText parameter of the dialog function. If your application passes user input to this parameter, it may be vulnerable to XSS via this attack vector.

critical: 0 high: 0 medium: 1 low: 0 unspecified: 3libssh2-1t64 1.11.1-1 (deb)

pkg:deb/debian/libssh2-1t64@1.11.1-1?arch=s390x&distro=debian-13&upstream=libssh2

# Dockerfile (270:270)
RUN DEBIAN_FRONTEND=noninteractive apt-get update && apt --no-install-recommends install -y curl ca-certificates python3 python-is-python3 python3-pyqt5 libopengl0 && rm -rf /var/lib/apt/lists/* /var/cache/apt/*

medium : CVE--2026--7598

Affected range<1.11.1-1+deb13u1
Fixed version1.11.1-1+deb13u1
EPSS Score0.355%
EPSS Percentile27th percentile
Description

A security vulnerability has been detected in libssh2 up to 1.11.1. The impacted element is the function userauth_password of the file src/userauth.c. Such manipulation of the argument username_len/password_len leads to integer overflow. The attack may be launched remotely. The name of the patch is 256d04b60d80bf1190e96b0ad1e91b2174d744b1. A patch should be applied to remediate this issue.


unspecified : CVE--2026--55200

Affected range<1.11.1-1+deb13u1
Fixed version1.11.1-1+deb13u1
EPSS Score0.922%
EPSS Percentile56th percentile
Description

libssh2 through 1.11.1, fixed in commit 7acf3df contains an out-of-bounds write vulnerability in ssh2_transport_read() that fails to enforce upper bounds on packet_length field. Remote attackers can send crafted SSH packets with excessively large packet_length values to corrupt heap memory and achieve remote code execution.


unspecified : CVE--2026--55199

Affected range<1.11.1-1+deb13u1
Fixed version1.11.1-1+deb13u1
EPSS Score0.408%
EPSS Percentile33rd percentile
Description

libssh2 through 1.11.1, fixed in commit 1762685, contains a pre-authentication denial of service vulnerability in the SSH_MSG_EXT_INFO handler in src/packet.c that allows a malicious SSH server to cause a client CPU exhaustion loop by sending a crafted extension count value. A malicious server can set nr_extensions to 0xFFFFFFFF during key exchange, causing the client to spin in a tight CPU loop for over 60 seconds because return values from _libssh2_get_string() are unchecked and the session timeout does not apply to CPU-bound loops.


unspecified : CVE--2025--15661

Affected range<1.11.1-1+deb13u1
Fixed version1.11.1-1+deb13u1
EPSS Score0.267%
EPSS Percentile18th percentile
Description

libssh2 through 1.11.1, fixed in commit 2dae302, contains an out-of-bounds heap read vulnerability in the sftp_symlink() function in src/sftp.c that allows a malicious SSH server or man-in-the-middle attacker to disclose heap memory contents or cause a crash by sending a crafted SSH_FXP_NAME response. Attackers can supply a link_len value larger than the actual packet data in SSH_FXP_NAME responses for SFTP READLINK and REALPATH operations, triggering a heap buffer over-read of up to target_len minus one bytes due to the missing validation of available packet buffer size before the memcpy operation.


@github-actions

Copy link
Copy Markdown
Contributor

Recommended fixes for image (linux/s390x) jlp04/elevation-generator:latest

Base image is debian:latest

Name13.5
Digestsha256:cf26a338b2e8dc0f098eb1b34f5d0b57189d12dca0974b1fe37f59065f01bbe7
Vulnerabilitiescritical: 1 high: 2 medium: 3 low: 25 unspecified: 2
Pushed2 weeks ago
Size49 MB
Packages111
OS13.5
The base image is also available under the supported tag(s): 13, 13.5, trixie

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

✅ There are no tag recommendations at this time.

@github-actions github-actions Bot merged commit 9ae0340 into main Jun 30, 2026
33 of 39 checks passed
@github-actions github-actions Bot deleted the ws30 branch June 30, 2026 16:52
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

pr-pull This PR is ready to be merged, and the changes within are ready to be promoted to the `latest` tag

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant