How to Fix jQuery UI Vulnerabilities: Resolving CVEs in Outdated Versions
Patch CVE-2021-41182, CVE-2021-41183, CVE-2021-41184, and CVE-2010-5312 Without Breaking Your Application
jQuery UI powers millions of websites. It provides the datepickers, dialogs, drag-and-drop interactions, and autocomplete fields that users interact with daily, often without anyone on the development team giving it a second thought.
The jQuery UI project itself is alive and well. Version 1.14.2 is the current stable release, with compatibility all the way up to jQuery 4.0. But here's the problem: the jQuery UI maintainers have been clear that the project is in maintenance mode, and older version lines like 1.8.x, 1.12.x, and 1.13.x are no longer supported. That means no security patches, no backports, and no fixes - even for known, exploitable XSS vulnerabilities.
If your application is pinned to one of those older versions (and statistically, there's a good chance it is), you have unpatched cross-site scripting vulnerabilities sitting in production right now.
This post covers the current state of jQuery UI, the specific CVEs that affect older versions, the breaking changes that make upgrading to 1.14 difficult, and how HeroDevs Never-Ending Support (NES) for jQuery UI provides a way to get secure without the disruption of a full migration.
jQuery UI Is Still Everywhere - and Most of It Is Outdated
jQuery remains the most widely deployed JavaScript library on the web. W3Techs data shows it running on roughly 75% of all websites, and npm download stats put the jquery-ui package at over 570,000 weekly downloads. Snyk classifies jquery-ui as an "Influential project" based on its sustained download volume.
The 2025 Open Source Security and Risk Analysis (OSSRA) report found jQuery present in 32% of all scanned codebases, making it the single most commonly used vulnerable component. Eight of the top ten high-risk vulnerabilities in the entire report were jQuery-related. And 90% of the jQuery instances found were more than four years out of date.
That last number is the critical one. jQuery UI 1.14 exists and it's patched - but the overwhelming majority of real-world installations aren't running it. They're running 1.8.x, 1.10.x, 1.11.x, 1.12.x, or 1.13.x, and those versions will not receive patches from the open-source project.
jQuery UI appears throughout enterprise software stacks. It ships bundled in Drupal core, it's a dependency of countless WordPress plugins, and major vendors including IBM, Telerik, and NetApp have issued security bulletins about jQuery UI vulnerabilities affecting their products. If your application was built between 2009 and 2020, there's a strong chance jQuery UI is in your dependency tree, even if nobody on your team remembers putting it there.
The CVEs Affecting Older jQuery UI Versions
Older jQuery UI versions carry four known XSS vulnerabilities that the open-source project fixed only in later releases (1.13.0 for the three 2021 CVEs, 1.10.0 for the Dialog title issue). If you're on an earlier version, these remain unpatched in your codebase. These are the vulnerabilities that HeroDevs patches in its NES releases:
CVE-2021-41182 - Datepicker altField XSS: The Datepicker widget fails to properly sanitize its altField option. If this value originates from untrusted input, an attacker can inject and execute arbitrary JavaScript in the context of the victim's browser session. This enables session hijacking, cookie theft, and content manipulation. Fixed in jQuery UI 1.13.0. CVSS 6.1.
CVE-2021-41183 - Datepicker Text Options XSS: Multiple text options within the Datepicker widget - including button text and display strings - are also vulnerable to script injection when populated with untrusted data. Same attack surface, same potential impact. Fixed in jQuery UI 1.13.0. CVSS 6.1.
CVE-2021-41184 - Position Utility 'of' Option XSS: The .position() utility's 'of' option accepts user-supplied input without sufficient sanitization, enabling XSS through crafted selector strings. Because .position() is used internally by multiple jQuery UI widgets (Dialog, Autocomplete, Menu, Tooltip), this vulnerability has a wide impact radius. Fixed in jQuery UI 1.13.0. CVSS 6.1.
CVE-2010-5312 - Dialog title XSS: The Dialog widget's title option does not sanitize input before rendering it as HTML. This is one of the oldest known jQuery UI vulnerabilities, originally disclosed over a decade ago, and it remains unpatched in jQuery UI versions prior to 1.10.0. CVSS 6.1.
All four vulnerabilities allow remote attackers to execute scripts in a victim's browser within the security context of the hosting site. In practical terms, that means stolen authentication cookies, manipulated page content, phishing overlays, and lateral movement through session hijacking.
Enterprise vendors including IBM have rated the trio of 2021 CVEs at a CVSS of 7.2 in their own security bulletins, reflecting the elevated risk when these libraries are embedded in business-critical software where exploitation requires no authentication and can cross security boundaries.
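As an added example (not code from this post or from the jQuery UI project), a small Node.js audit that maps a jquery-ui dependency spec or a $.ui.version string to whichever of the four CVEs above are still unfixed at that upstream version, using the fix versions given in the list (1.13.0 for the 2021 CVEs, 1.10.0 for CVE-2010-5312). The sample package.json entries are constructed; the NES alias handling simply takes the post's statement that NES builds backport all four fixes.

```javascript
// Added example, not code from the HeroDevs post or the jQuery UI project.
// Maps a "jquery-ui" dependency spec (or $.ui.version) to the CVEs listed
// above that remain unpatched at that upstream version.
const JQUERY_UI_CVES = [
  { id: "CVE-2021-41182", where: "Datepicker altField option", fixedIn: "1.13.0" },
  { id: "CVE-2021-41183", where: "Datepicker text options", fixedIn: "1.13.0" },
  { id: "CVE-2021-41184", where: ".position() 'of' option", fixedIn: "1.13.0" },
  { id: "CVE-2010-5312", where: "Dialog title option", fixedIn: "1.10.0" },
];

// npm alias prefix used in the post's package.json snippet for the NES build.
const NES_ALIAS = "npm:@neverendingsupport/jquery-ui@";

// "^1.12.1", "1.8", "v1.13.0-rc.1" -> [1, 12, 1] etc. Range operators and
// pre-release tags are ignored, so a pre-release sorts as its final version.
function parseVersion(spec) {
  const m = /(\d+)\.(\d+)(?:\.(\d+))?/.exec(String(spec));
  if (!m) throw new Error(`no version found in jquery-ui spec: ${spec}`);
  return [Number(m[1]), Number(m[2]), Number(m[3] ?? 0)];
}

// Numeric comparison per component, so 1.9.x < 1.10.0 (a string compare would
// get this wrong and report 1.9.x as already carrying the 1.10.0 fix).
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

// Upstream version -> ids of the listed CVEs still unpatched at that version.
function unpatchedCves(version) {
  return JQUERY_UI_CVES.filter((c) => compareVersions(version, c.fixedIn) < 0)
    .map((c) => c.id);
}

// Audit one package.json "jquery-ui" value. An NES alias is reported as patched
// on the strength of the post's claim that NES backports all four fixes; judged
// by upstream version number alone, a 1.8.x build would still be flagged.
function auditJqueryUi(dependencySpec) {
  if (dependencySpec.startsWith(NES_ALIAS)) {
    return { source: "herodevs-nes", spec: dependencySpec, unpatched: [] };
  }
  return { source: "upstream", spec: dependencySpec, unpatched: unpatchedCves(dependencySpec) };
}

// Constructed sample dependency specs, covering each behaviour above.
const SAMPLE_SPECS = ["^1.8.24", "~1.12.1", "1.13.2", NES_ALIAS + "1.8.24-jquery-ui-1.8.26"];
for (const spec of SAMPLE_SPECS) console.log(auditJqueryUi(spec));
```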
Why Upgrading to jQuery UI 1.14 Is Harder Than It Sounds
If the fix were simply "run npm update," this wouldn't be a problem. But jQuery UI has accumulated significant breaking changes across its major version lines, and each jump introduces real risk for applications that have been stable in production for years.
From 1.8.x to 1.12+: A complete API overhaul. jQuery UI 1.12 introduced API redesigns for Button, Buttonset, Dialog, Draggable, Droppable, Menu, Mouse, Resizable, Selectable, Sortable, Tabs, Tooltip, and Effects. While 1.12 and 1.13 include a backwards-compatibility layer (controlled by $.uiBackCompat), relying on that layer means your application is running deprecated code paths that could be removed at any time.
From 1.13.x to 1.14.x: The compat layer flips off by default. jQuery UI 1.14 reverses the default behavior: backwards compatibility with the 1.11 API is now disabled by default. If your code relied on legacy APIs that were silently supported in 1.13, upgrading to 1.14 will break things out of the box. You can re-enable it by setting $.uiBackCompat = true, but that's a temporary band-aid on APIs the project intends to remove.
Browser support drops sharply. jQuery UI 1.14 drops all support for Internet Explorer and Edge Legacy. Code that specifically handled those browsers has been deleted, not just deprecated. For organizations that still need to support IE11 users (government, healthcare, financial services), this is a non-starter.
jQuery Core version requirements tighten. jQuery UI 1.13 dropped support for jQuery 1.7 (minimum is now 1.8.0). jQuery UI 1.14 went further, dropping support for jQuery 1.7–1.11, 2.0–2.1, and 3.0–3.5. If your application is pinned to an older jQuery Core version, and many enterprise apps are, upgrading jQuery UI may require upgrading jQuery Core as well, which cascades into testing every jQuery plugin and interaction in your stack.
Additional breakage in 1.14. The bundled jQuery Color library jumped from v2 to v3, changing how color values are serialized (spaces after commas, rgba(0, 0, 0, 0) instead of transparent). Several private APIs were removed entirely: $.fn._form, $.ui.ie, $.ui.safeActiveElement, and $.ui.safeBlur. If any of your code or third-party plugins touch these internals, they will fail silently or throw errors.
This is the core problem: for teams on older versions, upgrading jQuery UI to 1.14 isn't just a package update. It's a migration project that requires regression testing across your entire UI surface area. For organizations on jQuery UI 1.8.x, it may be closer to a rewrite.
What HeroDevs NES for jQuery UI Provides
HeroDevs Never-Ending Support (NES) for jQuery UI takes a different approach. Instead of asking you to upgrade to a version with different APIs, different browser support, and different jQuery Core requirements, NES delivers security patches directly into the version you're already running.
HeroDevs currently provides NES for three jQuery UI version lines: 1.8.x, 1.13.x, and 1.14.x.
The 1.8.x NES release is especially significant. The January 2026 release (version 1.8.26) backports fixes for all four CVEs, including the three 2021 XSS vulnerabilities and the decade-old Dialog title vulnerability, directly into the 1.8.x codebase. No API changes. No new jQuery Core requirements. No browser support changes. It's a secure drop-in replacement.
Installation is a one-line change to package.json plus an .npmrc entry pointing to the HeroDevs NES registry:
```json
{
  "dependencies": {
    "jquery-ui": "npm:@neverendingsupport/jquery-ui@1.8.24-jquery-ui-1.8.26"
  }
}
```
Run npm install, execute your existing integration tests, and you're patched.
Who Needs This
If any of these describe your situation, jQuery UI NES is worth evaluating:
You're running jQuery UI older than 1.14. Versions 1.8.x through 1.13.x have known, unpatched XSS vulnerabilities, and the open-source project will not release fixes for those version lines. HeroDevs NES will.
Your security scanner is flagging jQuery UI CVEs. If Snyk, Qualys, Black Duck, or another scanner is flagging CVE-2021-41182, CVE-2021-41183, CVE-2021-41184, or CVE-2010-5312 against your application, NES resolves those findings with actual code fixes - not scanner exceptions or risk acceptance forms.
You need compliance with SOC 2, PCI DSS, FedRAMP, or the EU Cyber Resilience Act. These frameworks require timely remediation of known vulnerabilities. Running unpatched jQuery UI in production creates audit findings on your compliance report.
A full migration to jQuery UI 1.14 or a modern UI framework isn't in this quarter's roadmap. Migrating to the latest jQuery UI (with all the breaking changes that entails) or moving off jQuery UI entirely to React, Vue, or a headless component library is the right long-term play. But it takes months of engineering effort for most enterprise codebases. NES buys you time by making your current stack secure while you plan the migration on your own timeline.
The Bottom Line
jQuery UI isn't dead, but the version you're probably running might as well be, from a security perspective. The project maintainers are focused on 1.14.x and beyond. If you're on 1.13.x or earlier, you're on your own for security patches. And if you're on 1.8.x, you're carrying four known XSS vulnerabilities that have been public knowledge for years.
HeroDevs NES for jQuery UI closes that gap. It delivers patched versions across the 1.8.x, 1.13.x, and 1.14.x lines, so you can resolve CVEs and pass audits without touching your application code.
If jQuery UI is in your stack, get in touch with HeroDevs to evaluate NES for your environment. You can also start a free trial of jQuery UI NES to validate compatibility with your application before committing.