CVE-2021-41183

Cross-Site Scripting
Affects jQuery UI in jQuery
Versions: <1.13.0
Patch Available

This vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

Overview

jQuery UI is a user interface library built on top of jQuery, providing a collection of widgets, interactions, effects, and themes for building rich, interactive web applications.

A moderate-severity Cross-Site Scripting (XSS) vulnerability (CVE-2021-41183) has been identified in jQuery UI. The Datepicker widget's handling of its text options could allow attackers to inject malicious scripts through unescaped user-supplied content in the appendText, buttonText, prevText, nextText, currentText, and closeText options, leading to arbitrary script execution in the victim's browser.

Per OWASP: Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user.

Details

Vulnerability Info

This moderate-severity vulnerability is found in jQuery UI versions less than 1.13.0. See the affected versions above for specific details.

The vulnerability affected six text options in the Datepicker widget:

  • appendText used HTML string concatenation in the _attachments method, allowing script injection through text displayed after the input field.
  • buttonText rendered trigger button text using the .html() method without escaping, enabling XSS through the button label.
  • prevText constructed previous month navigation links via HTML string building, allowing injection in navigation controls.
  • nextText constructed next month navigation links via HTML string building, allowing injection in navigation controls.
  • currentText built "Today" button HTML through string concatenation, enabling XSS in the button panel.
  • closeText built "Close" button HTML through string concatenation, enabling XSS in the button panel.

This vulnerability could be exploited by:

  • providing crafted content in text options containing script tags or event handlers
  • injecting malicious payloads like <script>alert(document.cookie)</script> through any of the six text options
  • exploiting applications that populate these options from user-controlled data sources

Mitigation

jQuery UI version 1.8.x is End-of-Life and will not receive any updates to address this issue from the jQuery team.

Users of the affected Datepicker widget should apply one of the following mitigations:

  • Upgrade affected applications to jQuery UI 1.13.0 or later.
  • Validate and sanitize any values from untrusted sources before passing them to the Datepicker.
  • Leverage a commercial support partner like HeroDevs for post-EOL security support.
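As an added illustration (not jQuery UI's or HeroDevs' own code), the following JavaScript contrasts the HTML string-concatenation pattern described for the six text options with an escaped equivalent, and shows a caller-side helper that escapes those options before they reach the widget, which is the "validate and sanitize" mitigation above in concrete form. The names escapeHtml, buildButtonHtmlUnsafe, buildButtonHtmlSafe and sanitizeDatepickerTextOptions are chosen here and are not jQuery UI APIs; the sample value is constructed from the payload quoted in this advisory. The block runs under Node without a DOM.

```javascript
// Added example, not jQuery UI code: the option names below are the six
// Datepicker text options this advisory lists.
const DATEPICKER_TEXT_OPTIONS = [
  "appendText", "buttonText", "prevText", "nextText", "currentText", "closeText",
];

// Minimal HTML escaping: the five characters that can change parsing context
// inside element text or a quoted attribute value.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern (illustrative of the concatenation the advisory describes):
// the option value lands in the markup untouched, so any tags it carries are parsed.
function buildButtonHtmlUnsafe(text) {
  return "<button type='button' class='ui-datepicker-close'>" + text + "</button>";
}

// Hardened pattern: same markup, but the option value is escaped first, so the
// browser renders it as literal text.
function buildButtonHtmlSafe(text) {
  return "<button type='button' class='ui-datepicker-close'>" + escapeHtml(text) + "</button>";
}

// Caller-side mitigation (hypothetical helper): return a copy of a Datepicker
// options object with the six text options escaped. Non-string values and
// unrelated options (for example dateFormat) are passed through unchanged.
function sanitizeDatepickerTextOptions(options) {
  const out = { ...options };
  for (const name of DATEPICKER_TEXT_OPTIONS) {
    if (typeof out[name] === "string") {
      out[name] = escapeHtml(out[name]);
    }
  }
  return out;
}

// Constructed sample: the payload quoted in this advisory, as it might arrive
// from a user-controlled data source.
const untrustedCloseText = "<script>alert(document.cookie)</script>";

console.log("unsafe :", buildButtonHtmlUnsafe(untrustedCloseText));
console.log("safe   :", buildButtonHtmlSafe(untrustedCloseText));
console.log("options:", sanitizeDatepickerTextOptions({
  closeText: untrustedCloseText,
  dateFormat: "yy-mm-dd",
}));
```

Apply the escaping once, at the point where untrusted data enters the options object. If the widget version in use already treats these options as text, escaping them a second time would show entities such as &lt; literally in the rendered button, so the helper is a stop-gap for builds that still concatenate raw strings, and upgrading to 1.13.0 or later remains the primary fix.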

Vulnerability Details

ID: CVE-2021-41183
Project Affected: jQuery UI
Versions Affected: <1.13.0
NES Versions Affected:
Published date: January 27, 2026
Approximate fix date: January 26, 2026
Severity: Medium
Category: Cross-Site Scripting

CVSS severity scale used above: Low >=0 <4; Medium >=4 <6; High >=6 <8; Critical >=8 <10