GHSA-h6gj-6jjq-h8g9 · Severity: medium · Ecosystem: npm — jQuery UI vulnerable to XSS when refreshing a checkboxradio with an HTML-like initial text label
jQuery UI is a curated set of user interface interactions, effects, widgets, and themes built on top of jQuery. Versions prior to 1.13.2 are potentially vulnerable to cross-site scripting. Initializing a checkboxradio widget on an input enclosed within a label makes that parent label contents considered as the input label. Calling `.checkboxradio( "refresh" )` on such a widget and the initial HTML contained encoded HTML entities will make them erroneously get decoded. This can lead to potentially executing JavaScript code. The bug has been patched in jQuery UI 1.13.2. To remediate the issue, someone who can change the initial HTML can wrap all the non-input contents of the `label` in a `span`.
Conclusion & alert: CVE-2022-31160 is rated High Exploit Risk (62.3/100): CVSS Medium severity, with medium exploitation likelihood (EPSS 1.90%). Core evidence: 1 public exploit reference(s) are indexed (Exploit-DB). Mandatory action: Public exploits are available—assess exposure, apply mitigations, and prioritize patching.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
| EDB-ID | Source | Kind | Published | Link |
|---|---|---|---|---|
| — | nvd_ref | exploit_tag | Exploit-DB ↗ |
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-15 | 5.87% | 1.90% | -3.98% |
| 2 | 2026-06-13 | 7.76% | 5.87% | -1.89% |
| 3 | 2026-05-06 | — | 7.76% | — |
Full EPSS history (58 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 6.1 | 3.1 | MEDIUM |
|
2.8 | 2.7 | [email protected] |
| 6.1 | 3.1 | MEDIUM |
|
2.8 | 2.7 | [email protected] |
GHSA-h6gj-6jjq-h8g9 · Severity: medium · Ecosystem: npm — jQuery UI vulnerable to XSS when refreshing a checkboxradio with an HTML-like initial text label
| vendor | priority | summary | link |
|---|---|---|---|
debian
|
not yet assigned | CVE-2022-31160 not yet assigned priority: Debian including 1 source packages (jqueryui), 5 status rows across 5 suites (bookworm, bullseye, forky, sid, trixie): resolved 5. | https://security-tracker.debian.org/tracker/CVE-2022-31160 |
redhat
|
high | — | https://access.redhat.com/security/cve/CVE-2022-31160 |
suse
|
medium | CVE-2022-31160 severity moderate: SUSE including 6 source package names (pgadmin4, pgadmin4-cloud, pgadmin4-desktop, pgadmin4-doc, pgadmin4-web-uwsgi, system-user-pgadmin), 6 product×package rows across 1 product lines (openSUSE Leap 15.6): Known Not Affected 6. | https://www.suse.com/security/cve/CVE-2022-31160/ |
ubuntu
|
medium | CVE-2022-31160 medium priority: Ubuntu including 1 source packages (jqueryui), 13 status rows across 13 suites (bionic, focal, jammy, kinetic, lunar, mantic, noble, oracular, plucky, questing, trusty, upstream, xenial): not-affected 8, released 4, ignored 1. | https://ubuntu.com/security/CVE-2022-31160 |
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| jqueryui | jquery_ui | < 1.13.2 | cpe:2.3:a:jqueryui:jquery_ui:*:*:*:*:*:jquery:*:* |
| netapp | h300s_firmware | — | cpe:2.3:o:netapp:h300s_firmware:-:*:*:*:*:*:*:* |
| netapp | h500s_firmware | — | cpe:2.3:o:netapp:h500s_firmware:-:*:*:*:*:*:*:* |
| netapp | h700s_firmware | — | cpe:2.3:o:netapp:h700s_firmware:-:*:*:*:*:*:*:* |
| netapp | h410s_firmware | — | cpe:2.3:o:netapp:h410s_firmware:-:*:*:*:*:*:*:* |
| netapp | h410c_firmware | — | cpe:2.3:o:netapp:h410c_firmware:-:*:*:*:*:*:*:* |
| netapp | oncommand_insight | — | cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:* |
| drupal | jquery_ui_checkboxradio | 8.x-1.0 | cpe:2.3:a:drupal:jquery_ui_checkboxradio:8.x-1.0:*:*:*:*:drupal:*:* |
| drupal | jquery_ui_checkboxradio | 8.x-1.1 | cpe:2.3:a:drupal:jquery_ui_checkboxradio:8.x-1.1:*:*:*:*:drupal:*:* |
| drupal | jquery_ui_checkboxradio | 8.x-1.2 | cpe:2.3:a:drupal:jquery_ui_checkboxradio:8.x-1.2:*:*:*:*:drupal:*:* |
| drupal | jquery_ui_checkboxradio | 8.x-1.3 | cpe:2.3:a:drupal:jquery_ui_checkboxradio:8.x-1.3:*:*:*:*:drupal:*:* |
| fedoraproject | fedora | 35 | cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:* |
| fedoraproject | fedora | 36 | cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:* |
| fedoraproject | fedora | 37 | cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:* |
| debian | debian_linux | 10.0 | cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:* |
| URL | Tags |
|---|---|
| https://blog.jqueryui.com/2022/07/jquery-ui-1-13-2-released/ | Release Notes Vendor Advisory |
| https://github.com/jquery/jquery-ui/commit/8cc5bae1caa1fcf96bf5862c5646c787020ba3f9 | Patch Third Party Advisory |
| https://github.com/jquery/jquery-ui/security/advisories/GHSA-h6gj-6jjq-h8g9 | Exploit Mitigation Release Notes Third Party Advisory |
| https://lists.debian.org/debian-lts-announce/2022/12/msg00015.html | Mailing List Third Party Advisory |
| https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6XBR3G3JR5ZIOJDO4224M3INXDS2VFDD/ | |
| https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/J5LGNTICB5BRFAG3DHVVELS6H3CZSQMO/ | |
| https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QB2FJQXCNHO32VGVOC6DY6IPGVE4VDU6/ | |
| https://security.netapp.com/advisory/ntap-20220909-0007/ | Third Party Advisory |
| https://www.drupal.org/sa-contrib-2022-052 | Third Party Advisory |