jQuery UI is a third-party library used by Drupal. This library was previously thought to be end-of-life.
Late in 2021, jQuery UI announced that they would be continuing development, and released a jQuery UI 1.13.0 version. As part of this 1.13.0 update, they disclosed the following security issue that may affect Drupal 9 and 7:
CVE-2021-41184: XSS in the `of` option of the `.position()` util
It is possible that this vulnerability is exploitable with some Drupal modules. As a precaution, this Drupal security release applies the fix for the above cross-site description issue, without making any of the other changes to the jQuery version that is included in Drupal.
This advisory is not covered by Drupal Steward.
Install the latest version:
If you are using Drupal 9.3, update to Drupal 9.3.3.
If you are using Drupal 9.2, update to Drupal 9.2.11.
If you are using Drupal 7, update to Drupal 7.86.
All versions of Drupal 8 and 9 prior to 9.2.x are end-of-life and do not receive security coverage. Note that Drupal 8 has reached its end of life.
Chris of the Drupal Security Team
Drew Webber of the Drupal Security Team
Alex Bronstein of the Drupal Security Team
Ben Mullins
xjm of the Drupal Security Team
Théodore Biadala
More Stories
USN-7417-1: libdbd-mysql-perl vulnerabilities
It was discovered that libdbd-mysql-perl did not correctly handle certain SQL queries. An attacker could possibly use this issue to...
USN-7416-1: Kamailio vulnerabilities
Stelios Tsampas discovered that Kamailio did not correctly handle certain memory operations, which could lead to a buffer overflow. A...
podman-tui-1.5.0-1.fc42
FEDORA-2025-8a7d23116e Packages in this update: podman-tui-1.5.0-1.fc42 Update description: release 1.5.0 Read More
podman-tui-1.5.0-1.el10_1
FEDORA-EPEL-2025-6618927fc5 Packages in this update: podman-tui-1.5.0-1.el10_1 Update description: release 1.5.0 Read More
podman-tui-1.5.0-1.fc41
FEDORA-2025-f1d2ae375e Packages in this update: podman-tui-1.5.0-1.fc41 Update description: release 1.5.0 Read More
rust-below-0.9.0-1.el8
FEDORA-EPEL-2025-ae12e02519 Packages in this update: rust-below-0.9.0-1.el8 Update description: A privilege escalation vulnerability existed in the Below service prior to v0.9.0...