{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:1ba26e1d-7dee-5ef9-9f98-7620597a7bd0", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:npm/%40astrojs/db@4.16.19", "type": "library", "name": "@astrojs/db", "version": "4.16.19", "purl": "pkg:npm/%40astrojs/db@4.16.19" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:b9fc9f20-1f68-5bce-bdf4-45ead0ede3ed", "id": "CVE-2025-55303", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-55303 affects version 4.16.19 of @astrojs/db." }, "affects": [ { "ref": "pkg:npm/%40astrojs/db@4.16.19" } ] }, { "bom-ref": "urn:uuid:7ae17bed-04b3-5b6a-88a3-c3b27e3978a7", "id": "CVE-2026-32887", "analysis": { "state": "false_positive", "detail": "Vulnerability CVE-2026-32887 is a false positive for @astrojs/db 4.16.19. false_positive \u2014 CVE-2026-32887 concerns the Effect framework (TypeScript framework with RpcServer/HttpApp APIs), but the target repository is Astro (a website build tool). These are completely different projects with no dependency relationship. This is a wrong-project match." }, "affects": [ { "ref": "pkg:npm/%40astrojs/db@4.16.19" } ] }, { "bom-ref": "urn:uuid:bd3893f7-2522-5ff7-8591-3f3696a5d28a", "id": "CVE-2026-33128", "analysis": { "state": "false_positive", "detail": "Vulnerability CVE-2026-33128 is a false positive for @astrojs/db 4.16.19. false_positive \u2014 CVE-2026-33128 concerns H3 framework, but the target repository is Astro framework. This is a wrong-project match with no code relationship between the two projects." }, "affects": [ { "ref": "pkg:npm/%40astrojs/db@4.16.19" } ] }, { "bom-ref": "urn:uuid:ba697c3c-496b-503b-99e7-b2c9eaa1af82", "id": "CVE-2026-33131", "analysis": { "state": "false_positive", "detail": "Vulnerability CVE-2026-33131 is a false positive for @astrojs/db 4.16.19. false_positive \u2014 CVE-2026-33131 concerns the H3 framework, but the target repository is Astro (version 4.16.19-tuxcare.1), a completely different web framework. H3 is not used as a dependency, not vendored in the source tree, and the affected components (NodeRequestUrl, FastURL) do not exist in this codebase. This is a wrong-project match." }, "affects": [ { "ref": "pkg:npm/%40astrojs/db@4.16.19" } ] }, { "bom-ref": "urn:uuid:2d4a24ab-795f-56be-97a6-d578f491980a", "id": "CVE-2026-33490", "analysis": { "state": "false_positive", "detail": "Vulnerability CVE-2026-33490 is a false positive for @astrojs/db 4.16.19. false_positive \u2014 CVE-2026-33490 concerns H3 (a minimal HTTP framework), but the target repository is Astro (a website build tool). H3 is not present in this repository - no vendored code, no dependency, no imports. The only 'h3' references found are HTML heading components (

tags), unrelated to the H3 framework." }, "affects": [ { "ref": "pkg:npm/%40astrojs/db@4.16.19" } ] }, { "bom-ref": "urn:uuid:6e756444-802d-5b8c-ac67-2d68470c1c3d", "id": "CVE-2026-45028", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-45028 affects version 4.16.19 of @astrojs/db." }, "affects": [ { "ref": "pkg:npm/%40astrojs/db@4.16.19" } ] }, { "bom-ref": "urn:uuid:7d4b847e-7463-5ab7-a05d-0857febb1568", "id": "CVE-2026-50146", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50146 affects version 4.16.19 of @astrojs/db." }, "affects": [ { "ref": "pkg:npm/%40astrojs/db@4.16.19" } ] }, { "bom-ref": "urn:uuid:20ae70da-627d-5f72-a21b-d08d1d5a3167", "id": "CVE-2026-54298", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-54298 affects version 4.16.19 of @astrojs/db." }, "affects": [ { "ref": "pkg:npm/%40astrojs/db@4.16.19" } ] }, { "bom-ref": "urn:uuid:5bb71680-e38b-57b3-8aad-a54065642e81", "id": "CVE-2026-54299", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-54299 does not affect version 4.16.19 of @astrojs/db. already_fixed \u2014 The target repository has already fixed this vulnerability via CVE-2026-25545 / AIKIDO-2025-10879 (May 7, 2026), which addresses the identical SSRF issue. The fix removes the prerendered error page fetching feature entirely, replacing it with direct SSR rendering. This is a more aggressive mitigation than the upstream's host validation approach." }, "affects": [ { "ref": "pkg:npm/%40astrojs/db@4.16.19" } ] }, { "bom-ref": "urn:uuid:9586f785-b7a6-5931-9305-d46f2b2581fe", "id": "GHSA-4hxc-9384-m385", "analysis": { "state": "false_positive", "detail": "Vulnerability GHSA-4hxc-9384-m385 is a false positive for @astrojs/db 4.16.19. false_positive \u2014 Wrong-project match: CVE GHSA-4hxc-9384-m385 concerns the h3 package's EventStream SSE injection vulnerability, but the target repository is Astro (version 4.16.19-tuxcare.1), a completely different web framework. The h3 package and its affected component are entirely absent from this repository." }, "affects": [ { "ref": "pkg:npm/%40astrojs/db@4.16.19" } ] }, { "bom-ref": "urn:uuid:84d6636f-73c6-54f7-9776-80636a2fa047", "id": "GHSA-q5pr-72pq-83v3", "analysis": { "state": "false_positive", "detail": "Vulnerability GHSA-q5pr-72pq-83v3 is a false positive for @astrojs/db 4.16.19. false_positive \u2014 This is a wrong-project match. The CVE GHSA-q5pr-72pq-83v3 concerns h3's chunked cookie handling vulnerability, but this repository is Astro (a website build tool), which does not use h3 or contain any h3 code." }, "affects": [ { "ref": "pkg:npm/%40astrojs/db@4.16.19" } ] }, { "bom-ref": "urn:uuid:00908357-6e21-5b66-bfd5-b6450d5b9f68", "id": "GHSA-wr4h-v87w-p3r7", "analysis": { "state": "false_positive", "detail": "Vulnerability GHSA-wr4h-v87w-p3r7 is a false positive for @astrojs/db 4.16.19. false_positive \u2014 This advisory (GHSA-wr4h-v87w-p3r7) concerns the h3 library's serveStatic() function, but the target repository is Astro, a completely different web framework. The h3 library is not present in this repository in any form - not as the project itself, not as a vendored/bundled dependency, and not as a declared dependency." }, "affects": [ { "ref": "pkg:npm/%40astrojs/db@4.16.19" } ] } ], "dependencies": [ { "ref": "pkg:npm/%40astrojs/db@4.16.19" } ] }