{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:9eb63643-7a49-51c1-bc72-594c3b5134f1", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:npm/%40astrojs/rss@1.9.2", "type": "library", "name": "@astrojs/rss", "version": "1.9.2", "purl": "pkg:npm/%40astrojs/rss@1.9.2" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:44df4598-0272-5319-8d29-731d897645b8", "id": "CVE-2024-23331", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-23331 affects version 1.9.2 of @astrojs/rss." }, "affects": [ { "ref": "pkg:npm/%40astrojs/rss@1.9.2" } ] }, { "bom-ref": "urn:uuid:ee8bb277-8db0-5236-8294-8aeb239aa5da", "id": "CVE-2024-31207", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-31207 affects version 1.9.2 of @astrojs/rss." }, "affects": [ { "ref": "pkg:npm/%40astrojs/rss@1.9.2" } ] }, { "bom-ref": "urn:uuid:3a7f139d-5aea-5009-9298-b43ee642aeb0", "id": "CVE-2024-45811", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-45811 affects version 1.9.2 of @astrojs/rss." }, "affects": [ { "ref": "pkg:npm/%40astrojs/rss@1.9.2" } ] }, { "bom-ref": "urn:uuid:99489ea8-a9a3-5bce-9a95-c85795a78ec5", "id": "CVE-2025-24010", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-24010 affects version 1.9.2 of @astrojs/rss." }, "affects": [ { "ref": "pkg:npm/%40astrojs/rss@1.9.2" } ] }, { "bom-ref": "urn:uuid:fa8ae496-d9bc-5a54-b0ac-5c5e9a9b38d8", "id": "CVE-2025-30208", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-30208 affects version 1.9.2 of @astrojs/rss." }, "affects": [ { "ref": "pkg:npm/%40astrojs/rss@1.9.2" } ] }, { "bom-ref": "urn:uuid:9f59613a-436a-583b-b232-2f6638c87dd0", "id": "CVE-2025-31125", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-31125 affects version 1.9.2 of @astrojs/rss." }, "affects": [ { "ref": "pkg:npm/%40astrojs/rss@1.9.2" } ] }, { "bom-ref": "urn:uuid:2b87b277-3578-59eb-b441-1d10a292a1d7", "id": "CVE-2025-31486", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-31486 affects version 1.9.2 of @astrojs/rss." }, "affects": [ { "ref": "pkg:npm/%40astrojs/rss@1.9.2" } ] }, { "bom-ref": "urn:uuid:d1daa34d-45b1-5a63-989c-fad7c7639a27", "id": "CVE-2025-32395", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-32395 affects version 1.9.2 of @astrojs/rss." }, "affects": [ { "ref": "pkg:npm/%40astrojs/rss@1.9.2" } ] }, { "bom-ref": "urn:uuid:f447b5da-cf5f-51a7-a4e2-ecdcd56c4db5", "id": "CVE-2025-46565", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-46565 affects version 1.9.2 of @astrojs/rss." }, "affects": [ { "ref": "pkg:npm/%40astrojs/rss@1.9.2" } ] }, { "bom-ref": "urn:uuid:8324fd9a-2f71-5517-9bf6-f3fc59028c9b", "id": "CVE-2025-58751", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-58751 affects version 1.9.2 of @astrojs/rss." }, "affects": [ { "ref": "pkg:npm/%40astrojs/rss@1.9.2" } ] }, { "bom-ref": "urn:uuid:62171dd2-abdb-5b2f-8e4d-0788ee80188e", "id": "CVE-2025-58752", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-58752 affects version 1.9.2 of @astrojs/rss." }, "affects": [ { "ref": "pkg:npm/%40astrojs/rss@1.9.2" } ] }, { "bom-ref": "urn:uuid:72b892cf-0867-5bd1-ab62-2a3059b62883", "id": "CVE-2025-62522", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-62522 affects version 1.9.2 of @astrojs/rss." }, "affects": [ { "ref": "pkg:npm/%40astrojs/rss@1.9.2" } ] }, { "bom-ref": "urn:uuid:40066866-aede-5677-ab7d-4711d5e61218", "id": "CVE-2026-39363", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-39363 affects version 1.9.2 of @astrojs/rss." }, "affects": [ { "ref": "pkg:npm/%40astrojs/rss@1.9.2" } ] }, { "bom-ref": "urn:uuid:ee383ab3-03a1-5223-9532-96ddf17b94e3", "id": "CVE-2026-39364", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-39364 affects version 1.9.2 of @astrojs/rss." }, "affects": [ { "ref": "pkg:npm/%40astrojs/rss@1.9.2" } ] }, { "bom-ref": "urn:uuid:e6dfe4ec-37f4-5d78-8b50-6fcb1f431fa1", "id": "CVE-2026-39365", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-39365 affects version 1.9.2 of @astrojs/rss." }, "affects": [ { "ref": "pkg:npm/%40astrojs/rss@1.9.2" } ] }, { "bom-ref": "urn:uuid:e8c341ef-af44-57fc-a1d6-cdee72fa836e", "id": "CVE-2026-45028", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-45028 affects version 1.9.2 of @astrojs/rss." }, "affects": [ { "ref": "pkg:npm/%40astrojs/rss@1.9.2" } ] }, { "bom-ref": "urn:uuid:4c51085d-c15e-516c-a265-3de395190d10", "id": "CVE-2026-50146", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50146 affects version 1.9.2 of @astrojs/rss." }, "affects": [ { "ref": "pkg:npm/%40astrojs/rss@1.9.2" } ] }, { "bom-ref": "urn:uuid:68dcb5e3-6690-53c1-9991-6315deb55764", "id": "CVE-2026-53571", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-53571 does not affect version 1.9.2 of @astrojs/rss. not_affected \u2014 Astro's codebase does not contain the vulnerable file access control logic described in CVE-2026-53571. The vulnerability exists in Vite's dev server file-serving middleware, which is a declared dependency (package.json shows 'vite': '~3.2.5'). Astro delegates all request handling directly to Vite without implementing its own file access control or path normalization logic. The vulnerable code ..." }, "affects": [ { "ref": "pkg:npm/%40astrojs/rss@1.9.2" } ] }, { "bom-ref": "urn:uuid:3ed6a6f5-056e-598a-a1d4-ab9c70be7a22", "id": "CVE-2026-54298", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-54298 affects version 1.9.2 of @astrojs/rss." }, "affects": [ { "ref": "pkg:npm/%40astrojs/rss@1.9.2" } ] }, { "bom-ref": "urn:uuid:c8615d4c-a316-5c74-983b-6481b7668b45", "id": "CVE-2026-54299", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-54299 does not affect version 1.9.2 of @astrojs/rss. not_affected \u2014 Astro version 1.9.2 is not affected by CVE-2026-54299. The vulnerability requires the prerendered error page HTTP fetching feature, which was introduced in Astro 5.12.9+. Version 1.9.2 renders all error pages in-process using the component system, not via HTTP fetch, eliminating the SSRF attack vector." }, "affects": [ { "ref": "pkg:npm/%40astrojs/rss@1.9.2" } ] } ], "dependencies": [ { "ref": "pkg:npm/%40astrojs/rss@1.9.2" } ] }