{
  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "serialNumber": "urn:uuid:8bd09d70-eae4-5fb3-a01b-72b64c5311cc",
  "version": 1,
  "metadata": {
    "tools": [
      {
        "name": "tuxcare-vex-generator",
        "version": "1.0.0"
      }
    ]
  },
  "components": [
    {
      "bom-ref": "pkg:npm/%40astrojs/rss@4.16.19-tuxcare.1",
      "type": "library",
      "name": "@astrojs/rss",
      "version": "4.16.19-tuxcare.1",
      "purl": "pkg:npm/%40astrojs/rss@4.16.19-tuxcare.1"
    }
  ],
  "vulnerabilities": [
    {
      "bom-ref": "urn:uuid:a67ac431-18e9-55ae-a3b7-e5bcc7df23c3",
      "id": "AIKIDO-2025-10879",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability AIKIDO-2025-10879 is fixed in version 4.16.19-tuxcare.1 of @astrojs/rss."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40astrojs/rss@4.16.19-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:15c34e35-e917-59d0-b187-e30988a2679f",
      "id": "CVE-2025-55303",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2025-55303 affects version 4.16.19-tuxcare.1 of @astrojs/rss."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40astrojs/rss@4.16.19-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:c87fbfe9-4ce2-5b90-ad4d-909f8fdfab3a",
      "id": "CVE-2025-61925",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2025-61925 is fixed in version 4.16.19-tuxcare.1 of @astrojs/rss."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40astrojs/rss@4.16.19-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:c2d25fc6-0cdd-5db5-a67f-78b8a312e7fd",
      "id": "CVE-2025-64525",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2025-64525 is fixed in version 4.16.19-tuxcare.1 of @astrojs/rss."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40astrojs/rss@4.16.19-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:38545857-1fec-5d11-80ed-e0bff4f636e2",
      "id": "CVE-2025-64757",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2025-64757 is fixed in version 4.16.19-tuxcare.1 of @astrojs/rss."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40astrojs/rss@4.16.19-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:2a1ebedb-3566-5102-b1a7-d8d70bc7dcfb",
      "id": "CVE-2025-64764",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2025-64764 is fixed in version 4.16.19-tuxcare.1 of @astrojs/rss."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40astrojs/rss@4.16.19-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:7b4768fc-3b63-5e42-8a33-662ed5a84ccb",
      "id": "CVE-2025-64765",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2025-64765 is fixed in version 4.16.19-tuxcare.1 of @astrojs/rss."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40astrojs/rss@4.16.19-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:87e1f1d4-b921-5416-b81d-59ca79161c26",
      "id": "CVE-2025-65019",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2025-65019 is fixed in version 4.16.19-tuxcare.1 of @astrojs/rss."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40astrojs/rss@4.16.19-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:9b013bfa-cc9d-5ab2-8ab0-2d3ab76ca7e9",
      "id": "CVE-2025-66202",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2025-66202 is fixed in version 4.16.19-tuxcare.1 of @astrojs/rss."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40astrojs/rss@4.16.19-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:f0cfaa4d-f84e-5e89-a9e9-c86cada74ac4",
      "id": "CVE-2026-32887",
      "analysis": {
        "state": "false_positive",
        "detail": "Vulnerability CVE-2026-32887 is a false positive for @astrojs/rss 4.16.19-tuxcare.1. false_positive \u2014 CVE-2026-32887 concerns the Effect framework (TypeScript framework with RpcServer/HttpApp APIs), but the target repository is Astro (a website build tool). These are completely different projects with no dependency relationship. This is a wrong-project match."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40astrojs/rss@4.16.19-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:3127c242-b563-5d8c-8467-f4d50e15ba5a",
      "id": "CVE-2026-33128",
      "analysis": {
        "state": "false_positive",
        "detail": "Vulnerability CVE-2026-33128 is a false positive for @astrojs/rss 4.16.19-tuxcare.1. false_positive \u2014 CVE-2026-33128 concerns H3 framework, but the target repository is Astro framework. This is a wrong-project match with no code relationship between the two projects."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40astrojs/rss@4.16.19-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:386aa11d-4174-51df-bee0-4db680b99332",
      "id": "CVE-2026-33131",
      "analysis": {
        "state": "false_positive",
        "detail": "Vulnerability CVE-2026-33131 is a false positive for @astrojs/rss 4.16.19-tuxcare.1. false_positive \u2014 CVE-2026-33131 concerns the H3 framework, but the target repository is Astro (version 4.16.19-tuxcare.1), a completely different web framework. H3 is not used as a dependency, not vendored in the source tree, and the affected components (NodeRequestUrl, FastURL) do not exist in this codebase. This is a wrong-project match."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40astrojs/rss@4.16.19-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:3eadc00c-93e4-56fd-87fb-44f86960426a",
      "id": "CVE-2026-33490",
      "analysis": {
        "state": "false_positive",
        "detail": "Vulnerability CVE-2026-33490 is a false positive for @astrojs/rss 4.16.19-tuxcare.1. false_positive \u2014 CVE-2026-33490 concerns H3 (a minimal HTTP framework), but the target repository is Astro (a website build tool). H3 is not present in this repository - no vendored code, no dependency, no imports. The only 'h3' references found are HTML heading components (<h3> tags), unrelated to the H3 framework."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40astrojs/rss@4.16.19-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:55be9689-b1c9-57ff-bc12-8c3bfd9e82c9",
      "id": "CVE-2026-33769",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2026-33769 is fixed in version 4.16.19-tuxcare.1 of @astrojs/rss."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40astrojs/rss@4.16.19-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:217d67c6-10dd-50b5-bc31-4171aa1a5815",
      "id": "CVE-2026-41067",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2026-41067 is fixed in version 4.16.19-tuxcare.1 of @astrojs/rss."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40astrojs/rss@4.16.19-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:d9b16ee8-b877-575f-a7e8-70bb82bf15d7",
      "id": "CVE-2026-45028",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-45028 affects version 4.16.19-tuxcare.1 of @astrojs/rss."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40astrojs/rss@4.16.19-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:704b7425-37e9-5861-8833-41a470b2c59b",
      "id": "CVE-2026-50146",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-50146 affects version 4.16.19-tuxcare.1 of @astrojs/rss."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40astrojs/rss@4.16.19-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:7173d046-5566-52c9-a1dd-846a50f6deca",
      "id": "CVE-2026-54298",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-54298 affects version 4.16.19-tuxcare.1 of @astrojs/rss."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40astrojs/rss@4.16.19-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:4972103a-db92-54ae-9569-7799dbb265b9",
      "id": "CVE-2026-54299",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2026-54299 does not affect version 4.16.19-tuxcare.1 of @astrojs/rss. already_fixed \u2014 The target repository has already fixed this vulnerability via CVE-2026-25545 / AIKIDO-2025-10879 (May 7, 2026), which addresses the identical SSRF issue. The fix removes the prerendered error page fetching feature entirely, replacing it with direct SSR rendering. This is a more aggressive mitigation than the upstream's host validation approach."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40astrojs/rss@4.16.19-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:667db1db-322a-50bd-8884-8a90b0d01ace",
      "id": "GHSA-4hxc-9384-m385",
      "analysis": {
        "state": "false_positive",
        "detail": "Vulnerability GHSA-4hxc-9384-m385 is a false positive for @astrojs/rss 4.16.19-tuxcare.1. false_positive \u2014 Wrong-project match: CVE GHSA-4hxc-9384-m385 concerns the h3 package's EventStream SSE injection vulnerability, but the target repository is Astro (version 4.16.19-tuxcare.1), a completely different web framework. The h3 package and its affected component are entirely absent from this repository."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40astrojs/rss@4.16.19-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:b57d36a6-f4bf-5072-97d5-4a835f041c67",
      "id": "GHSA-q5pr-72pq-83v3",
      "analysis": {
        "state": "false_positive",
        "detail": "Vulnerability GHSA-q5pr-72pq-83v3 is a false positive for @astrojs/rss 4.16.19-tuxcare.1. false_positive \u2014 This is a wrong-project match. The CVE GHSA-q5pr-72pq-83v3 concerns h3's chunked cookie handling vulnerability, but this repository is Astro (a website build tool), which does not use h3 or contain any h3 code."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40astrojs/rss@4.16.19-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:ddbe5065-9446-5eb1-bb95-cc8aa659d147",
      "id": "GHSA-wr4h-v87w-p3r7",
      "analysis": {
        "state": "false_positive",
        "detail": "Vulnerability GHSA-wr4h-v87w-p3r7 is a false positive for @astrojs/rss 4.16.19-tuxcare.1. false_positive \u2014 This advisory (GHSA-wr4h-v87w-p3r7) concerns the h3 library's serveStatic() function, but the target repository is Astro, a completely different web framework. The h3 library is not present in this repository in any form - not as the project itself, not as a vendored/bundled dependency, and not as a declared dependency."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40astrojs/rss@4.16.19-tuxcare.1"
        }
      ]
    }
  ],
  "dependencies": [
    {
      "ref": "pkg:npm/%40astrojs/rss@4.16.19-tuxcare.1"
    }
  ]
}