{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:ec9c1141-f5b2-5d3d-9d5c-b1447a65d43d", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:npm/%40astrojs/webapi@1.9.2", "type": "library", "name": "@astrojs/webapi", "version": "1.9.2", "purl": "pkg:npm/%40astrojs/webapi@1.9.2" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:f4b074dd-b92a-59d4-a614-69b57ec40620", "id": "CVE-2024-23331", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-23331 affects version 1.9.2 of @astrojs/webapi." }, "affects": [ { "ref": "pkg:npm/%40astrojs/webapi@1.9.2" } ] }, { "bom-ref": "urn:uuid:57ef81c3-ca2b-5a83-b2ff-83543a1521f6", "id": "CVE-2024-31207", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-31207 affects version 1.9.2 of @astrojs/webapi." }, "affects": [ { "ref": "pkg:npm/%40astrojs/webapi@1.9.2" } ] }, { "bom-ref": "urn:uuid:c7b1db0b-cdbe-5102-b671-634aa11a9c1b", "id": "CVE-2024-45811", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-45811 affects version 1.9.2 of @astrojs/webapi." }, "affects": [ { "ref": "pkg:npm/%40astrojs/webapi@1.9.2" } ] }, { "bom-ref": "urn:uuid:8a2c2013-a36f-5dcf-ab88-fcc5b5d9d568", "id": "CVE-2025-24010", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-24010 affects version 1.9.2 of @astrojs/webapi." }, "affects": [ { "ref": "pkg:npm/%40astrojs/webapi@1.9.2" } ] }, { "bom-ref": "urn:uuid:f7c6a4e9-51e3-5a01-a041-36c59897d123", "id": "CVE-2025-30208", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-30208 affects version 1.9.2 of @astrojs/webapi." }, "affects": [ { "ref": "pkg:npm/%40astrojs/webapi@1.9.2" } ] }, { "bom-ref": "urn:uuid:2e480716-7785-578b-a7d5-112a59fbcbd4", "id": "CVE-2025-31125", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-31125 affects version 1.9.2 of @astrojs/webapi." }, "affects": [ { "ref": "pkg:npm/%40astrojs/webapi@1.9.2" } ] }, { "bom-ref": "urn:uuid:4aae432e-cd81-52d1-94cc-407a09e10d1c", "id": "CVE-2025-31486", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-31486 affects version 1.9.2 of @astrojs/webapi." }, "affects": [ { "ref": "pkg:npm/%40astrojs/webapi@1.9.2" } ] }, { "bom-ref": "urn:uuid:18e96a6b-78a3-57b5-a05c-7703ca974ddb", "id": "CVE-2025-32395", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-32395 affects version 1.9.2 of @astrojs/webapi." }, "affects": [ { "ref": "pkg:npm/%40astrojs/webapi@1.9.2" } ] }, { "bom-ref": "urn:uuid:e10025c3-57ae-5a23-8fdd-2c0476a52b3a", "id": "CVE-2025-46565", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-46565 affects version 1.9.2 of @astrojs/webapi." }, "affects": [ { "ref": "pkg:npm/%40astrojs/webapi@1.9.2" } ] }, { "bom-ref": "urn:uuid:34bcb9e3-5f30-501a-9687-0f7468737d20", "id": "CVE-2025-58751", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-58751 affects version 1.9.2 of @astrojs/webapi." }, "affects": [ { "ref": "pkg:npm/%40astrojs/webapi@1.9.2" } ] }, { "bom-ref": "urn:uuid:7b795c70-0a6a-5f1d-b50d-c072aac33723", "id": "CVE-2025-58752", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-58752 affects version 1.9.2 of @astrojs/webapi." }, "affects": [ { "ref": "pkg:npm/%40astrojs/webapi@1.9.2" } ] }, { "bom-ref": "urn:uuid:b9f11bcd-4223-50b8-9fe6-4bcd6343bddf", "id": "CVE-2025-62522", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-62522 affects version 1.9.2 of @astrojs/webapi." }, "affects": [ { "ref": "pkg:npm/%40astrojs/webapi@1.9.2" } ] }, { "bom-ref": "urn:uuid:c68aa40a-35e0-5d0b-ab13-7aabe983d2b8", "id": "CVE-2026-39363", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-39363 affects version 1.9.2 of @astrojs/webapi." }, "affects": [ { "ref": "pkg:npm/%40astrojs/webapi@1.9.2" } ] }, { "bom-ref": "urn:uuid:fc01753e-42b0-5b62-9248-040de47a77d2", "id": "CVE-2026-39364", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-39364 affects version 1.9.2 of @astrojs/webapi." }, "affects": [ { "ref": "pkg:npm/%40astrojs/webapi@1.9.2" } ] }, { "bom-ref": "urn:uuid:faede273-f3b0-537e-9b4a-9588dbc9e5ce", "id": "CVE-2026-39365", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-39365 affects version 1.9.2 of @astrojs/webapi." }, "affects": [ { "ref": "pkg:npm/%40astrojs/webapi@1.9.2" } ] }, { "bom-ref": "urn:uuid:b5df780c-4b02-540d-8455-bd27e0cc089b", "id": "CVE-2026-45028", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-45028 affects version 1.9.2 of @astrojs/webapi." }, "affects": [ { "ref": "pkg:npm/%40astrojs/webapi@1.9.2" } ] }, { "bom-ref": "urn:uuid:c5a92b37-5d6f-5bc9-b9ad-ae3c167fd948", "id": "CVE-2026-50146", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50146 affects version 1.9.2 of @astrojs/webapi." }, "affects": [ { "ref": "pkg:npm/%40astrojs/webapi@1.9.2" } ] }, { "bom-ref": "urn:uuid:606a2539-ffce-5c1e-a7e8-488efd48cb3b", "id": "CVE-2026-53571", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-53571 does not affect version 1.9.2 of @astrojs/webapi. not_affected \u2014 Astro's codebase does not contain the vulnerable file access control logic described in CVE-2026-53571. The vulnerability exists in Vite's dev server file-serving middleware, which is a declared dependency (package.json shows 'vite': '~3.2.5'). Astro delegates all request handling directly to Vite without implementing its own file access control or path normalization logic. The vulnerable code ..." }, "affects": [ { "ref": "pkg:npm/%40astrojs/webapi@1.9.2" } ] }, { "bom-ref": "urn:uuid:a3f3f7d6-197f-56a4-8098-fc6afe7b2e03", "id": "CVE-2026-54298", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-54298 affects version 1.9.2 of @astrojs/webapi." }, "affects": [ { "ref": "pkg:npm/%40astrojs/webapi@1.9.2" } ] }, { "bom-ref": "urn:uuid:8f0a006e-57ca-5550-8c00-6f82c0e24ca9", "id": "CVE-2026-54299", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-54299 does not affect version 1.9.2 of @astrojs/webapi. not_affected \u2014 Astro version 1.9.2 is not affected by CVE-2026-54299. The vulnerability requires the prerendered error page HTTP fetching feature, which was introduced in Astro 5.12.9+. Version 1.9.2 renders all error pages in-process using the component system, not via HTTP fetch, eliminating the SSRF attack vector." }, "affects": [ { "ref": "pkg:npm/%40astrojs/webapi@1.9.2" } ] } ], "dependencies": [ { "ref": "pkg:npm/%40astrojs/webapi@1.9.2" } ] }