{
  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "serialNumber": "urn:uuid:170b7fde-934c-5f2e-b2ed-abf0a92e1608",
  "version": 1,
  "metadata": {
    "tools": [
      {
        "name": "tuxcare-vex-generator",
        "version": "1.0.0"
      }
    ]
  },
  "components": [
    {
      "bom-ref": "pkg:npm/%40nuxt/kit@4.0.3-tuxcare.1",
      "type": "library",
      "name": "@nuxt/kit",
      "version": "4.0.3-tuxcare.1",
      "purl": "pkg:npm/%40nuxt/kit@4.0.3-tuxcare.1"
    }
  ],
  "vulnerabilities": [
    {
      "bom-ref": "urn:uuid:5192fae8-729d-5d7d-beb3-9341a90c8650",
      "id": "CVE-2022-21670",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2022-21670 is fixed in version 4.0.3-tuxcare.1 of @nuxt/kit."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40nuxt/kit@4.0.3-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:c28b85a8-a7db-5c84-b1d6-505298ea2aa3",
      "id": "CVE-2022-25852",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2022-25852 affects version 4.0.3-tuxcare.1 of @nuxt/kit."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40nuxt/kit@4.0.3-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:df8e464c-7a22-5af1-9932-e3d55c25c90b",
      "id": "CVE-2025-59414",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2025-59414 is fixed in version 4.0.3-tuxcare.1 of @nuxt/kit."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40nuxt/kit@4.0.3-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:3bb94ceb-95f9-5513-a468-b684ab578980",
      "id": "CVE-2026-25128",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-25128 affects version 4.0.3-tuxcare.1 of @nuxt/kit."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40nuxt/kit@4.0.3-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:421fc4e1-dd19-537c-8a32-3b61553e060f",
      "id": "CVE-2026-32887",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-32887 affects version 4.0.3-tuxcare.1 of @nuxt/kit."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40nuxt/kit@4.0.3-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:b8b1fff0-3df6-5bd6-bc8d-dbde6391a7c4",
      "id": "CVE-2026-33128",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-33128 affects version 4.0.3-tuxcare.1 of @nuxt/kit."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40nuxt/kit@4.0.3-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:9381d245-5b0f-56f8-b7d7-e30e2f3c4f73",
      "id": "CVE-2026-33129",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-33129 affects version 4.0.3-tuxcare.1 of @nuxt/kit."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40nuxt/kit@4.0.3-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:37f46249-deec-5a36-a124-abb142781439",
      "id": "CVE-2026-33131",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-33131 affects version 4.0.3-tuxcare.1 of @nuxt/kit."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40nuxt/kit@4.0.3-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:3e3f67bc-db7f-5f7e-9424-54354ba68abf",
      "id": "CVE-2026-33490",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-33490 affects version 4.0.3-tuxcare.1 of @nuxt/kit."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40nuxt/kit@4.0.3-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:ca32e1ef-2a88-54e6-8911-5e089142b363",
      "id": "CVE-2026-39363",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-39363 affects version 4.0.3-tuxcare.1 of @nuxt/kit."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40nuxt/kit@4.0.3-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:ff62daf5-d0e4-5a2c-afb2-2b7628019a74",
      "id": "CVE-2026-39364",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-39364 affects version 4.0.3-tuxcare.1 of @nuxt/kit."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40nuxt/kit@4.0.3-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:0c7e368c-9bfa-53c4-99db-5f112d2f6905",
      "id": "CVE-2026-39365",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-39365 affects version 4.0.3-tuxcare.1 of @nuxt/kit."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40nuxt/kit@4.0.3-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:673a8f4d-2b12-5d8a-acfd-0cd66047309a",
      "id": "CVE-2026-39406",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-39406 affects version 4.0.3-tuxcare.1 of @nuxt/kit."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40nuxt/kit@4.0.3-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:b956ecf2-57a5-5435-92a5-357807a765bf",
      "id": "CVE-2026-41305",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-41305 affects version 4.0.3-tuxcare.1 of @nuxt/kit."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40nuxt/kit@4.0.3-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:ad3a2d9f-0897-509d-ae84-68a72033626c",
      "id": "CVE-2026-42338",
      "analysis": {
        "state": "false_positive",
        "detail": "Vulnerability CVE-2026-42338 is a false positive for @nuxt/kit 4.0.3-tuxcare.1. Rationale: CVE-2026-42338 concerns the 'ip-address' npm package, but this repository is the 'nuxt' framework. The affected component (the ip-address library) is completely absent from the repository: it is not the project itself, not vendored or bundled code, and not a declared dependency. This is a wrong-project match."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40nuxt/kit@4.0.3-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:8d4607db-ce9c-552f-8d17-6f121b5f0372",
      "id": "CVE-2026-44372",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-44372 affects version 4.0.3-tuxcare.1 of @nuxt/kit."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40nuxt/kit@4.0.3-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:ba54211a-047f-51aa-9c5b-b5d2e114cd35",
      "id": "CVE-2026-44373",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-44373 affects version 4.0.3-tuxcare.1 of @nuxt/kit."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40nuxt/kit@4.0.3-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:80c9791c-1812-5534-ad98-22bbe6934f15",
      "id": "CVE-2026-45669",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-45669 affects version 4.0.3-tuxcare.1 of @nuxt/kit."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40nuxt/kit@4.0.3-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:c642c0c8-3e5f-5a9a-8d2f-c8b678c05f3b",
      "id": "CVE-2026-45670",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-45670 affects version 4.0.3-tuxcare.1 of @nuxt/kit."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40nuxt/kit@4.0.3-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:e5ec70df-5ca9-5387-a798-15d8035c6147",
      "id": "CVE-2026-45736",
      "analysis": {
        "state": "false_positive",
        "detail": "Vulnerability CVE-2026-45736 is a false positive for @nuxt/kit 4.0.3-tuxcare.1. Rationale: CVE-2026-45736 is a wrong-project match. The advisory concerns the 'ws' WebSocket library for Node.js, but the target repository is the Nuxt.js framework. The ws library's source code (specifically lib/sender.js, which contains the vulnerable WebSocket close implementation) does not exist anywhere in this repository. While ws appears as a transitive dependency in pnpm-lock.yaml, no ws source code is pre... [detail truncated]"
      },
      "affects": [
        {
          "ref": "pkg:npm/%40nuxt/kit@4.0.3-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:4e96d986-168e-549c-9e6c-31afd9d515c5",
      "id": "CVE-2026-46342",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-46342 affects version 4.0.3-tuxcare.1 of @nuxt/kit."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40nuxt/kit@4.0.3-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:5ac12d1e-123a-5a0b-8350-18f796ad32c5",
      "id": "CVE-2026-47200",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-47200 affects version 4.0.3-tuxcare.1 of @nuxt/kit."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40nuxt/kit@4.0.3-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:ead592c8-3f91-5c58-aace-abafb9c1d16b",
      "id": "CVE-2026-49993",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-49993 affects version 4.0.3-tuxcare.1 of @nuxt/kit."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40nuxt/kit@4.0.3-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:d2def43e-6170-5c74-8fe9-811ddd91120c",
      "id": "CVE-2026-53571",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-53571 affects version 4.0.3-tuxcare.1 of @nuxt/kit."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40nuxt/kit@4.0.3-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:c038ba60-0440-5407-a6fe-ae8ba5769b3b",
      "id": "CVE-2026-53721",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-53721 affects version 4.0.3-tuxcare.1 of @nuxt/kit."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40nuxt/kit@4.0.3-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:2e2b11b5-f228-5a3e-9b10-802f9b8ccd6b",
      "id": "CVE-2026-53722",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-53722 affects version 4.0.3-tuxcare.1 of @nuxt/kit."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40nuxt/kit@4.0.3-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:faeddd58-e0e8-5500-b3c2-9a4f36ce6093",
      "id": "CVE-2026-54285",
      "analysis": {
        "state": "false_positive",
        "detail": "Vulnerability CVE-2026-54285 is a false positive for @nuxt/kit 4.0.3-tuxcare.1. Rationale: this CVE concerns @opentelemetry/core (the OpenTelemetry JavaScript package), but the target repository is Nuxt (a Vue.js framework). The affected component, W3CBaggagePropagator, is completely absent from this repository. This is a wrong-project match."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40nuxt/kit@4.0.3-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:e78a65e6-abd2-5cab-be39-ee98fc387e76",
      "id": "CVE-2026-56326",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-56326 affects version 4.0.3-tuxcare.1 of @nuxt/kit."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40nuxt/kit@4.0.3-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:e4c58168-8728-55fb-abcd-71c7ea93171f",
      "id": "GHSA-4hxc-9384-m385",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability GHSA-4hxc-9384-m385 affects version 4.0.3-tuxcare.1 of @nuxt/kit."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40nuxt/kit@4.0.3-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:f71f6ab1-65c8-5523-b29f-a0c78f599184",
      "id": "GHSA-534h-c3cw-v3h9",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability GHSA-534h-c3cw-v3h9 affects version 4.0.3-tuxcare.1 of @nuxt/kit."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40nuxt/kit@4.0.3-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:d0c3f216-8bff-5cf2-8420-538b3446030b",
      "id": "GHSA-c9cv-mq2m-ppp3",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability GHSA-c9cv-mq2m-ppp3 affects version 4.0.3-tuxcare.1 of @nuxt/kit."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40nuxt/kit@4.0.3-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:eb637d5c-b288-510c-8e0c-b73a80cfd282",
      "id": "GHSA-gv7w-rqvm-qjhr",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability GHSA-gv7w-rqvm-qjhr does not affect version 4.0.3-tuxcare.1 of @nuxt/kit. Rationale: the target Nuxt repository uses esbuild as a Node.js dependency via npm/pnpm, not the vulnerable Deno module. The vulnerability (GHSA-gv7w-rqvm-qjhr) is specific to esbuild's Deno distribution (lib/deno/mod.ts), which downloads binaries at runtime without integrity verification. The Node.js distribution (lib/npm/node-install.ts) contains robust SHA-256 integrity checks and is not affected. This ... [detail truncated]"
      },
      "affects": [
        {
          "ref": "pkg:npm/%40nuxt/kit@4.0.3-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:6425c5b1-cac8-5b79-a67b-e16bd9cff5de",
      "id": "GHSA-m3q2-p4fw-w38m",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability GHSA-m3q2-p4fw-w38m affects version 4.0.3-tuxcare.1 of @nuxt/kit."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40nuxt/kit@4.0.3-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:8bd36151-ec0f-535a-86d2-87c618012a12",
      "id": "GHSA-q5pr-72pq-83v3",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability GHSA-q5pr-72pq-83v3 affects version 4.0.3-tuxcare.1 of @nuxt/kit."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40nuxt/kit@4.0.3-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:5946c9c9-87a9-5700-a1fb-d59445d0ff54",
      "id": "GHSA-rq7w-g337-39qq",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability GHSA-rq7w-g337-39qq affects version 4.0.3-tuxcare.1 of @nuxt/kit."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40nuxt/kit@4.0.3-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:cc889fda-7c08-5578-ae53-58bf85d619e2",
      "id": "GHSA-w5hq-g745-h8pq",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability GHSA-w5hq-g745-h8pq affects version 4.0.3-tuxcare.1 of @nuxt/kit."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40nuxt/kit@4.0.3-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:30fdb6f4-9ad1-5cee-a885-b479a09ce00f",
      "id": "GHSA-wr4h-v87w-p3r7",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability GHSA-wr4h-v87w-p3r7 affects version 4.0.3-tuxcare.1 of @nuxt/kit."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40nuxt/kit@4.0.3-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:e55b38c7-686c-5ed5-8c71-7f8737c39327",
      "id": "GHSA-x7mm-9vvv-64w8",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability GHSA-x7mm-9vvv-64w8 affects version 4.0.3-tuxcare.1 of @nuxt/kit."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40nuxt/kit@4.0.3-tuxcare.1"
        }
      ]
    }
  ],
  "dependencies": [
    {
      "ref": "pkg:npm/%40nuxt/kit@4.0.3-tuxcare.1"
    }
  ]
}