{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:76091014-8117-5e49-9018-a55847dc73b7", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:npm/%40nuxt/kit@4.0.3-tuxcare.2", "type": "library", "name": "@nuxt/kit", "version": "4.0.3-tuxcare.2", "purl": "pkg:npm/%40nuxt/kit@4.0.3-tuxcare.2" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:fd294d46-33c4-5625-9228-e54292a4b5d2", "id": "CVE-2022-21670", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-21670 is fixed in version 4.0.3-tuxcare.2 of @nuxt/kit." }, "affects": [ { "ref": "pkg:npm/%40nuxt/kit@4.0.3-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:baf92069-a17f-5c89-bea8-75acbe22a324", "id": "CVE-2022-25852", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2022-25852 affects version 4.0.3-tuxcare.2 of @nuxt/kit." }, "affects": [ { "ref": "pkg:npm/%40nuxt/kit@4.0.3-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:bac7a2c9-b050-5499-8afa-2b84dd18fad0", "id": "CVE-2025-59414", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-59414 is fixed in version 4.0.3-tuxcare.2 of @nuxt/kit." }, "affects": [ { "ref": "pkg:npm/%40nuxt/kit@4.0.3-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:d148a2d6-38c1-5351-b9f8-49fc29be5297", "id": "CVE-2026-25128", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-25128 affects version 4.0.3-tuxcare.2 of @nuxt/kit." }, "affects": [ { "ref": "pkg:npm/%40nuxt/kit@4.0.3-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:be3607d5-1502-5217-9a51-22d9eda852fd", "id": "CVE-2026-32887", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-32887 affects version 4.0.3-tuxcare.2 of @nuxt/kit." }, "affects": [ { "ref": "pkg:npm/%40nuxt/kit@4.0.3-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:0ed4d23d-e8e1-5dc7-b0a7-cea67b1df9dd", "id": "CVE-2026-33128", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-33128 affects version 4.0.3-tuxcare.2 of @nuxt/kit." }, "affects": [ { "ref": "pkg:npm/%40nuxt/kit@4.0.3-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:18c41dbe-1bdb-5777-8483-9d0544cd6231", "id": "CVE-2026-33129", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-33129 affects version 4.0.3-tuxcare.2 of @nuxt/kit." }, "affects": [ { "ref": "pkg:npm/%40nuxt/kit@4.0.3-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:1b59c437-a38a-52ae-8544-0b3ac4a30102", "id": "CVE-2026-33131", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-33131 affects version 4.0.3-tuxcare.2 of @nuxt/kit." }, "affects": [ { "ref": "pkg:npm/%40nuxt/kit@4.0.3-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:e9b94c5b-a269-5d9d-8873-f2f4d672b878", "id": "CVE-2026-33490", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-33490 affects version 4.0.3-tuxcare.2 of @nuxt/kit." }, "affects": [ { "ref": "pkg:npm/%40nuxt/kit@4.0.3-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:97ff4046-ec70-5895-a9d9-e55f20166c66", "id": "CVE-2026-39363", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-39363 affects version 4.0.3-tuxcare.2 of @nuxt/kit." }, "affects": [ { "ref": "pkg:npm/%40nuxt/kit@4.0.3-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:252e0ead-554f-59ff-ae1e-3f910620b4fc", "id": "CVE-2026-39364", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-39364 affects version 4.0.3-tuxcare.2 of @nuxt/kit." }, "affects": [ { "ref": "pkg:npm/%40nuxt/kit@4.0.3-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:7a219f48-17ac-58d8-adae-07586534f751", "id": "CVE-2026-39365", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-39365 affects version 4.0.3-tuxcare.2 of @nuxt/kit." }, "affects": [ { "ref": "pkg:npm/%40nuxt/kit@4.0.3-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:97504710-2811-571a-9a7a-b31d8a491177", "id": "CVE-2026-39406", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-39406 affects version 4.0.3-tuxcare.2 of @nuxt/kit." }, "affects": [ { "ref": "pkg:npm/%40nuxt/kit@4.0.3-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:aa2f55cb-f2d5-529b-913d-c8ff010d8fb3", "id": "CVE-2026-41305", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41305 affects version 4.0.3-tuxcare.2 of @nuxt/kit." }, "affects": [ { "ref": "pkg:npm/%40nuxt/kit@4.0.3-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:09e347c4-04d5-5efe-922b-ce1e8c3cd2f0", "id": "CVE-2026-42338", "analysis": { "state": "false_positive", "detail": "Vulnerability CVE-2026-42338 is a false positive for @nuxt/kit 4.0.3-tuxcare.2. false_positive \u2014 CVE-2026-42338 concerns the 'ip-address' npm package, but this repository is the 'nuxt' framework. The affected component (ip-address library) is completely absent from the repository - not as the project itself, not as vendored/bundled code, and not as a declared dependency. This is a wrong-project match." }, "affects": [ { "ref": "pkg:npm/%40nuxt/kit@4.0.3-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:e1eae4be-3a21-59cb-a08a-7b7c3c77791a", "id": "CVE-2026-44372", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-44372 affects version 4.0.3-tuxcare.2 of @nuxt/kit." }, "affects": [ { "ref": "pkg:npm/%40nuxt/kit@4.0.3-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:4e944bdb-f60a-50c3-ab7c-981db4743e37", "id": "CVE-2026-44373", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-44373 affects version 4.0.3-tuxcare.2 of @nuxt/kit." }, "affects": [ { "ref": "pkg:npm/%40nuxt/kit@4.0.3-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:80d36aab-9eb6-5bcb-94e4-7af6035cbfe4", "id": "CVE-2026-45669", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-45669 affects version 4.0.3-tuxcare.2 of @nuxt/kit." }, "affects": [ { "ref": "pkg:npm/%40nuxt/kit@4.0.3-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:416b4c2a-1715-5d01-80ea-edd228ed12a4", "id": "CVE-2026-45670", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-45670 affects version 4.0.3-tuxcare.2 of @nuxt/kit." }, "affects": [ { "ref": "pkg:npm/%40nuxt/kit@4.0.3-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:8416e3eb-227d-5fe8-8058-4bff5347c2bc", "id": "CVE-2026-45736", "analysis": { "state": "false_positive", "detail": "Vulnerability CVE-2026-45736 is a false positive for @nuxt/kit 4.0.3-tuxcare.2. false_positive \u2014 CVE-2026-45736 is a wrong-project match. The advisory concerns the 'ws' WebSocket library for Node.js, but the target repository is Nuxt.js framework. The ws library's source code (specifically lib/sender.js containing the vulnerable WebSocket close implementation) does not exist anywhere in this repository. While ws appears as a transitive dependency in pnpm-lock.yaml, no ws source code is pre..." }, "affects": [ { "ref": "pkg:npm/%40nuxt/kit@4.0.3-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:020059ca-65f8-5c44-93c0-96b15661900c", "id": "CVE-2026-46342", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-46342 affects version 4.0.3-tuxcare.2 of @nuxt/kit." }, "affects": [ { "ref": "pkg:npm/%40nuxt/kit@4.0.3-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:90a9ec7f-d143-546d-941f-97e4f7fa816d", "id": "CVE-2026-47200", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-47200 affects version 4.0.3-tuxcare.2 of @nuxt/kit." }, "affects": [ { "ref": "pkg:npm/%40nuxt/kit@4.0.3-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:3098507c-1c20-5942-b678-438c936ce45f", "id": "CVE-2026-49993", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-49993 affects version 4.0.3-tuxcare.2 of @nuxt/kit." }, "affects": [ { "ref": "pkg:npm/%40nuxt/kit@4.0.3-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:ce1a53fb-9b9d-52fe-a7c7-1441c466d5a7", "id": "CVE-2026-53571", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-53571 affects version 4.0.3-tuxcare.2 of @nuxt/kit." }, "affects": [ { "ref": "pkg:npm/%40nuxt/kit@4.0.3-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:edd79d1c-db7f-5899-9ae8-499dad700fcf", "id": "CVE-2026-53721", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-53721 affects version 4.0.3-tuxcare.2 of @nuxt/kit." }, "affects": [ { "ref": "pkg:npm/%40nuxt/kit@4.0.3-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:364207f0-3dbd-578a-984d-4ec28452fc41", "id": "CVE-2026-53722", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-53722 affects version 4.0.3-tuxcare.2 of @nuxt/kit." }, "affects": [ { "ref": "pkg:npm/%40nuxt/kit@4.0.3-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:32303327-5dbb-5ac5-b175-425920ff40a7", "id": "CVE-2026-54285", "analysis": { "state": "false_positive", "detail": "Vulnerability CVE-2026-54285 is a false positive for @nuxt/kit 4.0.3-tuxcare.2. false_positive \u2014 This CVE concerns @opentelemetry/core (OpenTelemetry JavaScript package), but the target repository is Nuxt (Vue.js framework). The affected component W3CBaggagePropagator is completely absent from this repository. This is a wrong-project match." }, "affects": [ { "ref": "pkg:npm/%40nuxt/kit@4.0.3-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:4b280f06-dd07-5cd9-a9c6-45041153fb5e", "id": "CVE-2026-56326", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-56326 affects version 4.0.3-tuxcare.2 of @nuxt/kit." }, "affects": [ { "ref": "pkg:npm/%40nuxt/kit@4.0.3-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:28ae9f4b-14dd-531d-8406-27a7a3e009de", "id": "GHSA-4hxc-9384-m385", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-4hxc-9384-m385 affects version 4.0.3-tuxcare.2 of @nuxt/kit." }, "affects": [ { "ref": "pkg:npm/%40nuxt/kit@4.0.3-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:46bc0718-a7e3-540a-acec-826e7d126374", "id": "GHSA-534h-c3cw-v3h9", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-534h-c3cw-v3h9 affects version 4.0.3-tuxcare.2 of @nuxt/kit." }, "affects": [ { "ref": "pkg:npm/%40nuxt/kit@4.0.3-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:5737b4b6-78bd-5521-8aab-a82d41290e28", "id": "GHSA-c9cv-mq2m-ppp3", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-c9cv-mq2m-ppp3 affects version 4.0.3-tuxcare.2 of @nuxt/kit." }, "affects": [ { "ref": "pkg:npm/%40nuxt/kit@4.0.3-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:3077364b-0e38-57b2-b93d-e4e61d7e3c7e", "id": "GHSA-gv7w-rqvm-qjhr", "analysis": { "state": "not_affected", "detail": "Vulnerability GHSA-gv7w-rqvm-qjhr does not affect version 4.0.3-tuxcare.2 of @nuxt/kit. not_affected \u2014 The target Nuxt repository uses esbuild as a Node.js dependency via npm/pnpm, not the vulnerable Deno module. The vulnerability (GHSA-gv7w-rqvm-qjhr) is specific to esbuild's Deno distribution (lib/deno/mod.ts) which downloads binaries at runtime without integrity verification. The Node.js distribution (lib/npm/node-install.ts) contains robust SHA-256 integrity checks and is not affected. This ..." }, "affects": [ { "ref": "pkg:npm/%40nuxt/kit@4.0.3-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:4c1d1519-1e02-5d0a-8631-1b965d7511be", "id": "GHSA-m3q2-p4fw-w38m", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-m3q2-p4fw-w38m affects version 4.0.3-tuxcare.2 of @nuxt/kit." }, "affects": [ { "ref": "pkg:npm/%40nuxt/kit@4.0.3-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:b5830a4e-5b05-500a-b749-4ced9adf0f8d", "id": "GHSA-q5pr-72pq-83v3", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-q5pr-72pq-83v3 affects version 4.0.3-tuxcare.2 of @nuxt/kit." }, "affects": [ { "ref": "pkg:npm/%40nuxt/kit@4.0.3-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:3fd326a2-fe99-5b23-b4e1-cd77ec354040", "id": "GHSA-rq7w-g337-39qq", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-rq7w-g337-39qq affects version 4.0.3-tuxcare.2 of @nuxt/kit." }, "affects": [ { "ref": "pkg:npm/%40nuxt/kit@4.0.3-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:1add28d2-15ff-512b-8996-a1fc21c68cd8", "id": "GHSA-w5hq-g745-h8pq", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-w5hq-g745-h8pq affects version 4.0.3-tuxcare.2 of @nuxt/kit." }, "affects": [ { "ref": "pkg:npm/%40nuxt/kit@4.0.3-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:5d336a25-245a-5df5-b235-bca996c2e6ef", "id": "GHSA-wr4h-v87w-p3r7", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-wr4h-v87w-p3r7 affects version 4.0.3-tuxcare.2 of @nuxt/kit." }, "affects": [ { "ref": "pkg:npm/%40nuxt/kit@4.0.3-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:e591fc12-7987-5949-84a9-8e7caa65afeb", "id": "GHSA-x7mm-9vvv-64w8", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-x7mm-9vvv-64w8 affects version 4.0.3-tuxcare.2 of @nuxt/kit." }, "affects": [ { "ref": "pkg:npm/%40nuxt/kit@4.0.3-tuxcare.2" } ] } ], "dependencies": [ { "ref": "pkg:npm/%40nuxt/kit@4.0.3-tuxcare.2" } ] }