{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:0d8fc4e2-adff-5e56-ae89-7c42e01107be", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:npm/%40nuxt/kit@4.0.3-tuxcare.3", "type": "library", "name": "@nuxt/kit", "version": "4.0.3-tuxcare.3", "purl": "pkg:npm/%40nuxt/kit@4.0.3-tuxcare.3" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:aab7bc98-3c81-5bac-a2c4-c5f4cd9a14cc", "id": "CVE-2022-21670", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-21670 is fixed in version 4.0.3-tuxcare.3 of @nuxt/kit." }, "affects": [ { "ref": "pkg:npm/%40nuxt/kit@4.0.3-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:d5acc084-1191-5215-ad10-5ab5e85faddc", "id": "CVE-2022-25852", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2022-25852 affects version 4.0.3-tuxcare.3 of @nuxt/kit." }, "affects": [ { "ref": "pkg:npm/%40nuxt/kit@4.0.3-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:064dce41-649e-5ac3-a4e0-e9a07f86f9df", "id": "CVE-2025-59414", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-59414 is fixed in version 4.0.3-tuxcare.3 of @nuxt/kit." }, "affects": [ { "ref": "pkg:npm/%40nuxt/kit@4.0.3-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:fc3b99b1-cdcf-5c15-abd4-bc52d92c2557", "id": "CVE-2026-25128", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-25128 affects version 4.0.3-tuxcare.3 of @nuxt/kit." }, "affects": [ { "ref": "pkg:npm/%40nuxt/kit@4.0.3-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:a634244f-0021-599e-ac24-aa4f68280442", "id": "CVE-2026-32887", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-32887 affects version 4.0.3-tuxcare.3 of @nuxt/kit." }, "affects": [ { "ref": "pkg:npm/%40nuxt/kit@4.0.3-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:dca75a09-a8f7-5a18-b461-c948a460aa1d", "id": "CVE-2026-33128", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-33128 affects version 4.0.3-tuxcare.3 of @nuxt/kit." }, "affects": [ { "ref": "pkg:npm/%40nuxt/kit@4.0.3-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:6ab0310a-f5fd-5f94-874e-62818057ae34", "id": "CVE-2026-33129", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-33129 affects version 4.0.3-tuxcare.3 of @nuxt/kit." }, "affects": [ { "ref": "pkg:npm/%40nuxt/kit@4.0.3-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:b33364e1-959b-5ebb-a6da-1e203820c78d", "id": "CVE-2026-33131", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-33131 affects version 4.0.3-tuxcare.3 of @nuxt/kit." }, "affects": [ { "ref": "pkg:npm/%40nuxt/kit@4.0.3-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:22eb9d9c-b067-5ed4-90e4-fa4cfab2f24d", "id": "CVE-2026-33490", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-33490 affects version 4.0.3-tuxcare.3 of @nuxt/kit." }, "affects": [ { "ref": "pkg:npm/%40nuxt/kit@4.0.3-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:9dd310d9-dde9-5046-a819-3c8153ee409d", "id": "CVE-2026-39363", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-39363 affects version 4.0.3-tuxcare.3 of @nuxt/kit." }, "affects": [ { "ref": "pkg:npm/%40nuxt/kit@4.0.3-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:c5dfed74-c3c0-5f37-a418-ed31214a75b6", "id": "CVE-2026-39364", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-39364 affects version 4.0.3-tuxcare.3 of @nuxt/kit." }, "affects": [ { "ref": "pkg:npm/%40nuxt/kit@4.0.3-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:6f4fd8e3-3554-5bd1-a115-f9210609512a", "id": "CVE-2026-39365", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-39365 affects version 4.0.3-tuxcare.3 of @nuxt/kit." }, "affects": [ { "ref": "pkg:npm/%40nuxt/kit@4.0.3-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:4c5640ae-48a2-5781-898c-3a29b1da3f2d", "id": "CVE-2026-39406", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-39406 affects version 4.0.3-tuxcare.3 of @nuxt/kit." }, "affects": [ { "ref": "pkg:npm/%40nuxt/kit@4.0.3-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:ed9c9c19-da8a-5103-8006-aae49b135cc9", "id": "CVE-2026-41305", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41305 affects version 4.0.3-tuxcare.3 of @nuxt/kit." }, "affects": [ { "ref": "pkg:npm/%40nuxt/kit@4.0.3-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:f0ad2c63-2255-5a6b-b1c2-eb2974d9ccef", "id": "CVE-2026-42338", "analysis": { "state": "false_positive", "detail": "Vulnerability CVE-2026-42338 is a false positive for @nuxt/kit 4.0.3-tuxcare.3. false_positive \u2014 CVE-2026-42338 concerns the 'ip-address' npm package, but this repository is the 'nuxt' framework. The affected component (ip-address library) is completely absent from the repository - not as the project itself, not as vendored/bundled code, and not as a declared dependency. This is a wrong-project match." }, "affects": [ { "ref": "pkg:npm/%40nuxt/kit@4.0.3-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:5593845e-eeb1-52cc-b019-83312a71d9b4", "id": "CVE-2026-44372", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-44372 affects version 4.0.3-tuxcare.3 of @nuxt/kit." }, "affects": [ { "ref": "pkg:npm/%40nuxt/kit@4.0.3-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:fef4a133-448d-596c-88b3-4264bcc44d73", "id": "CVE-2026-44373", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-44373 affects version 4.0.3-tuxcare.3 of @nuxt/kit." }, "affects": [ { "ref": "pkg:npm/%40nuxt/kit@4.0.3-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:3e3976b5-93f8-52bb-9c9b-b4a0353f01a2", "id": "CVE-2026-45669", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-45669 is fixed in version 4.0.3-tuxcare.3 of @nuxt/kit." }, "affects": [ { "ref": "pkg:npm/%40nuxt/kit@4.0.3-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:a94c8b59-46d0-5004-956c-8f75f7000322", "id": "CVE-2026-45670", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-45670 affects version 4.0.3-tuxcare.3 of @nuxt/kit." }, "affects": [ { "ref": "pkg:npm/%40nuxt/kit@4.0.3-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:b5b64ee8-02a7-5def-ac1e-4c3fce5e6ca2", "id": "CVE-2026-45736", "analysis": { "state": "false_positive", "detail": "Vulnerability CVE-2026-45736 is a false positive for @nuxt/kit 4.0.3-tuxcare.3. false_positive \u2014 CVE-2026-45736 is a wrong-project match. The advisory concerns the 'ws' WebSocket library for Node.js, but the target repository is Nuxt.js framework. The ws library's source code (specifically lib/sender.js containing the vulnerable WebSocket close implementation) does not exist anywhere in this repository. While ws appears as a transitive dependency in pnpm-lock.yaml, no ws source code is pre..." }, "affects": [ { "ref": "pkg:npm/%40nuxt/kit@4.0.3-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:5bc4cfc9-8f78-56be-a432-81b440ab610f", "id": "CVE-2026-46342", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-46342 is fixed in version 4.0.3-tuxcare.3 of @nuxt/kit." }, "affects": [ { "ref": "pkg:npm/%40nuxt/kit@4.0.3-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:7d71c915-4da3-575b-905f-942f88ea072d", "id": "CVE-2026-47200", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-47200 affects version 4.0.3-tuxcare.3 of @nuxt/kit." }, "affects": [ { "ref": "pkg:npm/%40nuxt/kit@4.0.3-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:49335941-cfb6-56f3-bff2-5b5ca1d3c076", "id": "CVE-2026-49993", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-49993 affects version 4.0.3-tuxcare.3 of @nuxt/kit." }, "affects": [ { "ref": "pkg:npm/%40nuxt/kit@4.0.3-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:84011a51-7c0a-5a5f-aad8-9c5b60121071", "id": "CVE-2026-53571", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-53571 affects version 4.0.3-tuxcare.3 of @nuxt/kit." }, "affects": [ { "ref": "pkg:npm/%40nuxt/kit@4.0.3-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:42c28324-81a8-55ca-b6b3-c2a911adad40", "id": "CVE-2026-53721", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-53721 affects version 4.0.3-tuxcare.3 of @nuxt/kit." }, "affects": [ { "ref": "pkg:npm/%40nuxt/kit@4.0.3-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:75d1a330-a619-5821-b13e-ec94b411b3ab", "id": "CVE-2026-53722", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-53722 affects version 4.0.3-tuxcare.3 of @nuxt/kit." }, "affects": [ { "ref": "pkg:npm/%40nuxt/kit@4.0.3-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:22906b35-fdbd-5a70-ad34-601a93a9f9c2", "id": "CVE-2026-54285", "analysis": { "state": "false_positive", "detail": "Vulnerability CVE-2026-54285 is a false positive for @nuxt/kit 4.0.3-tuxcare.3. false_positive \u2014 This CVE concerns @opentelemetry/core (OpenTelemetry JavaScript package), but the target repository is Nuxt (Vue.js framework). The affected component W3CBaggagePropagator is completely absent from this repository. This is a wrong-project match." }, "affects": [ { "ref": "pkg:npm/%40nuxt/kit@4.0.3-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:68e8bc72-9f3e-543d-82a1-feb9b698c8a8", "id": "CVE-2026-56326", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-56326 affects version 4.0.3-tuxcare.3 of @nuxt/kit." }, "affects": [ { "ref": "pkg:npm/%40nuxt/kit@4.0.3-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:9486f4c8-9fbc-5f42-9292-04a3846a5eb3", "id": "GHSA-4hxc-9384-m385", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-4hxc-9384-m385 affects version 4.0.3-tuxcare.3 of @nuxt/kit." }, "affects": [ { "ref": "pkg:npm/%40nuxt/kit@4.0.3-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:1f3e9be3-4840-55cb-beac-23dfa89abae1", "id": "GHSA-534h-c3cw-v3h9", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-534h-c3cw-v3h9 affects version 4.0.3-tuxcare.3 of @nuxt/kit." }, "affects": [ { "ref": "pkg:npm/%40nuxt/kit@4.0.3-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:c7364283-31c0-5830-9254-a0ad78b42742", "id": "GHSA-c9cv-mq2m-ppp3", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-c9cv-mq2m-ppp3 affects version 4.0.3-tuxcare.3 of @nuxt/kit." }, "affects": [ { "ref": "pkg:npm/%40nuxt/kit@4.0.3-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:46843722-8338-5406-b0c7-6bfeb40e5c40", "id": "GHSA-gv7w-rqvm-qjhr", "analysis": { "state": "not_affected", "detail": "Vulnerability GHSA-gv7w-rqvm-qjhr does not affect version 4.0.3-tuxcare.3 of @nuxt/kit. not_affected \u2014 The target Nuxt repository uses esbuild as a Node.js dependency via npm/pnpm, not the vulnerable Deno module. The vulnerability (GHSA-gv7w-rqvm-qjhr) is specific to esbuild's Deno distribution (lib/deno/mod.ts) which downloads binaries at runtime without integrity verification. The Node.js distribution (lib/npm/node-install.ts) contains robust SHA-256 integrity checks and is not affected. This ..." }, "affects": [ { "ref": "pkg:npm/%40nuxt/kit@4.0.3-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:43c66dab-c493-5980-94f0-b8d0fe6cbef6", "id": "GHSA-m3q2-p4fw-w38m", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-m3q2-p4fw-w38m affects version 4.0.3-tuxcare.3 of @nuxt/kit." }, "affects": [ { "ref": "pkg:npm/%40nuxt/kit@4.0.3-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:4c51afbd-eaa7-5555-aa1b-83b0d7edd23a", "id": "GHSA-q5pr-72pq-83v3", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-q5pr-72pq-83v3 affects version 4.0.3-tuxcare.3 of @nuxt/kit." }, "affects": [ { "ref": "pkg:npm/%40nuxt/kit@4.0.3-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:4815179d-8b7c-582c-be30-401b40b3f731", "id": "GHSA-rq7w-g337-39qq", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-rq7w-g337-39qq affects version 4.0.3-tuxcare.3 of @nuxt/kit." }, "affects": [ { "ref": "pkg:npm/%40nuxt/kit@4.0.3-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:d1f1a96a-fbfd-5a8c-836a-c7f99fb52470", "id": "GHSA-w5hq-g745-h8pq", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-w5hq-g745-h8pq affects version 4.0.3-tuxcare.3 of @nuxt/kit." }, "affects": [ { "ref": "pkg:npm/%40nuxt/kit@4.0.3-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:c9dbb728-6a06-5784-8823-5fe96b91a2f8", "id": "GHSA-wr4h-v87w-p3r7", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-wr4h-v87w-p3r7 affects version 4.0.3-tuxcare.3 of @nuxt/kit." }, "affects": [ { "ref": "pkg:npm/%40nuxt/kit@4.0.3-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:c80a9296-17c6-5e0a-9977-9a98f1ff433f", "id": "GHSA-x7mm-9vvv-64w8", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-x7mm-9vvv-64w8 affects version 4.0.3-tuxcare.3 of @nuxt/kit." }, "affects": [ { "ref": "pkg:npm/%40nuxt/kit@4.0.3-tuxcare.3" } ] } ], "dependencies": [ { "ref": "pkg:npm/%40nuxt/kit@4.0.3-tuxcare.3" } ] }