{
  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "serialNumber": "urn:uuid:50f54029-2708-5f9a-93e2-668944caba2d",
  "version": 1,
  "metadata": {
    "tools": [
      {
        "name": "tuxcare-vex-generator",
        "version": "1.0.0"
      }
    ]
  },
  "components": [
    {
      "bom-ref": "pkg:npm/%40nuxt/kit@4.0.3",
      "type": "library",
      "name": "@nuxt/kit",
      "version": "4.0.3",
      "purl": "pkg:npm/%40nuxt/kit@4.0.3"
    }
  ],
  "vulnerabilities": [
    {
      "bom-ref": "urn:uuid:18989528-beff-5030-b1f0-67445d9612e5",
      "id": "CVE-2022-25852",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2022-25852 affects version 4.0.3 of @nuxt/kit."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40nuxt/kit@4.0.3"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:f5e38751-0b99-501b-bd22-a091bbfbf164",
      "id": "CVE-2026-25128",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-25128 affects version 4.0.3 of @nuxt/kit."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40nuxt/kit@4.0.3"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:a31b53f8-54dd-50a0-b74e-99d17110591c",
      "id": "CVE-2026-32887",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-32887 affects version 4.0.3 of @nuxt/kit."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40nuxt/kit@4.0.3"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:7534c63a-b212-559c-bd12-4f481248a2e4",
      "id": "CVE-2026-33128",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-33128 affects version 4.0.3 of @nuxt/kit."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40nuxt/kit@4.0.3"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:c2cb61f9-a6f6-561e-835d-44e3369ea913",
      "id": "CVE-2026-33129",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-33129 affects version 4.0.3 of @nuxt/kit."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40nuxt/kit@4.0.3"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:1b4485b3-4edb-5e7d-98bc-bebb6d3cecaa",
      "id": "CVE-2026-33131",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-33131 affects version 4.0.3 of @nuxt/kit."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40nuxt/kit@4.0.3"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:ab57284e-d5e4-5f8b-87c4-02dba9bb65d2",
      "id": "CVE-2026-33490",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-33490 affects version 4.0.3 of @nuxt/kit."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40nuxt/kit@4.0.3"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:0571b43a-69b0-55d2-825e-bae29c3838e6",
      "id": "CVE-2026-39363",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-39363 affects version 4.0.3 of @nuxt/kit."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40nuxt/kit@4.0.3"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:ca7eeb3c-3114-59ab-a3b4-00dd5b12b7f4",
      "id": "CVE-2026-39364",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-39364 affects version 4.0.3 of @nuxt/kit."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40nuxt/kit@4.0.3"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:0533c197-07a1-5821-8109-3773c42914ed",
      "id": "CVE-2026-39365",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-39365 affects version 4.0.3 of @nuxt/kit."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40nuxt/kit@4.0.3"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:6c81b469-a84c-52fe-8a17-0ce77bcb0817",
      "id": "CVE-2026-39406",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-39406 affects version 4.0.3 of @nuxt/kit."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40nuxt/kit@4.0.3"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:6330b581-5761-5cbb-8bbe-b2eb49520c44",
      "id": "CVE-2026-41305",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-41305 affects version 4.0.3 of @nuxt/kit."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40nuxt/kit@4.0.3"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:6878f0a5-f8b8-530c-98af-527b74a738e4",
      "id": "CVE-2026-42338",
      "analysis": {
        "state": "false_positive",
        "detail": "Vulnerability CVE-2026-42338 is a false positive for @nuxt/kit 4.0.3. false_positive \u2014 CVE-2026-42338 concerns the 'ip-address' npm package, but this repository is the 'nuxt' framework. The affected component (ip-address library) is completely absent from the repository - not as the project itself, not as vendored/bundled code, and not as a declared dependency. This is a wrong-project match."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40nuxt/kit@4.0.3"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:aacb244f-d8b3-54fb-b262-13e2453eb28a",
      "id": "CVE-2026-44372",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-44372 affects version 4.0.3 of @nuxt/kit."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40nuxt/kit@4.0.3"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:2a29682f-535d-529e-855d-79cb0340b21a",
      "id": "CVE-2026-44373",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-44373 affects version 4.0.3 of @nuxt/kit."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40nuxt/kit@4.0.3"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:bcac0e91-5bb5-5978-bf8b-1fdaf278efb6",
      "id": "CVE-2026-45670",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-45670 affects version 4.0.3 of @nuxt/kit."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40nuxt/kit@4.0.3"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:bb20b12e-759b-54a8-a28d-6b98adbf5f21",
      "id": "CVE-2026-45736",
      "analysis": {
        "state": "false_positive",
        "detail": "Vulnerability CVE-2026-45736 is a false positive for @nuxt/kit 4.0.3. false_positive \u2014 CVE-2026-45736 is a wrong-project match. The advisory concerns the 'ws' WebSocket library for Node.js, but the target repository is Nuxt.js framework. The ws library's source code (specifically lib/sender.js containing the vulnerable WebSocket close implementation) does not exist anywhere in this repository. While ws appears as a transitive dependency in pnpm-lock.yaml, no ws source code is pre..."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40nuxt/kit@4.0.3"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:938f60fa-5d61-5752-a982-ad40e8ee2346",
      "id": "CVE-2026-47200",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-47200 affects version 4.0.3 of @nuxt/kit."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40nuxt/kit@4.0.3"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:f2646456-e9f4-56bd-820a-fefb745433f5",
      "id": "CVE-2026-49993",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-49993 affects version 4.0.3 of @nuxt/kit."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40nuxt/kit@4.0.3"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:d9c92eec-a157-53a6-b89f-e9939236cc15",
      "id": "CVE-2026-53571",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-53571 affects version 4.0.3 of @nuxt/kit."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40nuxt/kit@4.0.3"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:b31c689d-f1e9-5e88-9114-2c3a32c39e30",
      "id": "CVE-2026-53721",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-53721 affects version 4.0.3 of @nuxt/kit."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40nuxt/kit@4.0.3"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:e825f786-0550-5d70-8ee8-831d06c6ea07",
      "id": "CVE-2026-53722",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-53722 affects version 4.0.3 of @nuxt/kit."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40nuxt/kit@4.0.3"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:dcc5a0a4-f28c-55f0-97f5-14f4ebfb35de",
      "id": "CVE-2026-54285",
      "analysis": {
        "state": "false_positive",
        "detail": "Vulnerability CVE-2026-54285 is a false positive for @nuxt/kit 4.0.3. false_positive \u2014 This CVE concerns @opentelemetry/core (OpenTelemetry JavaScript package), but the target repository is Nuxt (Vue.js framework). The affected component W3CBaggagePropagator is completely absent from this repository. This is a wrong-project match."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40nuxt/kit@4.0.3"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:cb4dba5c-19b5-56d1-861b-09a987348ad1",
      "id": "CVE-2026-56326",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-56326 affects version 4.0.3 of @nuxt/kit."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40nuxt/kit@4.0.3"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:32f89507-1efd-58c7-a478-e7ea4296d9f6",
      "id": "GHSA-4hxc-9384-m385",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability GHSA-4hxc-9384-m385 affects version 4.0.3 of @nuxt/kit."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40nuxt/kit@4.0.3"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:69e6a0d5-d613-576c-8dd0-8b612710b536",
      "id": "GHSA-534h-c3cw-v3h9",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability GHSA-534h-c3cw-v3h9 affects version 4.0.3 of @nuxt/kit."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40nuxt/kit@4.0.3"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:446d0fcb-d1c0-5fc1-90b1-3d7ed93b65d5",
      "id": "GHSA-c9cv-mq2m-ppp3",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability GHSA-c9cv-mq2m-ppp3 affects version 4.0.3 of @nuxt/kit."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40nuxt/kit@4.0.3"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:80ca90ac-b4c9-5e9e-b78b-c800fcca6afd",
      "id": "GHSA-gv7w-rqvm-qjhr",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability GHSA-gv7w-rqvm-qjhr does not affect version 4.0.3 of @nuxt/kit. not_affected \u2014 The target Nuxt repository uses esbuild as a Node.js dependency via npm/pnpm, not the vulnerable Deno module. The vulnerability (GHSA-gv7w-rqvm-qjhr) is specific to esbuild's Deno distribution (lib/deno/mod.ts) which downloads binaries at runtime without integrity verification. The Node.js distribution (lib/npm/node-install.ts) contains robust SHA-256 integrity checks and is not affected. This ..."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40nuxt/kit@4.0.3"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:201ef335-7a69-5f9f-86c1-5270cd88cfed",
      "id": "GHSA-m3q2-p4fw-w38m",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability GHSA-m3q2-p4fw-w38m affects version 4.0.3 of @nuxt/kit."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40nuxt/kit@4.0.3"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:80c597b4-1bcd-56f2-b794-1ebb9d3b35d4",
      "id": "GHSA-q5pr-72pq-83v3",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability GHSA-q5pr-72pq-83v3 affects version 4.0.3 of @nuxt/kit."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40nuxt/kit@4.0.3"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:277a73bb-f616-535e-985b-d383ff7bd6dd",
      "id": "GHSA-rq7w-g337-39qq",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability GHSA-rq7w-g337-39qq affects version 4.0.3 of @nuxt/kit."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40nuxt/kit@4.0.3"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:4f9ca54e-ae62-55d2-8652-fcc6313c21c6",
      "id": "GHSA-w5hq-g745-h8pq",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability GHSA-w5hq-g745-h8pq affects version 4.0.3 of @nuxt/kit."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40nuxt/kit@4.0.3"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:e6651297-f1fd-50c7-b0dc-c4293c891b84",
      "id": "GHSA-wr4h-v87w-p3r7",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability GHSA-wr4h-v87w-p3r7 affects version 4.0.3 of @nuxt/kit."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40nuxt/kit@4.0.3"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:babf0db2-157e-55c5-b01f-27d5b703bc58",
      "id": "GHSA-x7mm-9vvv-64w8",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability GHSA-x7mm-9vvv-64w8 affects version 4.0.3 of @nuxt/kit."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40nuxt/kit@4.0.3"
        }
      ]
    }
  ],
  "dependencies": [
    {
      "ref": "pkg:npm/%40nuxt/kit@4.0.3"
    }
  ]
}