{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:0d20e8f7-be8f-5cbf-8869-7afb007c2351", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:npm/%40nuxt/rspack-builder@4.0.3-tuxcare.1", "type": "library", "name": "@nuxt/rspack-builder", "version": "4.0.3-tuxcare.1", "purl": "pkg:npm/%40nuxt/rspack-builder@4.0.3-tuxcare.1" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:9ed8f304-afc9-5f2f-b810-2100061209f9", "id": "CVE-2022-21670", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-21670 is fixed in version 4.0.3-tuxcare.1 of @nuxt/rspack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/rspack-builder@4.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:da7396f7-d2af-5453-98f2-ab545d902cd7", "id": "CVE-2022-25852", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2022-25852 affects version 4.0.3-tuxcare.1 of @nuxt/rspack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/rspack-builder@4.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:8cca15a7-79ff-52fc-87d1-4bd598ba3cac", "id": "CVE-2025-59414", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-59414 is fixed in version 4.0.3-tuxcare.1 of @nuxt/rspack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/rspack-builder@4.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:2a95a2a4-1306-5067-a996-bd2281439e6b", "id": "CVE-2026-25128", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-25128 affects version 4.0.3-tuxcare.1 of @nuxt/rspack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/rspack-builder@4.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:d5df7d85-6a9c-5116-86e1-a922e75ea3e7", "id": "CVE-2026-32887", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-32887 affects version 4.0.3-tuxcare.1 of @nuxt/rspack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/rspack-builder@4.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:6d99e075-a8b7-5cfe-b7e5-a90044e15813", "id": "CVE-2026-33128", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-33128 affects version 4.0.3-tuxcare.1 of @nuxt/rspack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/rspack-builder@4.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:1a2d5c93-7982-5f06-9dd9-8a2515b6a9c6", "id": "CVE-2026-33129", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-33129 affects version 4.0.3-tuxcare.1 of @nuxt/rspack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/rspack-builder@4.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:951c29be-cf7e-5292-aa37-cbd8cca4de1a", "id": "CVE-2026-33131", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-33131 affects version 4.0.3-tuxcare.1 of @nuxt/rspack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/rspack-builder@4.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:70255336-81c2-5cb8-a6c8-74958e1833d3", "id": "CVE-2026-33490", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-33490 affects version 4.0.3-tuxcare.1 of @nuxt/rspack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/rspack-builder@4.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:5d6fc8eb-8e54-5a25-a3ab-cb20347e992a", "id": "CVE-2026-39363", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-39363 affects version 4.0.3-tuxcare.1 of @nuxt/rspack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/rspack-builder@4.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:1934a19d-6e04-58ee-bc1c-17ab7f0c535f", "id": "CVE-2026-39364", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-39364 affects version 4.0.3-tuxcare.1 of @nuxt/rspack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/rspack-builder@4.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:510312b5-e2c8-5086-adf0-20375758403b", "id": "CVE-2026-39365", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-39365 affects version 4.0.3-tuxcare.1 of @nuxt/rspack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/rspack-builder@4.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:5a67b27c-302b-5da7-82c2-d8c2e9c8dd48", "id": "CVE-2026-39406", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-39406 affects version 4.0.3-tuxcare.1 of @nuxt/rspack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/rspack-builder@4.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:94b755a5-328b-5a28-83cc-e01ab0f20995", "id": "CVE-2026-41305", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41305 affects version 4.0.3-tuxcare.1 of @nuxt/rspack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/rspack-builder@4.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:d9a8971c-3704-5cd5-ab88-6056f71348b6", "id": "CVE-2026-42338", "analysis": { "state": "false_positive", "detail": "Vulnerability CVE-2026-42338 is a false positive for @nuxt/rspack-builder 4.0.3-tuxcare.1. false_positive \u2014 CVE-2026-42338 concerns the 'ip-address' npm package, but this repository is the 'nuxt' framework. The affected component (ip-address library) is completely absent from the repository - not as the project itself, not as vendored/bundled code, and not as a declared dependency. This is a wrong-project match." }, "affects": [ { "ref": "pkg:npm/%40nuxt/rspack-builder@4.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:a7ad80ed-fa18-5de7-9a53-cd3a95ae9f47", "id": "CVE-2026-44372", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-44372 affects version 4.0.3-tuxcare.1 of @nuxt/rspack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/rspack-builder@4.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:8c826ae1-fe64-5828-bc38-029783b4835c", "id": "CVE-2026-44373", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-44373 affects version 4.0.3-tuxcare.1 of @nuxt/rspack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/rspack-builder@4.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:f05de269-a9e7-5cae-b8b2-0970e767fbd6", "id": "CVE-2026-45669", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-45669 affects version 4.0.3-tuxcare.1 of @nuxt/rspack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/rspack-builder@4.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:a44342f2-fbdc-5b60-b7d8-396053ce64e3", "id": "CVE-2026-45670", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-45670 affects version 4.0.3-tuxcare.1 of @nuxt/rspack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/rspack-builder@4.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:ea9afdbe-cad8-5915-a1b7-15ad399f3221", "id": "CVE-2026-45736", "analysis": { "state": "false_positive", "detail": "Vulnerability CVE-2026-45736 is a false positive for @nuxt/rspack-builder 4.0.3-tuxcare.1. false_positive \u2014 CVE-2026-45736 is a wrong-project match. The advisory concerns the 'ws' WebSocket library for Node.js, but the target repository is Nuxt.js framework. The ws library's source code (specifically lib/sender.js containing the vulnerable WebSocket close implementation) does not exist anywhere in this repository. While ws appears as a transitive dependency in pnpm-lock.yaml, no ws source code is pre..." }, "affects": [ { "ref": "pkg:npm/%40nuxt/rspack-builder@4.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:a569797f-6dbb-5a3e-810f-4c8b7e547d55", "id": "CVE-2026-46342", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-46342 affects version 4.0.3-tuxcare.1 of @nuxt/rspack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/rspack-builder@4.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:760994a7-c267-52b8-a604-3bfb008da334", "id": "CVE-2026-47200", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-47200 affects version 4.0.3-tuxcare.1 of @nuxt/rspack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/rspack-builder@4.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:0928203d-ead7-53f0-b6e6-ba914d9e1960", "id": "CVE-2026-49993", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-49993 affects version 4.0.3-tuxcare.1 of @nuxt/rspack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/rspack-builder@4.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:c37b0c5e-9f14-598a-91ec-0fe90b840970", "id": "CVE-2026-53571", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-53571 affects version 4.0.3-tuxcare.1 of @nuxt/rspack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/rspack-builder@4.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:f70d22e5-5ee7-50d6-88e9-eca05ba2246d", "id": "CVE-2026-53721", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-53721 affects version 4.0.3-tuxcare.1 of @nuxt/rspack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/rspack-builder@4.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:aa493835-7d5d-5cb9-865f-7bea4bf7b1dd", "id": "CVE-2026-53722", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-53722 affects version 4.0.3-tuxcare.1 of @nuxt/rspack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/rspack-builder@4.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:b661f9b0-f633-5454-bee8-ef6e87516dbb", "id": "CVE-2026-54285", "analysis": { "state": "false_positive", "detail": "Vulnerability CVE-2026-54285 is a false positive for @nuxt/rspack-builder 4.0.3-tuxcare.1. false_positive \u2014 This CVE concerns @opentelemetry/core (OpenTelemetry JavaScript package), but the target repository is Nuxt (Vue.js framework). The affected component W3CBaggagePropagator is completely absent from this repository. This is a wrong-project match." }, "affects": [ { "ref": "pkg:npm/%40nuxt/rspack-builder@4.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:b879d1d7-2906-5e21-8926-7a5e77783f5b", "id": "CVE-2026-56326", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-56326 affects version 4.0.3-tuxcare.1 of @nuxt/rspack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/rspack-builder@4.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:201df6d9-834f-55a8-93f5-8dae09eb36ef", "id": "GHSA-4hxc-9384-m385", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-4hxc-9384-m385 affects version 4.0.3-tuxcare.1 of @nuxt/rspack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/rspack-builder@4.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:867fb4a8-8de7-56b8-a2bb-337c001e21f0", "id": "GHSA-534h-c3cw-v3h9", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-534h-c3cw-v3h9 affects version 4.0.3-tuxcare.1 of @nuxt/rspack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/rspack-builder@4.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:7d483ac6-1f1f-5562-a5f0-cb45d9a4588b", "id": "GHSA-c9cv-mq2m-ppp3", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-c9cv-mq2m-ppp3 affects version 4.0.3-tuxcare.1 of @nuxt/rspack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/rspack-builder@4.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:ff5d8254-5f30-5d94-9589-1dcefd8722ad", "id": "GHSA-gv7w-rqvm-qjhr", "analysis": { "state": "not_affected", "detail": "Vulnerability GHSA-gv7w-rqvm-qjhr does not affect version 4.0.3-tuxcare.1 of @nuxt/rspack-builder. not_affected \u2014 The target Nuxt repository uses esbuild as a Node.js dependency via npm/pnpm, not the vulnerable Deno module. The vulnerability (GHSA-gv7w-rqvm-qjhr) is specific to esbuild's Deno distribution (lib/deno/mod.ts) which downloads binaries at runtime without integrity verification. The Node.js distribution (lib/npm/node-install.ts) contains robust SHA-256 integrity checks and is not affected. This ..." }, "affects": [ { "ref": "pkg:npm/%40nuxt/rspack-builder@4.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:e0bf0759-f444-50f6-afa2-50ff8514f7df", "id": "GHSA-m3q2-p4fw-w38m", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-m3q2-p4fw-w38m affects version 4.0.3-tuxcare.1 of @nuxt/rspack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/rspack-builder@4.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:f3f1aa83-7a02-5379-a434-30d95db7949b", "id": "GHSA-q5pr-72pq-83v3", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-q5pr-72pq-83v3 affects version 4.0.3-tuxcare.1 of @nuxt/rspack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/rspack-builder@4.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:43e90d4a-d5bd-5388-bb47-f08bb397407a", "id": "GHSA-rq7w-g337-39qq", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-rq7w-g337-39qq affects version 4.0.3-tuxcare.1 of @nuxt/rspack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/rspack-builder@4.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:c534502f-13fb-5a60-98c7-d325b8ddea75", "id": "GHSA-w5hq-g745-h8pq", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-w5hq-g745-h8pq affects version 4.0.3-tuxcare.1 of @nuxt/rspack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/rspack-builder@4.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:a35b457a-69a3-5def-97e8-7b2aec419a23", "id": "GHSA-wr4h-v87w-p3r7", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-wr4h-v87w-p3r7 affects version 4.0.3-tuxcare.1 of @nuxt/rspack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/rspack-builder@4.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:66f42588-659b-5c30-abeb-894b8b9e4b80", "id": "GHSA-x7mm-9vvv-64w8", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-x7mm-9vvv-64w8 affects version 4.0.3-tuxcare.1 of @nuxt/rspack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/rspack-builder@4.0.3-tuxcare.1" } ] } ], "dependencies": [ { "ref": "pkg:npm/%40nuxt/rspack-builder@4.0.3-tuxcare.1" } ] }