{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:c6fb3eda-e61e-5a1b-816c-ee24d825744f", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:npm/%40nuxt/rspack-builder@4.0.3-tuxcare.2", "type": "library", "name": "@nuxt/rspack-builder", "version": "4.0.3-tuxcare.2", "purl": "pkg:npm/%40nuxt/rspack-builder@4.0.3-tuxcare.2" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:d60600e3-3736-53b5-805c-42fef3022850", "id": "CVE-2022-21670", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-21670 is fixed in version 4.0.3-tuxcare.2 of @nuxt/rspack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/rspack-builder@4.0.3-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:324b8d09-f675-516f-b9eb-2b4a1f4570d6", "id": "CVE-2022-25852", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2022-25852 affects version 4.0.3-tuxcare.2 of @nuxt/rspack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/rspack-builder@4.0.3-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:fe4d3a33-fa11-56bf-8024-0b7e16dda2ec", "id": "CVE-2025-59414", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-59414 is fixed in version 4.0.3-tuxcare.2 of @nuxt/rspack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/rspack-builder@4.0.3-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:c5825029-4296-5edb-9bf8-07afdef0d9f5", "id": "CVE-2026-25128", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-25128 affects version 4.0.3-tuxcare.2 of @nuxt/rspack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/rspack-builder@4.0.3-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:76d6a70f-1f01-5dd8-9ab1-f96140ee6b08", "id": "CVE-2026-32887", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-32887 affects version 4.0.3-tuxcare.2 of @nuxt/rspack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/rspack-builder@4.0.3-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:2e1d9480-dbc6-57f7-812e-9455517d4621", "id": "CVE-2026-33128", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-33128 affects version 4.0.3-tuxcare.2 of @nuxt/rspack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/rspack-builder@4.0.3-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:1021bc26-2f42-5890-81bd-f7c71abbedd2", "id": "CVE-2026-33129", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-33129 affects version 4.0.3-tuxcare.2 of @nuxt/rspack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/rspack-builder@4.0.3-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:8b1b169e-f799-544e-8a16-26bae5f1ed2d", "id": "CVE-2026-33131", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-33131 affects version 4.0.3-tuxcare.2 of @nuxt/rspack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/rspack-builder@4.0.3-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:56c5ccee-968b-5e15-b535-bb6f1f310b0d", "id": "CVE-2026-33490", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-33490 affects version 4.0.3-tuxcare.2 of @nuxt/rspack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/rspack-builder@4.0.3-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:b51c27a2-64ab-5b35-b8b4-63b198b45c46", "id": "CVE-2026-39363", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-39363 affects version 4.0.3-tuxcare.2 of @nuxt/rspack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/rspack-builder@4.0.3-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:86137e9e-d2e3-5785-9033-69a3e47ddd8b", "id": "CVE-2026-39364", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-39364 affects version 4.0.3-tuxcare.2 of @nuxt/rspack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/rspack-builder@4.0.3-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:2007f0b0-86be-5f16-81de-ca38675b9afc", "id": "CVE-2026-39365", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-39365 affects version 4.0.3-tuxcare.2 of @nuxt/rspack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/rspack-builder@4.0.3-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:19bc1317-39b0-5bc0-9f8d-b18038141b7d", "id": "CVE-2026-39406", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-39406 affects version 4.0.3-tuxcare.2 of @nuxt/rspack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/rspack-builder@4.0.3-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:4010ca3f-d333-598a-8f12-1371d61079dc", "id": "CVE-2026-41305", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41305 affects version 4.0.3-tuxcare.2 of @nuxt/rspack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/rspack-builder@4.0.3-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:bdf72803-abc5-52df-8312-6ff02f5680fe", "id": "CVE-2026-42338", "analysis": { "state": "false_positive", "detail": "Vulnerability CVE-2026-42338 is a false positive for @nuxt/rspack-builder 4.0.3-tuxcare.2. false_positive \u2014 CVE-2026-42338 concerns the 'ip-address' npm package, but this repository is the 'nuxt' framework. The affected component (ip-address library) is completely absent from the repository - not as the project itself, not as vendored/bundled code, and not as a declared dependency. This is a wrong-project match." }, "affects": [ { "ref": "pkg:npm/%40nuxt/rspack-builder@4.0.3-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:8443cb6c-cb56-5fc8-a1cf-62864155e109", "id": "CVE-2026-44372", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-44372 affects version 4.0.3-tuxcare.2 of @nuxt/rspack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/rspack-builder@4.0.3-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:c140de7e-ccdc-5aa7-b1e2-3f29c4386f08", "id": "CVE-2026-44373", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-44373 affects version 4.0.3-tuxcare.2 of @nuxt/rspack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/rspack-builder@4.0.3-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:a9d4cf43-fec8-587f-ab21-16ce627da20f", "id": "CVE-2026-45669", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-45669 affects version 4.0.3-tuxcare.2 of @nuxt/rspack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/rspack-builder@4.0.3-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:d2e825df-af2a-5280-89f7-2a3f2e48af20", "id": "CVE-2026-45670", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-45670 affects version 4.0.3-tuxcare.2 of @nuxt/rspack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/rspack-builder@4.0.3-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:71afbbd9-2e16-51c4-8b63-bd12baeefc00", "id": "CVE-2026-45736", "analysis": { "state": "false_positive", "detail": "Vulnerability CVE-2026-45736 is a false positive for @nuxt/rspack-builder 4.0.3-tuxcare.2. false_positive \u2014 CVE-2026-45736 is a wrong-project match. The advisory concerns the 'ws' WebSocket library for Node.js, but the target repository is Nuxt.js framework. The ws library's source code (specifically lib/sender.js containing the vulnerable WebSocket close implementation) does not exist anywhere in this repository. While ws appears as a transitive dependency in pnpm-lock.yaml, no ws source code is pre..." }, "affects": [ { "ref": "pkg:npm/%40nuxt/rspack-builder@4.0.3-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:552752c2-723c-5ca8-9ac0-8baf9d258525", "id": "CVE-2026-46342", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-46342 affects version 4.0.3-tuxcare.2 of @nuxt/rspack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/rspack-builder@4.0.3-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:b6740f6d-abc9-5b25-a0c5-a7b4dbee0b64", "id": "CVE-2026-47200", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-47200 affects version 4.0.3-tuxcare.2 of @nuxt/rspack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/rspack-builder@4.0.3-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:f7347f07-d759-5bf9-88cc-5de1b4ca8000", "id": "CVE-2026-49993", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-49993 affects version 4.0.3-tuxcare.2 of @nuxt/rspack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/rspack-builder@4.0.3-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:899fe3c5-12cf-5051-841f-559fb1817881", "id": "CVE-2026-53571", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-53571 affects version 4.0.3-tuxcare.2 of @nuxt/rspack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/rspack-builder@4.0.3-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:a478e8ce-e5fe-5e18-885f-5ddeeb8aa790", "id": "CVE-2026-53721", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-53721 affects version 4.0.3-tuxcare.2 of @nuxt/rspack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/rspack-builder@4.0.3-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:65d05090-716c-50be-ad8b-669a8545d796", "id": "CVE-2026-53722", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-53722 affects version 4.0.3-tuxcare.2 of @nuxt/rspack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/rspack-builder@4.0.3-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:0bff948e-3f70-5ff0-b8a3-91bfa8600628", "id": "CVE-2026-54285", "analysis": { "state": "false_positive", "detail": "Vulnerability CVE-2026-54285 is a false positive for @nuxt/rspack-builder 4.0.3-tuxcare.2. false_positive \u2014 This CVE concerns @opentelemetry/core (OpenTelemetry JavaScript package), but the target repository is Nuxt (Vue.js framework). The affected component W3CBaggagePropagator is completely absent from this repository. This is a wrong-project match." }, "affects": [ { "ref": "pkg:npm/%40nuxt/rspack-builder@4.0.3-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:69751ac6-84d6-576c-8ffe-7bab42556fd4", "id": "CVE-2026-56326", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-56326 affects version 4.0.3-tuxcare.2 of @nuxt/rspack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/rspack-builder@4.0.3-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:3076eeb4-c384-5406-b532-6055541c8350", "id": "GHSA-4hxc-9384-m385", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-4hxc-9384-m385 affects version 4.0.3-tuxcare.2 of @nuxt/rspack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/rspack-builder@4.0.3-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:45ecb0c4-762c-5ea0-abef-92c379567842", "id": "GHSA-534h-c3cw-v3h9", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-534h-c3cw-v3h9 affects version 4.0.3-tuxcare.2 of @nuxt/rspack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/rspack-builder@4.0.3-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:3f4934da-a4cf-5dda-bc26-fa07e46379a4", "id": "GHSA-c9cv-mq2m-ppp3", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-c9cv-mq2m-ppp3 affects version 4.0.3-tuxcare.2 of @nuxt/rspack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/rspack-builder@4.0.3-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:703924be-2ada-59f9-9aad-4f044fc77837", "id": "GHSA-gv7w-rqvm-qjhr", "analysis": { "state": "not_affected", "detail": "Vulnerability GHSA-gv7w-rqvm-qjhr does not affect version 4.0.3-tuxcare.2 of @nuxt/rspack-builder. not_affected \u2014 The target Nuxt repository uses esbuild as a Node.js dependency via npm/pnpm, not the vulnerable Deno module. The vulnerability (GHSA-gv7w-rqvm-qjhr) is specific to esbuild's Deno distribution (lib/deno/mod.ts) which downloads binaries at runtime without integrity verification. The Node.js distribution (lib/npm/node-install.ts) contains robust SHA-256 integrity checks and is not affected. This ..." }, "affects": [ { "ref": "pkg:npm/%40nuxt/rspack-builder@4.0.3-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:7a381a1c-803a-5e98-9b4a-0091ab03c7a2", "id": "GHSA-m3q2-p4fw-w38m", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-m3q2-p4fw-w38m affects version 4.0.3-tuxcare.2 of @nuxt/rspack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/rspack-builder@4.0.3-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:fa1f3ef4-bcd3-5217-b33c-3691e8d31bd9", "id": "GHSA-q5pr-72pq-83v3", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-q5pr-72pq-83v3 affects version 4.0.3-tuxcare.2 of @nuxt/rspack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/rspack-builder@4.0.3-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:a267933d-2560-53d4-992b-ffc6134a655f", "id": "GHSA-rq7w-g337-39qq", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-rq7w-g337-39qq affects version 4.0.3-tuxcare.2 of @nuxt/rspack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/rspack-builder@4.0.3-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:f707b4e3-67f3-5281-b5e6-156c3b7cadf2", "id": "GHSA-w5hq-g745-h8pq", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-w5hq-g745-h8pq affects version 4.0.3-tuxcare.2 of @nuxt/rspack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/rspack-builder@4.0.3-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:566acdb5-a350-50ee-a900-df628392e711", "id": "GHSA-wr4h-v87w-p3r7", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-wr4h-v87w-p3r7 affects version 4.0.3-tuxcare.2 of @nuxt/rspack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/rspack-builder@4.0.3-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:8ac58566-393d-5e4c-aa07-a31e0bac7544", "id": "GHSA-x7mm-9vvv-64w8", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-x7mm-9vvv-64w8 affects version 4.0.3-tuxcare.2 of @nuxt/rspack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/rspack-builder@4.0.3-tuxcare.2" } ] } ], "dependencies": [ { "ref": "pkg:npm/%40nuxt/rspack-builder@4.0.3-tuxcare.2" } ] }