{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:1b736fc5-2910-5917-ac80-95c4883a97f7", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:npm/%40nuxt/rspack-builder@4.0.3", "type": "library", "name": "@nuxt/rspack-builder", "version": "4.0.3", "purl": "pkg:npm/%40nuxt/rspack-builder@4.0.3" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:c90a5a75-ee9e-578a-a422-43e96ecbd581", "id": "CVE-2022-25852", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2022-25852 affects version 4.0.3 of @nuxt/rspack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/rspack-builder@4.0.3" } ] }, { "bom-ref": "urn:uuid:81517155-a36c-5958-be87-1b754e5b8303", "id": "CVE-2026-25128", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-25128 affects version 4.0.3 of @nuxt/rspack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/rspack-builder@4.0.3" } ] }, { "bom-ref": "urn:uuid:b92e4466-be16-5742-ac51-214e995b5c31", "id": "CVE-2026-32887", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-32887 affects version 4.0.3 of @nuxt/rspack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/rspack-builder@4.0.3" } ] }, { "bom-ref": "urn:uuid:67196b6a-387a-5850-a0ce-fc57c96a229f", "id": "CVE-2026-33128", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-33128 affects version 4.0.3 of @nuxt/rspack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/rspack-builder@4.0.3" } ] }, { "bom-ref": "urn:uuid:989a3ab1-7925-5934-bf9c-ea40a64e4cb1", "id": "CVE-2026-33129", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-33129 affects version 4.0.3 of @nuxt/rspack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/rspack-builder@4.0.3" } ] }, { "bom-ref": "urn:uuid:76beaa8b-e58f-5a8d-8fe5-8a63f536c104", "id": "CVE-2026-33131", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-33131 affects version 4.0.3 of @nuxt/rspack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/rspack-builder@4.0.3" } ] }, { "bom-ref": "urn:uuid:e1304572-01ad-5600-a354-e4420fe62801", "id": "CVE-2026-33490", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-33490 affects version 4.0.3 of @nuxt/rspack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/rspack-builder@4.0.3" } ] }, { "bom-ref": "urn:uuid:1c6e10d5-15cd-531c-a84c-9cd0c878186a", "id": "CVE-2026-39363", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-39363 affects version 4.0.3 of @nuxt/rspack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/rspack-builder@4.0.3" } ] }, { "bom-ref": "urn:uuid:3d9c7bd1-bc70-5d5d-aca0-3e28501d83b8", "id": "CVE-2026-39364", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-39364 affects version 4.0.3 of @nuxt/rspack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/rspack-builder@4.0.3" } ] }, { "bom-ref": "urn:uuid:8f337616-06a1-5365-b5a2-d602d4614aff", "id": "CVE-2026-39365", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-39365 affects version 4.0.3 of @nuxt/rspack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/rspack-builder@4.0.3" } ] }, { "bom-ref": "urn:uuid:ad545c39-4e22-5939-9ecd-885480d38977", "id": "CVE-2026-39406", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-39406 affects version 4.0.3 of @nuxt/rspack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/rspack-builder@4.0.3" } ] }, { "bom-ref": "urn:uuid:bfd69702-62bc-5231-ac20-d18f8f210c45", "id": "CVE-2026-41305", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41305 affects version 4.0.3 of @nuxt/rspack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/rspack-builder@4.0.3" } ] }, { "bom-ref": "urn:uuid:87afaedd-64ef-53b2-a5de-3d60f8f31c1a", "id": "CVE-2026-42338", "analysis": { "state": "false_positive", "detail": "Vulnerability CVE-2026-42338 is a false positive for @nuxt/rspack-builder 4.0.3. false_positive \u2014 CVE-2026-42338 concerns the 'ip-address' npm package, but this repository is the 'nuxt' framework. The affected component (ip-address library) is completely absent from the repository - not as the project itself, not as vendored/bundled code, and not as a declared dependency. This is a wrong-project match." }, "affects": [ { "ref": "pkg:npm/%40nuxt/rspack-builder@4.0.3" } ] }, { "bom-ref": "urn:uuid:a77657ef-3c25-5664-a2ec-33bd2de0e624", "id": "CVE-2026-44372", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-44372 affects version 4.0.3 of @nuxt/rspack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/rspack-builder@4.0.3" } ] }, { "bom-ref": "urn:uuid:2b67e431-9183-5777-9e24-2a4052290c3c", "id": "CVE-2026-44373", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-44373 affects version 4.0.3 of @nuxt/rspack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/rspack-builder@4.0.3" } ] }, { "bom-ref": "urn:uuid:0e8fa001-3b0c-5c58-af43-1364b27ee61f", "id": "CVE-2026-45670", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-45670 affects version 4.0.3 of @nuxt/rspack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/rspack-builder@4.0.3" } ] }, { "bom-ref": "urn:uuid:5acb034d-1c62-50e9-8634-6eba93c5eacd", "id": "CVE-2026-45736", "analysis": { "state": "false_positive", "detail": "Vulnerability CVE-2026-45736 is a false positive for @nuxt/rspack-builder 4.0.3. false_positive \u2014 CVE-2026-45736 is a wrong-project match. The advisory concerns the 'ws' WebSocket library for Node.js, but the target repository is Nuxt.js framework. The ws library's source code (specifically lib/sender.js containing the vulnerable WebSocket close implementation) does not exist anywhere in this repository. While ws appears as a transitive dependency in pnpm-lock.yaml, no ws source code is pre..." }, "affects": [ { "ref": "pkg:npm/%40nuxt/rspack-builder@4.0.3" } ] }, { "bom-ref": "urn:uuid:78728988-0344-5ee9-b560-93a1133b2e1b", "id": "CVE-2026-47200", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-47200 affects version 4.0.3 of @nuxt/rspack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/rspack-builder@4.0.3" } ] }, { "bom-ref": "urn:uuid:d1b20b5b-65bf-5af6-9851-4d2e314fda77", "id": "CVE-2026-49993", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-49993 affects version 4.0.3 of @nuxt/rspack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/rspack-builder@4.0.3" } ] }, { "bom-ref": "urn:uuid:e4639411-103e-5df7-8f60-090821703d39", "id": "CVE-2026-53571", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-53571 affects version 4.0.3 of @nuxt/rspack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/rspack-builder@4.0.3" } ] }, { "bom-ref": "urn:uuid:11b69fc1-493b-517c-b189-fe93bd93d81e", "id": "CVE-2026-53721", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-53721 affects version 4.0.3 of @nuxt/rspack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/rspack-builder@4.0.3" } ] }, { "bom-ref": "urn:uuid:f2c040d7-3dea-5089-bde8-cee489e3b402", "id": "CVE-2026-53722", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-53722 affects version 4.0.3 of @nuxt/rspack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/rspack-builder@4.0.3" } ] }, { "bom-ref": "urn:uuid:31e47231-1ca9-5308-b3a8-0148eeff5991", "id": "CVE-2026-54285", "analysis": { "state": "false_positive", "detail": "Vulnerability CVE-2026-54285 is a false positive for @nuxt/rspack-builder 4.0.3. false_positive \u2014 This CVE concerns @opentelemetry/core (OpenTelemetry JavaScript package), but the target repository is Nuxt (Vue.js framework). The affected component W3CBaggagePropagator is completely absent from this repository. This is a wrong-project match." }, "affects": [ { "ref": "pkg:npm/%40nuxt/rspack-builder@4.0.3" } ] }, { "bom-ref": "urn:uuid:0fb88d40-1f1e-5531-92cf-fa6d5f058834", "id": "CVE-2026-56326", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-56326 affects version 4.0.3 of @nuxt/rspack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/rspack-builder@4.0.3" } ] }, { "bom-ref": "urn:uuid:114a4537-c8da-584b-9e8d-7dc7e69d3d92", "id": "GHSA-4hxc-9384-m385", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-4hxc-9384-m385 affects version 4.0.3 of @nuxt/rspack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/rspack-builder@4.0.3" } ] }, { "bom-ref": "urn:uuid:0c5ff798-de16-5f9d-a51a-d0cb6acc6ca2", "id": "GHSA-534h-c3cw-v3h9", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-534h-c3cw-v3h9 affects version 4.0.3 of @nuxt/rspack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/rspack-builder@4.0.3" } ] }, { "bom-ref": "urn:uuid:53f99258-9731-5c40-ab04-3d26811b0beb", "id": "GHSA-c9cv-mq2m-ppp3", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-c9cv-mq2m-ppp3 affects version 4.0.3 of @nuxt/rspack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/rspack-builder@4.0.3" } ] }, { "bom-ref": "urn:uuid:7e8436e8-50f0-554a-a265-2b05b4039c16", "id": "GHSA-gv7w-rqvm-qjhr", "analysis": { "state": "not_affected", "detail": "Vulnerability GHSA-gv7w-rqvm-qjhr does not affect version 4.0.3 of @nuxt/rspack-builder. not_affected \u2014 The target Nuxt repository uses esbuild as a Node.js dependency via npm/pnpm, not the vulnerable Deno module. The vulnerability (GHSA-gv7w-rqvm-qjhr) is specific to esbuild's Deno distribution (lib/deno/mod.ts) which downloads binaries at runtime without integrity verification. The Node.js distribution (lib/npm/node-install.ts) contains robust SHA-256 integrity checks and is not affected. This ..." }, "affects": [ { "ref": "pkg:npm/%40nuxt/rspack-builder@4.0.3" } ] }, { "bom-ref": "urn:uuid:82984575-c609-55ff-aaff-070da4543a0c", "id": "GHSA-m3q2-p4fw-w38m", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-m3q2-p4fw-w38m affects version 4.0.3 of @nuxt/rspack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/rspack-builder@4.0.3" } ] }, { "bom-ref": "urn:uuid:9d2a60ad-0c64-51c3-81e6-106afb730b4c", "id": "GHSA-q5pr-72pq-83v3", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-q5pr-72pq-83v3 affects version 4.0.3 of @nuxt/rspack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/rspack-builder@4.0.3" } ] }, { "bom-ref": "urn:uuid:a8168209-31a1-5528-980b-d726cc80a08e", "id": "GHSA-rq7w-g337-39qq", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-rq7w-g337-39qq affects version 4.0.3 of @nuxt/rspack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/rspack-builder@4.0.3" } ] }, { "bom-ref": "urn:uuid:a2e853e8-60d9-54ab-9116-f6ca3e201d11", "id": "GHSA-w5hq-g745-h8pq", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-w5hq-g745-h8pq affects version 4.0.3 of @nuxt/rspack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/rspack-builder@4.0.3" } ] }, { "bom-ref": "urn:uuid:29a1eb60-6da6-54b0-9bc0-c917b30d0a77", "id": "GHSA-wr4h-v87w-p3r7", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-wr4h-v87w-p3r7 affects version 4.0.3 of @nuxt/rspack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/rspack-builder@4.0.3" } ] }, { "bom-ref": "urn:uuid:8265a6e9-0229-5b2a-b554-9d51c332236f", "id": "GHSA-x7mm-9vvv-64w8", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-x7mm-9vvv-64w8 affects version 4.0.3 of @nuxt/rspack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/rspack-builder@4.0.3" } ] } ], "dependencies": [ { "ref": "pkg:npm/%40nuxt/rspack-builder@4.0.3" } ] }