{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:31d3f3e6-11bb-52f3-9c2a-4710fc95f43f", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:npm/%40nuxt/schema@4.0.3-tuxcare.1", "type": "library", "name": "@nuxt/schema", "version": "4.0.3-tuxcare.1", "purl": "pkg:npm/%40nuxt/schema@4.0.3-tuxcare.1" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:a48681ca-0081-5f90-8823-ff2223e14201", "id": "CVE-2022-21670", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-21670 is fixed in version 4.0.3-tuxcare.1 of @nuxt/schema." }, "affects": [ { "ref": "pkg:npm/%40nuxt/schema@4.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:854ed8c1-1e4f-5675-9bd0-bd25b13ccb24", "id": "CVE-2022-25852", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2022-25852 affects version 4.0.3-tuxcare.1 of @nuxt/schema." }, "affects": [ { "ref": "pkg:npm/%40nuxt/schema@4.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:e0531eb6-2a2d-5d88-8c7e-eef659228d13", "id": "CVE-2025-59414", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-59414 is fixed in version 4.0.3-tuxcare.1 of @nuxt/schema." }, "affects": [ { "ref": "pkg:npm/%40nuxt/schema@4.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:67414708-cb89-534f-ba18-6c4dcd4524c1", "id": "CVE-2026-25128", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-25128 affects version 4.0.3-tuxcare.1 of @nuxt/schema." }, "affects": [ { "ref": "pkg:npm/%40nuxt/schema@4.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:9b4aaf99-dd8d-5f70-8c31-6c1556dce745", "id": "CVE-2026-32887", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-32887 affects version 4.0.3-tuxcare.1 of @nuxt/schema." }, "affects": [ { "ref": "pkg:npm/%40nuxt/schema@4.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:a699b33b-a214-5368-8544-931e0c944bc5", "id": "CVE-2026-33128", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-33128 affects version 4.0.3-tuxcare.1 of @nuxt/schema." }, "affects": [ { "ref": "pkg:npm/%40nuxt/schema@4.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:e8576545-336c-556d-9e48-cd1203a070ba", "id": "CVE-2026-33129", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-33129 affects version 4.0.3-tuxcare.1 of @nuxt/schema." }, "affects": [ { "ref": "pkg:npm/%40nuxt/schema@4.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:d4ba4eff-cf01-5f32-96d7-35d714db2880", "id": "CVE-2026-33131", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-33131 affects version 4.0.3-tuxcare.1 of @nuxt/schema." }, "affects": [ { "ref": "pkg:npm/%40nuxt/schema@4.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:53532484-26e7-59b7-a542-c4a7233bcbed", "id": "CVE-2026-33490", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-33490 affects version 4.0.3-tuxcare.1 of @nuxt/schema." }, "affects": [ { "ref": "pkg:npm/%40nuxt/schema@4.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:412d2183-2fe5-514f-b0b4-4cb8199e3e6a", "id": "CVE-2026-39363", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-39363 affects version 4.0.3-tuxcare.1 of @nuxt/schema." }, "affects": [ { "ref": "pkg:npm/%40nuxt/schema@4.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:78c2f75e-c7f8-50c8-9b66-0b6a667b1630", "id": "CVE-2026-39364", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-39364 affects version 4.0.3-tuxcare.1 of @nuxt/schema." }, "affects": [ { "ref": "pkg:npm/%40nuxt/schema@4.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:569a254c-dba1-5095-83a0-c0eac533adf7", "id": "CVE-2026-39365", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-39365 affects version 4.0.3-tuxcare.1 of @nuxt/schema." }, "affects": [ { "ref": "pkg:npm/%40nuxt/schema@4.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:3d3513f9-8665-5aaa-9435-921b6652dc51", "id": "CVE-2026-39406", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-39406 affects version 4.0.3-tuxcare.1 of @nuxt/schema." }, "affects": [ { "ref": "pkg:npm/%40nuxt/schema@4.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:a1487f44-83a3-5921-9e34-4d638deba380", "id": "CVE-2026-41305", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41305 affects version 4.0.3-tuxcare.1 of @nuxt/schema." }, "affects": [ { "ref": "pkg:npm/%40nuxt/schema@4.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:f7b3d0a0-cc7a-5bdd-8c3c-3c0076fb4038", "id": "CVE-2026-42338", "analysis": { "state": "false_positive", "detail": "Vulnerability CVE-2026-42338 is a false positive for @nuxt/schema 4.0.3-tuxcare.1. false_positive \u2014 CVE-2026-42338 concerns the 'ip-address' npm package, but this repository is the 'nuxt' framework. The affected component (ip-address library) is completely absent from the repository - not as the project itself, not as vendored/bundled code, and not as a declared dependency. This is a wrong-project match." }, "affects": [ { "ref": "pkg:npm/%40nuxt/schema@4.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:636e71bb-a0d4-5950-a91c-575200e59657", "id": "CVE-2026-44372", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-44372 affects version 4.0.3-tuxcare.1 of @nuxt/schema." }, "affects": [ { "ref": "pkg:npm/%40nuxt/schema@4.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:947173a0-aedc-5227-bcbe-625901c4a415", "id": "CVE-2026-44373", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-44373 affects version 4.0.3-tuxcare.1 of @nuxt/schema." }, "affects": [ { "ref": "pkg:npm/%40nuxt/schema@4.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:c46c8ea6-161b-5aee-9116-7f1c4dc66db3", "id": "CVE-2026-45669", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-45669 affects version 4.0.3-tuxcare.1 of @nuxt/schema." }, "affects": [ { "ref": "pkg:npm/%40nuxt/schema@4.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:c17b5721-7402-526b-aae1-821878a7ab1b", "id": "CVE-2026-45670", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-45670 affects version 4.0.3-tuxcare.1 of @nuxt/schema." }, "affects": [ { "ref": "pkg:npm/%40nuxt/schema@4.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:b8224ae2-4fb1-5572-9c71-e3888d134eef", "id": "CVE-2026-45736", "analysis": { "state": "false_positive", "detail": "Vulnerability CVE-2026-45736 is a false positive for @nuxt/schema 4.0.3-tuxcare.1. false_positive \u2014 CVE-2026-45736 is a wrong-project match. The advisory concerns the 'ws' WebSocket library for Node.js, but the target repository is Nuxt.js framework. The ws library's source code (specifically lib/sender.js containing the vulnerable WebSocket close implementation) does not exist anywhere in this repository. While ws appears as a transitive dependency in pnpm-lock.yaml, no ws source code is pre..." }, "affects": [ { "ref": "pkg:npm/%40nuxt/schema@4.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:668ea669-a16c-5af4-91d7-c3641db88c4a", "id": "CVE-2026-46342", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-46342 affects version 4.0.3-tuxcare.1 of @nuxt/schema." }, "affects": [ { "ref": "pkg:npm/%40nuxt/schema@4.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:370a85c4-5d5b-525f-9ce8-fbe6f454dbc5", "id": "CVE-2026-47200", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-47200 affects version 4.0.3-tuxcare.1 of @nuxt/schema." }, "affects": [ { "ref": "pkg:npm/%40nuxt/schema@4.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:378f748f-0b96-5514-8308-24e3ba33d6e2", "id": "CVE-2026-49993", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-49993 affects version 4.0.3-tuxcare.1 of @nuxt/schema." }, "affects": [ { "ref": "pkg:npm/%40nuxt/schema@4.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:34fca04f-0316-5da3-823e-5c7857104c89", "id": "CVE-2026-53571", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-53571 affects version 4.0.3-tuxcare.1 of @nuxt/schema." }, "affects": [ { "ref": "pkg:npm/%40nuxt/schema@4.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:35e0ea6e-4a84-53ae-b9ca-48a3a670fb3e", "id": "CVE-2026-53721", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-53721 affects version 4.0.3-tuxcare.1 of @nuxt/schema." }, "affects": [ { "ref": "pkg:npm/%40nuxt/schema@4.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:7498458b-ffdd-5e93-8902-4917c56b5fbd", "id": "CVE-2026-53722", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-53722 affects version 4.0.3-tuxcare.1 of @nuxt/schema." }, "affects": [ { "ref": "pkg:npm/%40nuxt/schema@4.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:fccf38c2-720a-5669-889c-8282bfef1c1e", "id": "CVE-2026-54285", "analysis": { "state": "false_positive", "detail": "Vulnerability CVE-2026-54285 is a false positive for @nuxt/schema 4.0.3-tuxcare.1. false_positive \u2014 This CVE concerns @opentelemetry/core (OpenTelemetry JavaScript package), but the target repository is Nuxt (Vue.js framework). The affected component W3CBaggagePropagator is completely absent from this repository. This is a wrong-project match." }, "affects": [ { "ref": "pkg:npm/%40nuxt/schema@4.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:cf0a5c2c-30fa-5a34-9a49-38cc5eea46e6", "id": "CVE-2026-56326", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-56326 affects version 4.0.3-tuxcare.1 of @nuxt/schema." }, "affects": [ { "ref": "pkg:npm/%40nuxt/schema@4.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:d612ab2b-d87a-5505-a38e-a11327a2a253", "id": "GHSA-4hxc-9384-m385", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-4hxc-9384-m385 affects version 4.0.3-tuxcare.1 of @nuxt/schema." }, "affects": [ { "ref": "pkg:npm/%40nuxt/schema@4.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:df905a50-7915-51c8-9d66-a7594f74125e", "id": "GHSA-534h-c3cw-v3h9", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-534h-c3cw-v3h9 affects version 4.0.3-tuxcare.1 of @nuxt/schema." }, "affects": [ { "ref": "pkg:npm/%40nuxt/schema@4.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:5a511ee6-68d4-5570-923a-a5337fd38cf2", "id": "GHSA-c9cv-mq2m-ppp3", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-c9cv-mq2m-ppp3 affects version 4.0.3-tuxcare.1 of @nuxt/schema." }, "affects": [ { "ref": "pkg:npm/%40nuxt/schema@4.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:710d48d7-fd5f-5582-8b9d-12cf32850da3", "id": "GHSA-gv7w-rqvm-qjhr", "analysis": { "state": "not_affected", "detail": "Vulnerability GHSA-gv7w-rqvm-qjhr does not affect version 4.0.3-tuxcare.1 of @nuxt/schema. not_affected \u2014 The target Nuxt repository uses esbuild as a Node.js dependency via npm/pnpm, not the vulnerable Deno module. The vulnerability (GHSA-gv7w-rqvm-qjhr) is specific to esbuild's Deno distribution (lib/deno/mod.ts) which downloads binaries at runtime without integrity verification. The Node.js distribution (lib/npm/node-install.ts) contains robust SHA-256 integrity checks and is not affected. This ..." }, "affects": [ { "ref": "pkg:npm/%40nuxt/schema@4.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:54e206d5-8e75-5e21-a200-30e7db449b0a", "id": "GHSA-m3q2-p4fw-w38m", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-m3q2-p4fw-w38m affects version 4.0.3-tuxcare.1 of @nuxt/schema." }, "affects": [ { "ref": "pkg:npm/%40nuxt/schema@4.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:74400db0-6812-5726-a0d9-78f8016d4554", "id": "GHSA-q5pr-72pq-83v3", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-q5pr-72pq-83v3 affects version 4.0.3-tuxcare.1 of @nuxt/schema." }, "affects": [ { "ref": "pkg:npm/%40nuxt/schema@4.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:b869d768-a7af-546c-871c-352d461e048e", "id": "GHSA-rq7w-g337-39qq", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-rq7w-g337-39qq affects version 4.0.3-tuxcare.1 of @nuxt/schema." }, "affects": [ { "ref": "pkg:npm/%40nuxt/schema@4.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:9a115b89-448b-5ee1-8e41-3ad1f91ea35a", "id": "GHSA-w5hq-g745-h8pq", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-w5hq-g745-h8pq affects version 4.0.3-tuxcare.1 of @nuxt/schema." }, "affects": [ { "ref": "pkg:npm/%40nuxt/schema@4.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:a8be146c-a53a-5d37-8112-c351856c1d83", "id": "GHSA-wr4h-v87w-p3r7", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-wr4h-v87w-p3r7 affects version 4.0.3-tuxcare.1 of @nuxt/schema." }, "affects": [ { "ref": "pkg:npm/%40nuxt/schema@4.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:0c3f871a-2edf-5cc4-93ef-2e260bd8511e", "id": "GHSA-x7mm-9vvv-64w8", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-x7mm-9vvv-64w8 affects version 4.0.3-tuxcare.1 of @nuxt/schema." }, "affects": [ { "ref": "pkg:npm/%40nuxt/schema@4.0.3-tuxcare.1" } ] } ], "dependencies": [ { "ref": "pkg:npm/%40nuxt/schema@4.0.3-tuxcare.1" } ] }