{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:30cbdc8f-e853-5255-8b0d-cc4eeab6a8ce", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:npm/%40nuxt/schema@4.0.3", "type": "library", "name": "@nuxt/schema", "version": "4.0.3", "purl": "pkg:npm/%40nuxt/schema@4.0.3" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:9bb21c1b-f325-5ec2-985e-e86383d28161", "id": "CVE-2022-25852", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2022-25852 affects version 4.0.3 of @nuxt/schema." }, "affects": [ { "ref": "pkg:npm/%40nuxt/schema@4.0.3" } ] }, { "bom-ref": "urn:uuid:b245d279-4b2e-5bdc-b61a-72d867d1fd5e", "id": "CVE-2026-25128", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-25128 affects version 4.0.3 of @nuxt/schema." }, "affects": [ { "ref": "pkg:npm/%40nuxt/schema@4.0.3" } ] }, { "bom-ref": "urn:uuid:bb2db493-4818-5788-a75d-d1c09a594a06", "id": "CVE-2026-32887", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-32887 affects version 4.0.3 of @nuxt/schema." }, "affects": [ { "ref": "pkg:npm/%40nuxt/schema@4.0.3" } ] }, { "bom-ref": "urn:uuid:dfc9c0e8-39dc-5d9a-b4ab-016e2232565d", "id": "CVE-2026-33128", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-33128 affects version 4.0.3 of @nuxt/schema." }, "affects": [ { "ref": "pkg:npm/%40nuxt/schema@4.0.3" } ] }, { "bom-ref": "urn:uuid:b641d955-7007-5a36-b02a-50c10519338d", "id": "CVE-2026-33129", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-33129 affects version 4.0.3 of @nuxt/schema." }, "affects": [ { "ref": "pkg:npm/%40nuxt/schema@4.0.3" } ] }, { "bom-ref": "urn:uuid:79c710ba-540a-553e-bda8-ab21a4b2e0dc", "id": "CVE-2026-33131", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-33131 affects version 4.0.3 of @nuxt/schema." }, "affects": [ { "ref": "pkg:npm/%40nuxt/schema@4.0.3" } ] }, { "bom-ref": "urn:uuid:83f75527-b15c-58d0-b9d2-0ab3696c1a3f", "id": "CVE-2026-33490", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-33490 affects version 4.0.3 of @nuxt/schema." }, "affects": [ { "ref": "pkg:npm/%40nuxt/schema@4.0.3" } ] }, { "bom-ref": "urn:uuid:640aba47-d5ba-54d5-83c6-6aa12fea0d0e", "id": "CVE-2026-39363", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-39363 affects version 4.0.3 of @nuxt/schema." }, "affects": [ { "ref": "pkg:npm/%40nuxt/schema@4.0.3" } ] }, { "bom-ref": "urn:uuid:89dfdff8-60fb-5a89-9655-41f4ca4fa70c", "id": "CVE-2026-39364", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-39364 affects version 4.0.3 of @nuxt/schema." }, "affects": [ { "ref": "pkg:npm/%40nuxt/schema@4.0.3" } ] }, { "bom-ref": "urn:uuid:d7380cf2-478c-5734-898a-960348d90a29", "id": "CVE-2026-39365", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-39365 affects version 4.0.3 of @nuxt/schema." }, "affects": [ { "ref": "pkg:npm/%40nuxt/schema@4.0.3" } ] }, { "bom-ref": "urn:uuid:13cdb8ff-1d79-5e86-bd01-049a0535d58c", "id": "CVE-2026-39406", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-39406 affects version 4.0.3 of @nuxt/schema." }, "affects": [ { "ref": "pkg:npm/%40nuxt/schema@4.0.3" } ] }, { "bom-ref": "urn:uuid:e896348e-26ec-505c-b7ea-756d29cfa326", "id": "CVE-2026-41305", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41305 affects version 4.0.3 of @nuxt/schema." }, "affects": [ { "ref": "pkg:npm/%40nuxt/schema@4.0.3" } ] }, { "bom-ref": "urn:uuid:324321d7-2e91-5c46-894c-2f4f25ae8db0", "id": "CVE-2026-42338", "analysis": { "state": "false_positive", "detail": "Vulnerability CVE-2026-42338 is a false positive for @nuxt/schema 4.0.3. false_positive \u2014 CVE-2026-42338 concerns the 'ip-address' npm package, but this repository is the 'nuxt' framework. The affected component (ip-address library) is completely absent from the repository - not as the project itself, not as vendored/bundled code, and not as a declared dependency. This is a wrong-project match." }, "affects": [ { "ref": "pkg:npm/%40nuxt/schema@4.0.3" } ] }, { "bom-ref": "urn:uuid:5029722b-e920-581a-bdc2-be2184c925b1", "id": "CVE-2026-44372", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-44372 affects version 4.0.3 of @nuxt/schema." }, "affects": [ { "ref": "pkg:npm/%40nuxt/schema@4.0.3" } ] }, { "bom-ref": "urn:uuid:bce2aefa-3103-53a6-84c3-caa499ebaa41", "id": "CVE-2026-44373", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-44373 affects version 4.0.3 of @nuxt/schema." }, "affects": [ { "ref": "pkg:npm/%40nuxt/schema@4.0.3" } ] }, { "bom-ref": "urn:uuid:229daa2b-8353-5aab-ab48-8549f48e0c27", "id": "CVE-2026-45670", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-45670 affects version 4.0.3 of @nuxt/schema." }, "affects": [ { "ref": "pkg:npm/%40nuxt/schema@4.0.3" } ] }, { "bom-ref": "urn:uuid:9b8f4855-300a-550c-95a2-68f87fe2f781", "id": "CVE-2026-45736", "analysis": { "state": "false_positive", "detail": "Vulnerability CVE-2026-45736 is a false positive for @nuxt/schema 4.0.3. false_positive \u2014 CVE-2026-45736 is a wrong-project match. The advisory concerns the 'ws' WebSocket library for Node.js, but the target repository is Nuxt.js framework. The ws library's source code (specifically lib/sender.js containing the vulnerable WebSocket close implementation) does not exist anywhere in this repository. While ws appears as a transitive dependency in pnpm-lock.yaml, no ws source code is pre..." }, "affects": [ { "ref": "pkg:npm/%40nuxt/schema@4.0.3" } ] }, { "bom-ref": "urn:uuid:abb6ef37-9a5b-5f85-967b-b0c7c6e74d6d", "id": "CVE-2026-47200", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-47200 affects version 4.0.3 of @nuxt/schema." }, "affects": [ { "ref": "pkg:npm/%40nuxt/schema@4.0.3" } ] }, { "bom-ref": "urn:uuid:f9c9df72-ed42-52bb-aa97-af45fac0704f", "id": "CVE-2026-49993", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-49993 affects version 4.0.3 of @nuxt/schema." }, "affects": [ { "ref": "pkg:npm/%40nuxt/schema@4.0.3" } ] }, { "bom-ref": "urn:uuid:50e2953f-a6af-568b-b753-e271f7779def", "id": "CVE-2026-53571", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-53571 affects version 4.0.3 of @nuxt/schema." }, "affects": [ { "ref": "pkg:npm/%40nuxt/schema@4.0.3" } ] }, { "bom-ref": "urn:uuid:9bd39940-c2a7-510a-8550-b397b1b46e75", "id": "CVE-2026-53721", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-53721 affects version 4.0.3 of @nuxt/schema." }, "affects": [ { "ref": "pkg:npm/%40nuxt/schema@4.0.3" } ] }, { "bom-ref": "urn:uuid:6b70a110-2201-5175-89ff-119240936115", "id": "CVE-2026-53722", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-53722 affects version 4.0.3 of @nuxt/schema." }, "affects": [ { "ref": "pkg:npm/%40nuxt/schema@4.0.3" } ] }, { "bom-ref": "urn:uuid:d67bef16-5d7c-57a0-8581-995c84dd908a", "id": "CVE-2026-54285", "analysis": { "state": "false_positive", "detail": "Vulnerability CVE-2026-54285 is a false positive for @nuxt/schema 4.0.3. false_positive \u2014 This CVE concerns @opentelemetry/core (OpenTelemetry JavaScript package), but the target repository is Nuxt (Vue.js framework). The affected component W3CBaggagePropagator is completely absent from this repository. This is a wrong-project match." }, "affects": [ { "ref": "pkg:npm/%40nuxt/schema@4.0.3" } ] }, { "bom-ref": "urn:uuid:c20d5749-2683-5cda-86cb-900dc30232e1", "id": "CVE-2026-56326", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-56326 affects version 4.0.3 of @nuxt/schema." }, "affects": [ { "ref": "pkg:npm/%40nuxt/schema@4.0.3" } ] }, { "bom-ref": "urn:uuid:3703144c-a1bc-5cb3-8520-ded1a94c009a", "id": "GHSA-4hxc-9384-m385", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-4hxc-9384-m385 affects version 4.0.3 of @nuxt/schema." }, "affects": [ { "ref": "pkg:npm/%40nuxt/schema@4.0.3" } ] }, { "bom-ref": "urn:uuid:ef23477f-e00e-509f-b23c-f317f0e2ad8c", "id": "GHSA-534h-c3cw-v3h9", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-534h-c3cw-v3h9 affects version 4.0.3 of @nuxt/schema." }, "affects": [ { "ref": "pkg:npm/%40nuxt/schema@4.0.3" } ] }, { "bom-ref": "urn:uuid:c60f2d75-0224-52de-acc3-de43b801ae6c", "id": "GHSA-c9cv-mq2m-ppp3", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-c9cv-mq2m-ppp3 affects version 4.0.3 of @nuxt/schema." }, "affects": [ { "ref": "pkg:npm/%40nuxt/schema@4.0.3" } ] }, { "bom-ref": "urn:uuid:e20d5707-b14a-50d6-9eb1-a105b9925090", "id": "GHSA-gv7w-rqvm-qjhr", "analysis": { "state": "not_affected", "detail": "Vulnerability GHSA-gv7w-rqvm-qjhr does not affect version 4.0.3 of @nuxt/schema. not_affected \u2014 The target Nuxt repository uses esbuild as a Node.js dependency via npm/pnpm, not the vulnerable Deno module. The vulnerability (GHSA-gv7w-rqvm-qjhr) is specific to esbuild's Deno distribution (lib/deno/mod.ts) which downloads binaries at runtime without integrity verification. The Node.js distribution (lib/npm/node-install.ts) contains robust SHA-256 integrity checks and is not affected. This ..." }, "affects": [ { "ref": "pkg:npm/%40nuxt/schema@4.0.3" } ] }, { "bom-ref": "urn:uuid:6218f224-39b6-5356-95b3-0329084a3fdf", "id": "GHSA-m3q2-p4fw-w38m", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-m3q2-p4fw-w38m affects version 4.0.3 of @nuxt/schema." }, "affects": [ { "ref": "pkg:npm/%40nuxt/schema@4.0.3" } ] }, { "bom-ref": "urn:uuid:91ae5c64-de6b-555e-b0e3-38332cb69479", "id": "GHSA-q5pr-72pq-83v3", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-q5pr-72pq-83v3 affects version 4.0.3 of @nuxt/schema." }, "affects": [ { "ref": "pkg:npm/%40nuxt/schema@4.0.3" } ] }, { "bom-ref": "urn:uuid:a7d83a4a-2256-5807-89c5-d5410a39da68", "id": "GHSA-rq7w-g337-39qq", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-rq7w-g337-39qq affects version 4.0.3 of @nuxt/schema." }, "affects": [ { "ref": "pkg:npm/%40nuxt/schema@4.0.3" } ] }, { "bom-ref": "urn:uuid:ffedb51e-ca93-582f-b789-06e4162268b9", "id": "GHSA-w5hq-g745-h8pq", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-w5hq-g745-h8pq affects version 4.0.3 of @nuxt/schema." }, "affects": [ { "ref": "pkg:npm/%40nuxt/schema@4.0.3" } ] }, { "bom-ref": "urn:uuid:fb13e216-7b13-525f-aa2d-cb623170a423", "id": "GHSA-wr4h-v87w-p3r7", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-wr4h-v87w-p3r7 affects version 4.0.3 of @nuxt/schema." }, "affects": [ { "ref": "pkg:npm/%40nuxt/schema@4.0.3" } ] }, { "bom-ref": "urn:uuid:dd7410fc-a656-59ea-8f3b-7aea12092f09", "id": "GHSA-x7mm-9vvv-64w8", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-x7mm-9vvv-64w8 affects version 4.0.3 of @nuxt/schema." }, "affects": [ { "ref": "pkg:npm/%40nuxt/schema@4.0.3" } ] } ], "dependencies": [ { "ref": "pkg:npm/%40nuxt/schema@4.0.3" } ] }