{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:2c017372-8384-5d79-a225-639c701cc54d", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:npm/%40nuxt/vite-builder@4.0.3-tuxcare.1", "type": "library", "name": "@nuxt/vite-builder", "version": "4.0.3-tuxcare.1", "purl": "pkg:npm/%40nuxt/vite-builder@4.0.3-tuxcare.1" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:39ee75de-ce68-5c07-8c1c-ef71188f0dd8", "id": "CVE-2022-21670", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-21670 is fixed in version 4.0.3-tuxcare.1 of @nuxt/vite-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:7a5b922f-8d1f-5a41-a9f2-3d6ecd7ee4f6", "id": "CVE-2022-25852", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2022-25852 affects version 4.0.3-tuxcare.1 of @nuxt/vite-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:aeaf8861-f98c-55de-b0bc-6da741d4fa3d", "id": "CVE-2025-59414", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-59414 is fixed in version 4.0.3-tuxcare.1 of @nuxt/vite-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:baa54c80-7bde-551b-a1a1-27ff4c7fab17", "id": "CVE-2026-25128", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-25128 affects version 4.0.3-tuxcare.1 of @nuxt/vite-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:cebaa40e-5fd9-5ba7-a8aa-65b2733a4c4c", "id": "CVE-2026-32887", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-32887 affects version 4.0.3-tuxcare.1 of @nuxt/vite-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:4085603d-734b-5863-9b4a-fa8e9593c53e", "id": "CVE-2026-33128", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-33128 affects version 4.0.3-tuxcare.1 of @nuxt/vite-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:c67508f4-b49c-57cd-b62b-f274468ab195", "id": "CVE-2026-33129", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-33129 affects version 4.0.3-tuxcare.1 of @nuxt/vite-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:f2a58dbd-6893-549a-a8ea-259599cea601", "id": "CVE-2026-33131", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-33131 affects version 4.0.3-tuxcare.1 of @nuxt/vite-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:ee3805cf-1b65-5a54-9c06-0cc23393b2ad", "id": "CVE-2026-33490", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-33490 affects version 4.0.3-tuxcare.1 of @nuxt/vite-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:89fd5596-56cf-5134-9a6d-2f806988c4c4", "id": "CVE-2026-39363", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-39363 affects version 4.0.3-tuxcare.1 of @nuxt/vite-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:80c8994b-bce6-5c9a-b44b-4ff9f427857e", "id": "CVE-2026-39364", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-39364 affects version 4.0.3-tuxcare.1 of @nuxt/vite-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:9332e346-09d5-51e1-bebd-29b09790abe7", "id": "CVE-2026-39365", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-39365 affects version 4.0.3-tuxcare.1 of @nuxt/vite-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:3c6fbb49-133d-52e7-9ee3-7bbc953c0e28", "id": "CVE-2026-39406", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-39406 affects version 4.0.3-tuxcare.1 of @nuxt/vite-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:0bd83caf-d1ca-5ec3-93bf-d62d2c7b1212", "id": "CVE-2026-41305", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41305 affects version 4.0.3-tuxcare.1 of @nuxt/vite-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:8b2eb94b-9902-51af-8745-e2ebf8914094", "id": "CVE-2026-42338", "analysis": { "state": "false_positive", "detail": "Vulnerability CVE-2026-42338 is a false positive for @nuxt/vite-builder 4.0.3-tuxcare.1. false_positive \u2014 CVE-2026-42338 concerns the 'ip-address' npm package, but this repository is the 'nuxt' framework. The affected component (ip-address library) is completely absent from the repository - not as the project itself, not as vendored/bundled code, and not as a declared dependency. This is a wrong-project match." }, "affects": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:91e94203-acbd-5c95-b54f-0bd583ce2ec1", "id": "CVE-2026-44372", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-44372 affects version 4.0.3-tuxcare.1 of @nuxt/vite-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:cee5ec4c-6694-5d0f-8f8f-c43025a4d24f", "id": "CVE-2026-44373", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-44373 affects version 4.0.3-tuxcare.1 of @nuxt/vite-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:654b8217-a1d5-547f-b101-a8884e4dd27e", "id": "CVE-2026-45669", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-45669 affects version 4.0.3-tuxcare.1 of @nuxt/vite-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:1cbfc16c-2738-55ea-8c86-9b4e5156ce53", "id": "CVE-2026-45670", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-45670 affects version 4.0.3-tuxcare.1 of @nuxt/vite-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:4884a525-18aa-5855-8e89-6c0dbdaed82e", "id": "CVE-2026-45736", "analysis": { "state": "false_positive", "detail": "Vulnerability CVE-2026-45736 is a false positive for @nuxt/vite-builder 4.0.3-tuxcare.1. false_positive \u2014 CVE-2026-45736 is a wrong-project match. The advisory concerns the 'ws' WebSocket library for Node.js, but the target repository is Nuxt.js framework. The ws library's source code (specifically lib/sender.js containing the vulnerable WebSocket close implementation) does not exist anywhere in this repository. While ws appears as a transitive dependency in pnpm-lock.yaml, no ws source code is pre..." }, "affects": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:bc0d5f29-08ab-567d-82ad-9a32f5323acb", "id": "CVE-2026-46342", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-46342 affects version 4.0.3-tuxcare.1 of @nuxt/vite-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:06c13a49-3814-5e1a-b480-07022e570f2f", "id": "CVE-2026-47200", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-47200 affects version 4.0.3-tuxcare.1 of @nuxt/vite-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:e8c1c85b-bfb8-5cd1-a230-15c5e5112195", "id": "CVE-2026-49993", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-49993 affects version 4.0.3-tuxcare.1 of @nuxt/vite-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:809cee19-6061-5056-ac0d-f7116a65edaa", "id": "CVE-2026-53571", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-53571 affects version 4.0.3-tuxcare.1 of @nuxt/vite-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:c8346ebc-15e5-5286-95e3-a17eeb7ba410", "id": "CVE-2026-53721", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-53721 affects version 4.0.3-tuxcare.1 of @nuxt/vite-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:39c05ea5-7002-586d-8158-3be56c40a645", "id": "CVE-2026-53722", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-53722 affects version 4.0.3-tuxcare.1 of @nuxt/vite-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:13d69a43-16f2-500d-95ba-75449beaccf0", "id": "CVE-2026-54285", "analysis": { "state": "false_positive", "detail": "Vulnerability CVE-2026-54285 is a false positive for @nuxt/vite-builder 4.0.3-tuxcare.1. false_positive \u2014 This CVE concerns @opentelemetry/core (OpenTelemetry JavaScript package), but the target repository is Nuxt (Vue.js framework). The affected component W3CBaggagePropagator is completely absent from this repository. This is a wrong-project match." }, "affects": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:e6906cc1-3eb7-5864-92af-4e4c37b83302", "id": "CVE-2026-56326", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-56326 affects version 4.0.3-tuxcare.1 of @nuxt/vite-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:c3a76c7a-9147-5b92-b352-9343cc594b4a", "id": "GHSA-4hxc-9384-m385", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-4hxc-9384-m385 affects version 4.0.3-tuxcare.1 of @nuxt/vite-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:65c26f33-9ef4-5d06-ac00-9aeb4f5b5a4b", "id": "GHSA-534h-c3cw-v3h9", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-534h-c3cw-v3h9 affects version 4.0.3-tuxcare.1 of @nuxt/vite-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:730348d3-c0b8-50c8-838b-d32225bb4cc5", "id": "GHSA-c9cv-mq2m-ppp3", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-c9cv-mq2m-ppp3 affects version 4.0.3-tuxcare.1 of @nuxt/vite-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:83f08c0c-938f-5324-a71f-8630cad949f0", "id": "GHSA-gv7w-rqvm-qjhr", "analysis": { "state": "not_affected", "detail": "Vulnerability GHSA-gv7w-rqvm-qjhr does not affect version 4.0.3-tuxcare.1 of @nuxt/vite-builder. not_affected \u2014 The target Nuxt repository uses esbuild as a Node.js dependency via npm/pnpm, not the vulnerable Deno module. The vulnerability (GHSA-gv7w-rqvm-qjhr) is specific to esbuild's Deno distribution (lib/deno/mod.ts) which downloads binaries at runtime without integrity verification. The Node.js distribution (lib/npm/node-install.ts) contains robust SHA-256 integrity checks and is not affected. This ..." }, "affects": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:e2e35551-b473-5668-831f-fd22c921cdf1", "id": "GHSA-m3q2-p4fw-w38m", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-m3q2-p4fw-w38m affects version 4.0.3-tuxcare.1 of @nuxt/vite-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:554eb07d-8449-55c1-9540-a19000b5ff39", "id": "GHSA-q5pr-72pq-83v3", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-q5pr-72pq-83v3 affects version 4.0.3-tuxcare.1 of @nuxt/vite-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:ee6b91a1-fc66-5abe-a784-ed647afc0ff3", "id": "GHSA-rq7w-g337-39qq", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-rq7w-g337-39qq affects version 4.0.3-tuxcare.1 of @nuxt/vite-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:446c3dc5-1d14-55de-956b-6d8d28c77ac6", "id": "GHSA-w5hq-g745-h8pq", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-w5hq-g745-h8pq affects version 4.0.3-tuxcare.1 of @nuxt/vite-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:e42c286a-67dc-5ace-9f37-1cd0d45905f6", "id": "GHSA-wr4h-v87w-p3r7", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-wr4h-v87w-p3r7 affects version 4.0.3-tuxcare.1 of @nuxt/vite-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:0274dc7f-ce6d-50ea-8b38-cf90a073b2d0", "id": "GHSA-x7mm-9vvv-64w8", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-x7mm-9vvv-64w8 affects version 4.0.3-tuxcare.1 of @nuxt/vite-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3-tuxcare.1" } ] } ], "dependencies": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3-tuxcare.1" } ] }