{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:c76244ef-15ef-5ea5-8965-316e5ef2353f", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:npm/%40nuxt/vite-builder@4.0.3-tuxcare.2", "type": "library", "name": "@nuxt/vite-builder", "version": "4.0.3-tuxcare.2", "purl": "pkg:npm/%40nuxt/vite-builder@4.0.3-tuxcare.2" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:5576bbea-8c06-524b-9259-6b04b971bdbc", "id": "CVE-2022-21670", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-21670 is fixed in version 4.0.3-tuxcare.2 of @nuxt/vite-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:23cbd434-2892-5806-b182-f64d769f60a5", "id": "CVE-2022-25852", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2022-25852 affects version 4.0.3-tuxcare.2 of @nuxt/vite-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:c2ded4ed-d5ab-5059-a41f-34aa4df44aa0", "id": "CVE-2025-59414", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-59414 is fixed in version 4.0.3-tuxcare.2 of @nuxt/vite-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:bb5bb46e-44cb-5e07-abf6-e2ddb3c98ba8", "id": "CVE-2026-25128", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-25128 affects version 4.0.3-tuxcare.2 of @nuxt/vite-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:1b538084-5c2e-50f1-9a5b-8d276b043b25", "id": "CVE-2026-32887", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-32887 affects version 4.0.3-tuxcare.2 of @nuxt/vite-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:c5774270-ff86-50b0-9af1-01684a9b545c", "id": "CVE-2026-33128", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-33128 affects version 4.0.3-tuxcare.2 of @nuxt/vite-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:211967db-735d-5767-a7bb-a5088f2cf7f6", "id": "CVE-2026-33129", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-33129 affects version 4.0.3-tuxcare.2 of @nuxt/vite-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:31e4d390-2290-51ed-808a-5b289a948d1b", "id": "CVE-2026-33131", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-33131 affects version 4.0.3-tuxcare.2 of @nuxt/vite-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:d72ca63f-8173-54e7-8e40-2a9fa3890e6e", "id": "CVE-2026-33490", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-33490 affects version 4.0.3-tuxcare.2 of @nuxt/vite-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:ddf5a716-68ca-5964-acfa-2e9089d88b64", "id": "CVE-2026-39363", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-39363 affects version 4.0.3-tuxcare.2 of @nuxt/vite-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:2962e602-96f5-568a-a847-6dd1332ec433", "id": "CVE-2026-39364", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-39364 affects version 4.0.3-tuxcare.2 of @nuxt/vite-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:e3dc402a-904e-5912-bd08-b442c52f9d5c", "id": "CVE-2026-39365", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-39365 affects version 4.0.3-tuxcare.2 of @nuxt/vite-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:1ad49861-9292-5687-858f-ec1e94dd74d2", "id": "CVE-2026-39406", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-39406 affects version 4.0.3-tuxcare.2 of @nuxt/vite-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:3133d97a-5523-567d-8105-73ad329bf087", "id": "CVE-2026-41305", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41305 affects version 4.0.3-tuxcare.2 of @nuxt/vite-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:b18811de-e712-5336-9e1b-bca1e20d96bc", "id": "CVE-2026-42338", "analysis": { "state": "false_positive", "detail": "Vulnerability CVE-2026-42338 is a false positive for @nuxt/vite-builder 4.0.3-tuxcare.2. false_positive \u2014 CVE-2026-42338 concerns the 'ip-address' npm package, but this repository is the 'nuxt' framework. The affected component (ip-address library) is completely absent from the repository - not as the project itself, not as vendored/bundled code, and not as a declared dependency. This is a wrong-project match." }, "affects": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:4ede3815-1074-5aee-ad0a-b4ce865f5484", "id": "CVE-2026-44372", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-44372 affects version 4.0.3-tuxcare.2 of @nuxt/vite-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:9e533326-d4bb-59e3-8466-6852d9681760", "id": "CVE-2026-44373", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-44373 affects version 4.0.3-tuxcare.2 of @nuxt/vite-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:00d0f496-bc9e-56e1-9afe-2bb9e434c5b0", "id": "CVE-2026-45669", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-45669 affects version 4.0.3-tuxcare.2 of @nuxt/vite-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:247ba621-95ac-5ea5-854a-49717941471f", "id": "CVE-2026-45670", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-45670 affects version 4.0.3-tuxcare.2 of @nuxt/vite-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:927ed435-a86c-5205-a49f-550ebe10a8eb", "id": "CVE-2026-45736", "analysis": { "state": "false_positive", "detail": "Vulnerability CVE-2026-45736 is a false positive for @nuxt/vite-builder 4.0.3-tuxcare.2. false_positive \u2014 CVE-2026-45736 is a wrong-project match. The advisory concerns the 'ws' WebSocket library for Node.js, but the target repository is Nuxt.js framework. The ws library's source code (specifically lib/sender.js containing the vulnerable WebSocket close implementation) does not exist anywhere in this repository. While ws appears as a transitive dependency in pnpm-lock.yaml, no ws source code is pre..." }, "affects": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:6894176b-b5cd-5cdc-b740-65c1e6532506", "id": "CVE-2026-46342", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-46342 affects version 4.0.3-tuxcare.2 of @nuxt/vite-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:1ec3b5a1-3fc8-5065-8977-ec059387243e", "id": "CVE-2026-47200", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-47200 affects version 4.0.3-tuxcare.2 of @nuxt/vite-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:b0df5fbe-4ecb-5d14-9dee-dcbc1cdc0c9d", "id": "CVE-2026-49993", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-49993 affects version 4.0.3-tuxcare.2 of @nuxt/vite-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:440729c6-abe6-51e3-8676-e613239b9dde", "id": "CVE-2026-53571", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-53571 affects version 4.0.3-tuxcare.2 of @nuxt/vite-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:7ab9f4d2-fc84-5488-961c-0e8bb2363d40", "id": "CVE-2026-53721", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-53721 affects version 4.0.3-tuxcare.2 of @nuxt/vite-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:be4bdc0d-50d1-5780-91db-0a17722b2160", "id": "CVE-2026-53722", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-53722 affects version 4.0.3-tuxcare.2 of @nuxt/vite-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:7a6d8a4e-c841-5804-b670-62a5d93b5d19", "id": "CVE-2026-54285", "analysis": { "state": "false_positive", "detail": "Vulnerability CVE-2026-54285 is a false positive for @nuxt/vite-builder 4.0.3-tuxcare.2. false_positive \u2014 This CVE concerns @opentelemetry/core (OpenTelemetry JavaScript package), but the target repository is Nuxt (Vue.js framework). The affected component W3CBaggagePropagator is completely absent from this repository. This is a wrong-project match." }, "affects": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:aa0ae8c4-b7bf-5e4e-8bcf-3e35e57500fb", "id": "CVE-2026-56326", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-56326 affects version 4.0.3-tuxcare.2 of @nuxt/vite-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:edc80850-df4a-5b66-80c0-8d56b24a3f0e", "id": "GHSA-4hxc-9384-m385", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-4hxc-9384-m385 affects version 4.0.3-tuxcare.2 of @nuxt/vite-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:f7b2095d-8c46-54d9-804c-4c0f6f65e033", "id": "GHSA-534h-c3cw-v3h9", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-534h-c3cw-v3h9 affects version 4.0.3-tuxcare.2 of @nuxt/vite-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:48fb3213-cd1f-5f5a-930c-2bee3570ee6f", "id": "GHSA-c9cv-mq2m-ppp3", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-c9cv-mq2m-ppp3 affects version 4.0.3-tuxcare.2 of @nuxt/vite-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:e45e8490-e528-58f8-a1ef-de7168c5aba9", "id": "GHSA-gv7w-rqvm-qjhr", "analysis": { "state": "not_affected", "detail": "Vulnerability GHSA-gv7w-rqvm-qjhr does not affect version 4.0.3-tuxcare.2 of @nuxt/vite-builder. not_affected \u2014 The target Nuxt repository uses esbuild as a Node.js dependency via npm/pnpm, not the vulnerable Deno module. The vulnerability (GHSA-gv7w-rqvm-qjhr) is specific to esbuild's Deno distribution (lib/deno/mod.ts) which downloads binaries at runtime without integrity verification. The Node.js distribution (lib/npm/node-install.ts) contains robust SHA-256 integrity checks and is not affected. This ..." }, "affects": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:4eeaa31d-90ab-5c4b-b2d5-fee8469754fe", "id": "GHSA-m3q2-p4fw-w38m", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-m3q2-p4fw-w38m affects version 4.0.3-tuxcare.2 of @nuxt/vite-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:2337f59e-eb63-5b68-9002-d856cb0e0188", "id": "GHSA-q5pr-72pq-83v3", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-q5pr-72pq-83v3 affects version 4.0.3-tuxcare.2 of @nuxt/vite-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:4487af66-c6dc-54cd-8d68-eba56ace1858", "id": "GHSA-rq7w-g337-39qq", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-rq7w-g337-39qq affects version 4.0.3-tuxcare.2 of @nuxt/vite-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:96b7abc7-fa46-572e-ae28-03c5318a4a40", "id": "GHSA-w5hq-g745-h8pq", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-w5hq-g745-h8pq affects version 4.0.3-tuxcare.2 of @nuxt/vite-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:0e87234e-76cc-5557-b622-4a8df26e2a3a", "id": "GHSA-wr4h-v87w-p3r7", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-wr4h-v87w-p3r7 affects version 4.0.3-tuxcare.2 of @nuxt/vite-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:fdfea962-6efc-5bd9-97d0-87f8ca451ca7", "id": "GHSA-x7mm-9vvv-64w8", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-x7mm-9vvv-64w8 affects version 4.0.3-tuxcare.2 of @nuxt/vite-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3-tuxcare.2" } ] } ], "dependencies": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3-tuxcare.2" } ] }