{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:3100934e-c175-5fc6-9ea9-5cdb88da7e64", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:npm/%40nuxt/vite-builder@4.0.3-tuxcare.3", "type": "library", "name": "@nuxt/vite-builder", "version": "4.0.3-tuxcare.3", "purl": "pkg:npm/%40nuxt/vite-builder@4.0.3-tuxcare.3" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:0901a679-401d-588b-abb3-3f08c867818f", "id": "CVE-2022-21670", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-21670 is fixed in version 4.0.3-tuxcare.3 of @nuxt/vite-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:a7c049ce-c510-5305-84cf-94fbd3c7cd45", "id": "CVE-2022-25852", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2022-25852 affects version 4.0.3-tuxcare.3 of @nuxt/vite-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:781279fc-2e0a-54f9-8b9b-3b4673981cf3", "id": "CVE-2025-59414", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-59414 is fixed in version 4.0.3-tuxcare.3 of @nuxt/vite-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:b188789c-c709-5190-966a-bc24f2c0edd2", "id": "CVE-2026-25128", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-25128 affects version 4.0.3-tuxcare.3 of @nuxt/vite-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:8dafbacd-8be6-5822-aaf0-03e83e1e83dc", "id": "CVE-2026-32887", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-32887 affects version 4.0.3-tuxcare.3 of @nuxt/vite-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:fa728b49-0e1c-5b78-95e1-417994d1badf", "id": "CVE-2026-33128", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-33128 affects version 4.0.3-tuxcare.3 of @nuxt/vite-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:188db74d-eac4-5259-9766-a573cf4e692a", "id": "CVE-2026-33129", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-33129 affects version 4.0.3-tuxcare.3 of @nuxt/vite-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:da9155c7-05c7-582d-9bb5-b383b11db406", "id": "CVE-2026-33131", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-33131 affects version 4.0.3-tuxcare.3 of @nuxt/vite-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:ae1f33b9-0029-57ca-bd1e-0edadd432e67", "id": "CVE-2026-33490", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-33490 affects version 4.0.3-tuxcare.3 of @nuxt/vite-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:db8ae886-faff-50e1-bd07-f4252d493aca", "id": "CVE-2026-39363", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-39363 affects version 4.0.3-tuxcare.3 of @nuxt/vite-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:c029e5f4-2a2d-5c1c-84a9-092bdf1932fa", "id": "CVE-2026-39364", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-39364 affects version 4.0.3-tuxcare.3 of @nuxt/vite-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:c169885b-50f5-527a-a279-a429257cbf36", "id": "CVE-2026-39365", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-39365 affects version 4.0.3-tuxcare.3 of @nuxt/vite-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:d0d84576-7a8c-54e1-9ba4-871ef8e8e583", "id": "CVE-2026-39406", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-39406 affects version 4.0.3-tuxcare.3 of @nuxt/vite-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:17d88e98-0665-5666-bf05-ef04db5462d6", "id": "CVE-2026-41305", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41305 affects version 4.0.3-tuxcare.3 of @nuxt/vite-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:e2875aa5-b3a2-5a29-813d-88cdb798389f", "id": "CVE-2026-42338", "analysis": { "state": "false_positive", "detail": "Vulnerability CVE-2026-42338 is a false positive for @nuxt/vite-builder 4.0.3-tuxcare.3. false_positive \u2014 CVE-2026-42338 concerns the 'ip-address' npm package, but this repository is the 'nuxt' framework. The affected component (ip-address library) is completely absent from the repository - not as the project itself, not as vendored/bundled code, and not as a declared dependency. This is a wrong-project match." }, "affects": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:c059335d-60fa-5217-916c-ccfb3932fbc1", "id": "CVE-2026-44372", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-44372 affects version 4.0.3-tuxcare.3 of @nuxt/vite-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:67d4d589-51d3-5750-a0d3-97cecb835c80", "id": "CVE-2026-44373", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-44373 affects version 4.0.3-tuxcare.3 of @nuxt/vite-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:c87d83e8-d44d-51c9-8cd3-7d5f3bc08f0f", "id": "CVE-2026-45669", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-45669 is fixed in version 4.0.3-tuxcare.3 of @nuxt/vite-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:bc93b217-2a37-59be-8290-fe4677a94afe", "id": "CVE-2026-45670", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-45670 affects version 4.0.3-tuxcare.3 of @nuxt/vite-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:7fed43a4-7117-5f41-8a58-fef9ec04b297", "id": "CVE-2026-45736", "analysis": { "state": "false_positive", "detail": "Vulnerability CVE-2026-45736 is a false positive for @nuxt/vite-builder 4.0.3-tuxcare.3. false_positive \u2014 CVE-2026-45736 is a wrong-project match. The advisory concerns the 'ws' WebSocket library for Node.js, but the target repository is Nuxt.js framework. The ws library's source code (specifically lib/sender.js containing the vulnerable WebSocket close implementation) does not exist anywhere in this repository. While ws appears as a transitive dependency in pnpm-lock.yaml, no ws source code is pre..." }, "affects": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:e01a25d7-93f5-54a5-b5c7-c6dce3b0abe3", "id": "CVE-2026-46342", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-46342 is fixed in version 4.0.3-tuxcare.3 of @nuxt/vite-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:b990be40-53d0-5595-aa5e-da66774f94e3", "id": "CVE-2026-47200", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-47200 affects version 4.0.3-tuxcare.3 of @nuxt/vite-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:beb67d9e-c894-52e8-b0eb-3bd77638c5a7", "id": "CVE-2026-49993", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-49993 affects version 4.0.3-tuxcare.3 of @nuxt/vite-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:0f6854bb-0ea2-5969-9223-da586bb6153e", "id": "CVE-2026-53571", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-53571 affects version 4.0.3-tuxcare.3 of @nuxt/vite-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:340617dc-2b33-5e16-ba6a-ee3e2ec697c7", "id": "CVE-2026-53721", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-53721 affects version 4.0.3-tuxcare.3 of @nuxt/vite-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:6896a841-e51b-5a9b-a0a7-8b089a3b193b", "id": "CVE-2026-53722", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-53722 affects version 4.0.3-tuxcare.3 of @nuxt/vite-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:5f4489fd-645f-5d40-9d6f-5bc7f0df780d", "id": "CVE-2026-54285", "analysis": { "state": "false_positive", "detail": "Vulnerability CVE-2026-54285 is a false positive for @nuxt/vite-builder 4.0.3-tuxcare.3. false_positive \u2014 This CVE concerns @opentelemetry/core (OpenTelemetry JavaScript package), but the target repository is Nuxt (Vue.js framework). The affected component W3CBaggagePropagator is completely absent from this repository. This is a wrong-project match." }, "affects": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:ab555d28-7473-526b-a6d2-5d37fae8402e", "id": "CVE-2026-56326", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-56326 affects version 4.0.3-tuxcare.3 of @nuxt/vite-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:7824d810-34f4-5898-a1b6-ce58353e43ae", "id": "GHSA-4hxc-9384-m385", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-4hxc-9384-m385 affects version 4.0.3-tuxcare.3 of @nuxt/vite-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:426b4719-afde-5c3f-a057-85d858d720de", "id": "GHSA-534h-c3cw-v3h9", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-534h-c3cw-v3h9 affects version 4.0.3-tuxcare.3 of @nuxt/vite-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:1ae60fb1-44a5-52ad-9ee8-fd62857e643f", "id": "GHSA-c9cv-mq2m-ppp3", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-c9cv-mq2m-ppp3 affects version 4.0.3-tuxcare.3 of @nuxt/vite-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:aa869af2-8d3c-57ce-8e69-a28ec273bb2e", "id": "GHSA-gv7w-rqvm-qjhr", "analysis": { "state": "not_affected", "detail": "Vulnerability GHSA-gv7w-rqvm-qjhr does not affect version 4.0.3-tuxcare.3 of @nuxt/vite-builder. not_affected \u2014 The target Nuxt repository uses esbuild as a Node.js dependency via npm/pnpm, not the vulnerable Deno module. The vulnerability (GHSA-gv7w-rqvm-qjhr) is specific to esbuild's Deno distribution (lib/deno/mod.ts) which downloads binaries at runtime without integrity verification. The Node.js distribution (lib/npm/node-install.ts) contains robust SHA-256 integrity checks and is not affected. This ..." }, "affects": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:375e1b7e-38e8-5af3-a06a-bd144684491b", "id": "GHSA-m3q2-p4fw-w38m", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-m3q2-p4fw-w38m affects version 4.0.3-tuxcare.3 of @nuxt/vite-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:dd4ef37b-548e-5bc4-9f5d-b19dc01fa9b6", "id": "GHSA-q5pr-72pq-83v3", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-q5pr-72pq-83v3 affects version 4.0.3-tuxcare.3 of @nuxt/vite-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:f9ff4188-c0d8-53f1-821d-dd265b164ff7", "id": "GHSA-rq7w-g337-39qq", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-rq7w-g337-39qq affects version 4.0.3-tuxcare.3 of @nuxt/vite-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:933ac124-4239-530d-84e6-7810914d7f78", "id": "GHSA-w5hq-g745-h8pq", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-w5hq-g745-h8pq affects version 4.0.3-tuxcare.3 of @nuxt/vite-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:0011ca13-5d1b-55db-bc7c-974281952397", "id": "GHSA-wr4h-v87w-p3r7", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-wr4h-v87w-p3r7 affects version 4.0.3-tuxcare.3 of @nuxt/vite-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:1d631c5b-eaf7-54fd-ad23-2631724ef998", "id": "GHSA-x7mm-9vvv-64w8", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-x7mm-9vvv-64w8 affects version 4.0.3-tuxcare.3 of @nuxt/vite-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3-tuxcare.3" } ] } ], "dependencies": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3-tuxcare.3" } ] }