{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:e57e20c0-9b8d-5532-86d7-33a2c1224b81", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:npm/%40nuxt/vite-builder@4.0.3", "type": "library", "name": "@nuxt/vite-builder", "version": "4.0.3", "purl": "pkg:npm/%40nuxt/vite-builder@4.0.3" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:edf48eee-e0f7-5616-808d-936d0a87dda0", "id": "CVE-2022-25852", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2022-25852 affects version 4.0.3 of @nuxt/vite-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3" } ] }, { "bom-ref": "urn:uuid:8f078724-3b46-5b6b-acfb-62461b2477f3", "id": "CVE-2026-25128", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-25128 affects version 4.0.3 of @nuxt/vite-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3" } ] }, { "bom-ref": "urn:uuid:2a07b86b-7796-55ce-aee8-99d2c72a9304", "id": "CVE-2026-32887", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-32887 affects version 4.0.3 of @nuxt/vite-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3" } ] }, { "bom-ref": "urn:uuid:22cabd76-4166-5e30-a0a4-c5d0eb7ec3e5", "id": "CVE-2026-33128", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-33128 affects version 4.0.3 of @nuxt/vite-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3" } ] }, { "bom-ref": "urn:uuid:334eaa40-b384-584b-be0e-85567feaeb80", "id": "CVE-2026-33129", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-33129 affects version 4.0.3 of @nuxt/vite-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3" } ] }, { "bom-ref": "urn:uuid:b37aecd1-f547-566d-a1cf-97f5835da4f3", "id": "CVE-2026-33131", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-33131 affects version 4.0.3 of @nuxt/vite-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3" } ] }, { "bom-ref": "urn:uuid:54aef35c-9415-5523-b45a-8d29b5e9062d", "id": "CVE-2026-33490", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-33490 affects version 4.0.3 of @nuxt/vite-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3" } ] }, { "bom-ref": "urn:uuid:c75180ab-26ed-50c8-ae09-b054b5828346", "id": "CVE-2026-39363", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-39363 affects version 4.0.3 of @nuxt/vite-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3" } ] }, { "bom-ref": "urn:uuid:8d3af08d-2918-528b-9071-db40847caa83", "id": "CVE-2026-39364", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-39364 affects version 4.0.3 of @nuxt/vite-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3" } ] }, { "bom-ref": "urn:uuid:7ba03d27-ee8e-5e89-bdac-8460e470c1df", "id": "CVE-2026-39365", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-39365 affects version 4.0.3 of @nuxt/vite-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3" } ] }, { "bom-ref": "urn:uuid:9ce39a33-3e73-5355-9338-1f388496d3d1", "id": "CVE-2026-39406", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-39406 affects version 4.0.3 of @nuxt/vite-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3" } ] }, { "bom-ref": "urn:uuid:271a7ad1-39c3-5a22-b533-3cc64ca4c06e", "id": "CVE-2026-41305", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41305 affects version 4.0.3 of @nuxt/vite-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3" } ] }, { "bom-ref": "urn:uuid:21cc0691-4183-543e-a735-85e4602069e0", "id": "CVE-2026-42338", "analysis": { "state": "false_positive", "detail": "Vulnerability CVE-2026-42338 is a false positive for @nuxt/vite-builder 4.0.3. false_positive \u2014 CVE-2026-42338 concerns the 'ip-address' npm package, but this repository is the 'nuxt' framework. The affected component (ip-address library) is completely absent from the repository - not as the project itself, not as vendored/bundled code, and not as a declared dependency. This is a wrong-project match." }, "affects": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3" } ] }, { "bom-ref": "urn:uuid:2160a993-fa24-57f2-a761-e91089e3368d", "id": "CVE-2026-44372", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-44372 affects version 4.0.3 of @nuxt/vite-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3" } ] }, { "bom-ref": "urn:uuid:6d4d3412-11a4-5a78-bca9-e4a82ccb84d8", "id": "CVE-2026-44373", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-44373 affects version 4.0.3 of @nuxt/vite-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3" } ] }, { "bom-ref": "urn:uuid:e7580ba3-2bec-5419-a4d8-6d2e78d63f11", "id": "CVE-2026-45670", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-45670 affects version 4.0.3 of @nuxt/vite-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3" } ] }, { "bom-ref": "urn:uuid:a0250abd-3efd-5536-a6ca-7b37a62ffb3f", "id": "CVE-2026-45736", "analysis": { "state": "false_positive", "detail": "Vulnerability CVE-2026-45736 is a false positive for @nuxt/vite-builder 4.0.3. false_positive \u2014 CVE-2026-45736 is a wrong-project match. The advisory concerns the 'ws' WebSocket library for Node.js, but the target repository is Nuxt.js framework. The ws library's source code (specifically lib/sender.js containing the vulnerable WebSocket close implementation) does not exist anywhere in this repository. While ws appears as a transitive dependency in pnpm-lock.yaml, no ws source code is pre..." }, "affects": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3" } ] }, { "bom-ref": "urn:uuid:ab62ab6a-3222-553e-8c62-29798062c9e1", "id": "CVE-2026-47200", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-47200 affects version 4.0.3 of @nuxt/vite-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3" } ] }, { "bom-ref": "urn:uuid:0a35dbcc-8106-5e81-956c-ad2803fbd925", "id": "CVE-2026-49993", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-49993 affects version 4.0.3 of @nuxt/vite-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3" } ] }, { "bom-ref": "urn:uuid:d05f4bb5-1f22-5217-a03c-9b598b79f546", "id": "CVE-2026-53571", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-53571 affects version 4.0.3 of @nuxt/vite-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3" } ] }, { "bom-ref": "urn:uuid:c830879e-1be8-580c-896d-70f1078b3e16", "id": "CVE-2026-53721", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-53721 affects version 4.0.3 of @nuxt/vite-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3" } ] }, { "bom-ref": "urn:uuid:efd0a364-bde9-57ea-bd28-5f8a269c0fe0", "id": "CVE-2026-53722", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-53722 affects version 4.0.3 of @nuxt/vite-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3" } ] }, { "bom-ref": "urn:uuid:1cd4697f-2aee-5787-aeb1-1262df3a0157", "id": "CVE-2026-54285", "analysis": { "state": "false_positive", "detail": "Vulnerability CVE-2026-54285 is a false positive for @nuxt/vite-builder 4.0.3. false_positive \u2014 This CVE concerns @opentelemetry/core (OpenTelemetry JavaScript package), but the target repository is Nuxt (Vue.js framework). The affected component W3CBaggagePropagator is completely absent from this repository. This is a wrong-project match." }, "affects": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3" } ] }, { "bom-ref": "urn:uuid:46565fec-6e58-5154-8d27-436e7ac6d945", "id": "CVE-2026-56326", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-56326 affects version 4.0.3 of @nuxt/vite-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3" } ] }, { "bom-ref": "urn:uuid:ec43194e-7201-51b4-a676-e138381fc643", "id": "GHSA-4hxc-9384-m385", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-4hxc-9384-m385 affects version 4.0.3 of @nuxt/vite-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3" } ] }, { "bom-ref": "urn:uuid:b9c72651-6b6f-5e72-b0e3-5b6e95013a4d", "id": "GHSA-534h-c3cw-v3h9", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-534h-c3cw-v3h9 affects version 4.0.3 of @nuxt/vite-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3" } ] }, { "bom-ref": "urn:uuid:08a93d51-a799-50ea-95c1-ba9f5822b0db", "id": "GHSA-c9cv-mq2m-ppp3", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-c9cv-mq2m-ppp3 affects version 4.0.3 of @nuxt/vite-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3" } ] }, { "bom-ref": "urn:uuid:867af9d9-4c1c-5338-bf30-4d80253f603f", "id": "GHSA-gv7w-rqvm-qjhr", "analysis": { "state": "not_affected", "detail": "Vulnerability GHSA-gv7w-rqvm-qjhr does not affect version 4.0.3 of @nuxt/vite-builder. not_affected \u2014 The target Nuxt repository uses esbuild as a Node.js dependency via npm/pnpm, not the vulnerable Deno module. The vulnerability (GHSA-gv7w-rqvm-qjhr) is specific to esbuild's Deno distribution (lib/deno/mod.ts) which downloads binaries at runtime without integrity verification. The Node.js distribution (lib/npm/node-install.ts) contains robust SHA-256 integrity checks and is not affected. This ..." }, "affects": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3" } ] }, { "bom-ref": "urn:uuid:70ceca9d-a3a6-55a7-a320-61ccbc4765c8", "id": "GHSA-m3q2-p4fw-w38m", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-m3q2-p4fw-w38m affects version 4.0.3 of @nuxt/vite-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3" } ] }, { "bom-ref": "urn:uuid:31421812-5a4e-51b6-9ce7-c05b7559f6a9", "id": "GHSA-q5pr-72pq-83v3", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-q5pr-72pq-83v3 affects version 4.0.3 of @nuxt/vite-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3" } ] }, { "bom-ref": "urn:uuid:1af1884c-bb05-5528-8e26-e67e92ed0ce9", "id": "GHSA-rq7w-g337-39qq", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-rq7w-g337-39qq affects version 4.0.3 of @nuxt/vite-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3" } ] }, { "bom-ref": "urn:uuid:79b5ed1e-61ae-5cf1-8236-5085c6a71314", "id": "GHSA-w5hq-g745-h8pq", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-w5hq-g745-h8pq affects version 4.0.3 of @nuxt/vite-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3" } ] }, { "bom-ref": "urn:uuid:d5c8633a-00ae-5d96-8a86-234468859771", "id": "GHSA-wr4h-v87w-p3r7", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-wr4h-v87w-p3r7 affects version 4.0.3 of @nuxt/vite-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3" } ] }, { "bom-ref": "urn:uuid:0e9fd46e-59f2-5df8-8050-d32a2b3c7cd1", "id": "GHSA-x7mm-9vvv-64w8", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-x7mm-9vvv-64w8 affects version 4.0.3 of @nuxt/vite-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3" } ] } ], "dependencies": [ { "ref": "pkg:npm/%40nuxt/vite-builder@4.0.3" } ] }