{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:39f27e45-ab99-5428-92db-f01a7c09aff0", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:npm/%40nuxt/webpack-builder@4.0.3-tuxcare.3", "type": "library", "name": "@nuxt/webpack-builder", "version": "4.0.3-tuxcare.3", "purl": "pkg:npm/%40nuxt/webpack-builder@4.0.3-tuxcare.3" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:4ea50c2f-ee5b-543c-af8e-0a11cbd10a87", "id": "CVE-2022-21670", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-21670 is fixed in version 4.0.3-tuxcare.3 of @nuxt/webpack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/webpack-builder@4.0.3-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:84df645e-c068-5ad8-ba6d-d33e25363012", "id": "CVE-2022-25852", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2022-25852 affects version 4.0.3-tuxcare.3 of @nuxt/webpack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/webpack-builder@4.0.3-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:d7d38072-8f5a-580a-aa19-203b55afd26f", "id": "CVE-2025-59414", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-59414 is fixed in version 4.0.3-tuxcare.3 of @nuxt/webpack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/webpack-builder@4.0.3-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:c1416d88-5be5-5e16-b508-4ef2b7b53126", "id": "CVE-2026-25128", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-25128 affects version 4.0.3-tuxcare.3 of @nuxt/webpack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/webpack-builder@4.0.3-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:53033115-c672-51b7-aeac-f641f0c5c9fb", "id": "CVE-2026-32887", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-32887 affects version 4.0.3-tuxcare.3 of @nuxt/webpack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/webpack-builder@4.0.3-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:4c5eb631-48b9-5b49-9171-7362b861d38f", "id": "CVE-2026-33128", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-33128 affects version 4.0.3-tuxcare.3 of @nuxt/webpack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/webpack-builder@4.0.3-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:cf1f3d49-3351-56af-b0eb-3775f8da6a92", "id": "CVE-2026-33129", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-33129 affects version 4.0.3-tuxcare.3 of @nuxt/webpack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/webpack-builder@4.0.3-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:8973ca5f-8329-578d-9295-33802015ab38", "id": "CVE-2026-33131", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-33131 affects version 4.0.3-tuxcare.3 of @nuxt/webpack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/webpack-builder@4.0.3-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:4bdb65db-615d-5e22-9275-7302602899ca", "id": "CVE-2026-33490", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-33490 affects version 4.0.3-tuxcare.3 of @nuxt/webpack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/webpack-builder@4.0.3-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:0e812536-abdb-52ef-99d2-af0389314621", "id": "CVE-2026-39363", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-39363 affects version 4.0.3-tuxcare.3 of @nuxt/webpack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/webpack-builder@4.0.3-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:822f4ba0-4e34-5cf7-9c6f-664d6abac519", "id": "CVE-2026-39364", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-39364 affects version 4.0.3-tuxcare.3 of @nuxt/webpack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/webpack-builder@4.0.3-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:853b4187-8520-54ef-91f2-d7e5c1e0a199", "id": "CVE-2026-39365", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-39365 affects version 4.0.3-tuxcare.3 of @nuxt/webpack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/webpack-builder@4.0.3-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:a69e672c-e1c7-55be-8000-4e4546fbc26a", "id": "CVE-2026-39406", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-39406 affects version 4.0.3-tuxcare.3 of @nuxt/webpack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/webpack-builder@4.0.3-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:63268dbb-e64f-5238-9996-57168629479b", "id": "CVE-2026-41305", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41305 affects version 4.0.3-tuxcare.3 of @nuxt/webpack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/webpack-builder@4.0.3-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:8dd7810e-d9b8-5148-a164-11bfc9eeb6c3", "id": "CVE-2026-42338", "analysis": { "state": "false_positive", "detail": "Vulnerability CVE-2026-42338 is a false positive for @nuxt/webpack-builder 4.0.3-tuxcare.3. false_positive \u2014 CVE-2026-42338 concerns the 'ip-address' npm package, but this repository is the 'nuxt' framework. The affected component (ip-address library) is completely absent from the repository - not as the project itself, not as vendored/bundled code, and not as a declared dependency. This is a wrong-project match." }, "affects": [ { "ref": "pkg:npm/%40nuxt/webpack-builder@4.0.3-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:fd7df3bb-e0f1-538a-9d49-59594e870870", "id": "CVE-2026-44372", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-44372 affects version 4.0.3-tuxcare.3 of @nuxt/webpack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/webpack-builder@4.0.3-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:0b9d0a44-216a-5c44-b848-1ebcc698eb00", "id": "CVE-2026-44373", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-44373 affects version 4.0.3-tuxcare.3 of @nuxt/webpack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/webpack-builder@4.0.3-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:f724a376-55ce-544d-8181-a6bfe6e78862", "id": "CVE-2026-45669", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-45669 is fixed in version 4.0.3-tuxcare.3 of @nuxt/webpack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/webpack-builder@4.0.3-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:7cab5126-aeaf-5cd6-a978-dc7fc8ea8551", "id": "CVE-2026-45670", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-45670 affects version 4.0.3-tuxcare.3 of @nuxt/webpack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/webpack-builder@4.0.3-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:5398629e-2700-5fce-8f91-2d87adf93c30", "id": "CVE-2026-45736", "analysis": { "state": "false_positive", "detail": "Vulnerability CVE-2026-45736 is a false positive for @nuxt/webpack-builder 4.0.3-tuxcare.3. false_positive \u2014 CVE-2026-45736 is a wrong-project match. The advisory concerns the 'ws' WebSocket library for Node.js, but the target repository is Nuxt.js framework. The ws library's source code (specifically lib/sender.js containing the vulnerable WebSocket close implementation) does not exist anywhere in this repository. While ws appears as a transitive dependency in pnpm-lock.yaml, no ws source code is pre..." }, "affects": [ { "ref": "pkg:npm/%40nuxt/webpack-builder@4.0.3-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:bff77081-ddfe-545c-872f-ecc71287f442", "id": "CVE-2026-46342", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-46342 is fixed in version 4.0.3-tuxcare.3 of @nuxt/webpack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/webpack-builder@4.0.3-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:77e5a372-9f6b-5564-9352-9fa9381f8e3c", "id": "CVE-2026-47200", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-47200 affects version 4.0.3-tuxcare.3 of @nuxt/webpack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/webpack-builder@4.0.3-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:e3b51c4f-e3b4-570b-95d7-be6622c309d7", "id": "CVE-2026-49993", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-49993 affects version 4.0.3-tuxcare.3 of @nuxt/webpack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/webpack-builder@4.0.3-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:624543cb-092e-5758-a2c2-8ceece7f5ccb", "id": "CVE-2026-53571", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-53571 affects version 4.0.3-tuxcare.3 of @nuxt/webpack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/webpack-builder@4.0.3-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:81b576cb-6409-5f0d-90a2-1c31af39b5f6", "id": "CVE-2026-53721", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-53721 affects version 4.0.3-tuxcare.3 of @nuxt/webpack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/webpack-builder@4.0.3-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:858a2110-cddb-5e51-b785-5e70a898e0f3", "id": "CVE-2026-53722", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-53722 affects version 4.0.3-tuxcare.3 of @nuxt/webpack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/webpack-builder@4.0.3-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:21fbe921-c42d-5c56-8a55-620501b6dc61", "id": "CVE-2026-54285", "analysis": { "state": "false_positive", "detail": "Vulnerability CVE-2026-54285 is a false positive for @nuxt/webpack-builder 4.0.3-tuxcare.3. false_positive \u2014 This CVE concerns @opentelemetry/core (OpenTelemetry JavaScript package), but the target repository is Nuxt (Vue.js framework). The affected component W3CBaggagePropagator is completely absent from this repository. This is a wrong-project match." }, "affects": [ { "ref": "pkg:npm/%40nuxt/webpack-builder@4.0.3-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:bce0acbc-232e-520d-9d86-460cd73f804e", "id": "CVE-2026-56326", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-56326 affects version 4.0.3-tuxcare.3 of @nuxt/webpack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/webpack-builder@4.0.3-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:de6094fc-6a9e-5ff5-824e-f0f256d4a39c", "id": "GHSA-4hxc-9384-m385", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-4hxc-9384-m385 affects version 4.0.3-tuxcare.3 of @nuxt/webpack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/webpack-builder@4.0.3-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:3b4cfbcd-e490-56f5-9d6b-7a15d16ac9e2", "id": "GHSA-534h-c3cw-v3h9", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-534h-c3cw-v3h9 affects version 4.0.3-tuxcare.3 of @nuxt/webpack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/webpack-builder@4.0.3-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:7ecf112e-4072-51d8-a9ce-ceb86b7e36d9", "id": "GHSA-c9cv-mq2m-ppp3", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-c9cv-mq2m-ppp3 affects version 4.0.3-tuxcare.3 of @nuxt/webpack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/webpack-builder@4.0.3-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:0832a66d-0260-505b-9580-de009f7d34d5", "id": "GHSA-gv7w-rqvm-qjhr", "analysis": { "state": "not_affected", "detail": "Vulnerability GHSA-gv7w-rqvm-qjhr does not affect version 4.0.3-tuxcare.3 of @nuxt/webpack-builder. not_affected \u2014 The target Nuxt repository uses esbuild as a Node.js dependency via npm/pnpm, not the vulnerable Deno module. The vulnerability (GHSA-gv7w-rqvm-qjhr) is specific to esbuild's Deno distribution (lib/deno/mod.ts) which downloads binaries at runtime without integrity verification. The Node.js distribution (lib/npm/node-install.ts) contains robust SHA-256 integrity checks and is not affected. This ..." }, "affects": [ { "ref": "pkg:npm/%40nuxt/webpack-builder@4.0.3-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:eaaa289c-79e4-5efc-8412-4c85823f044e", "id": "GHSA-m3q2-p4fw-w38m", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-m3q2-p4fw-w38m affects version 4.0.3-tuxcare.3 of @nuxt/webpack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/webpack-builder@4.0.3-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:74a302ae-b6b0-52c8-85b4-027a9c19dd42", "id": "GHSA-q5pr-72pq-83v3", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-q5pr-72pq-83v3 affects version 4.0.3-tuxcare.3 of @nuxt/webpack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/webpack-builder@4.0.3-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:8a932758-a784-5bfe-9286-8414ebc0f0cb", "id": "GHSA-rq7w-g337-39qq", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-rq7w-g337-39qq affects version 4.0.3-tuxcare.3 of @nuxt/webpack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/webpack-builder@4.0.3-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:d7e51118-523c-5110-bcec-dd170963ae7b", "id": "GHSA-w5hq-g745-h8pq", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-w5hq-g745-h8pq affects version 4.0.3-tuxcare.3 of @nuxt/webpack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/webpack-builder@4.0.3-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:c31fb84f-d9ed-502e-b4c5-a4c7e753ac79", "id": "GHSA-wr4h-v87w-p3r7", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-wr4h-v87w-p3r7 affects version 4.0.3-tuxcare.3 of @nuxt/webpack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/webpack-builder@4.0.3-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:f59f7848-177e-5ee5-aa19-7febacfb05de", "id": "GHSA-x7mm-9vvv-64w8", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-x7mm-9vvv-64w8 affects version 4.0.3-tuxcare.3 of @nuxt/webpack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/webpack-builder@4.0.3-tuxcare.3" } ] } ], "dependencies": [ { "ref": "pkg:npm/%40nuxt/webpack-builder@4.0.3-tuxcare.3" } ] }