{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:3c0e6785-da19-5dbe-aa86-3237bfc13a89", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:npm/%40nuxt/webpack-builder@4.0.3", "type": "library", "name": "@nuxt/webpack-builder", "version": "4.0.3", "purl": "pkg:npm/%40nuxt/webpack-builder@4.0.3" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:fa3528aa-6615-5abb-81f6-dd70ae545740", "id": "CVE-2022-25852", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2022-25852 affects version 4.0.3 of @nuxt/webpack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/webpack-builder@4.0.3" } ] }, { "bom-ref": "urn:uuid:1d7e053a-6e33-5f0e-8ec6-5e1595c392ba", "id": "CVE-2026-25128", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-25128 affects version 4.0.3 of @nuxt/webpack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/webpack-builder@4.0.3" } ] }, { "bom-ref": "urn:uuid:2c483a4a-481b-5394-88f8-437b9bdff6a8", "id": "CVE-2026-32887", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-32887 affects version 4.0.3 of @nuxt/webpack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/webpack-builder@4.0.3" } ] }, { "bom-ref": "urn:uuid:b21fe3bd-9195-5ebd-8be3-9240f84b888d", "id": "CVE-2026-33128", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-33128 affects version 4.0.3 of @nuxt/webpack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/webpack-builder@4.0.3" } ] }, { "bom-ref": "urn:uuid:4e89f437-97b5-5dce-92b9-8beb691f4f3f", "id": "CVE-2026-33129", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-33129 affects version 4.0.3 of @nuxt/webpack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/webpack-builder@4.0.3" } ] }, { "bom-ref": "urn:uuid:e8f6b927-3465-594f-a020-f55923663c7b", "id": "CVE-2026-33131", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-33131 affects version 4.0.3 of @nuxt/webpack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/webpack-builder@4.0.3" } ] }, { "bom-ref": "urn:uuid:12a45acc-104b-502c-a054-371437bac498", "id": "CVE-2026-33490", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-33490 affects version 4.0.3 of @nuxt/webpack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/webpack-builder@4.0.3" } ] }, { "bom-ref": "urn:uuid:6a12005d-6597-5c7e-ab16-f88ef6d38fc8", "id": "CVE-2026-39363", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-39363 affects version 4.0.3 of @nuxt/webpack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/webpack-builder@4.0.3" } ] }, { "bom-ref": "urn:uuid:fdf2fdb4-3e81-5f0e-9a07-b2449504387e", "id": "CVE-2026-39364", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-39364 affects version 4.0.3 of @nuxt/webpack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/webpack-builder@4.0.3" } ] }, { "bom-ref": "urn:uuid:d0bb9989-7ea0-5fb6-8319-f0b4946495f3", "id": "CVE-2026-39365", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-39365 affects version 4.0.3 of @nuxt/webpack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/webpack-builder@4.0.3" } ] }, { "bom-ref": "urn:uuid:21ac708c-392f-54c9-bf50-d88ea73a7693", "id": "CVE-2026-39406", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-39406 affects version 4.0.3 of @nuxt/webpack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/webpack-builder@4.0.3" } ] }, { "bom-ref": "urn:uuid:7ef93bf4-3dfb-50fc-bcb9-8706121c232e", "id": "CVE-2026-41305", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41305 affects version 4.0.3 of @nuxt/webpack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/webpack-builder@4.0.3" } ] }, { "bom-ref": "urn:uuid:9ad0f3c0-4e9c-5298-868d-5cf316fb96e4", "id": "CVE-2026-42338", "analysis": { "state": "false_positive", "detail": "Vulnerability CVE-2026-42338 is a false positive for @nuxt/webpack-builder 4.0.3. false_positive \u2014 CVE-2026-42338 concerns the 'ip-address' npm package, but this repository is the 'nuxt' framework. The affected component (ip-address library) is completely absent from the repository - not as the project itself, not as vendored/bundled code, and not as a declared dependency. This is a wrong-project match." }, "affects": [ { "ref": "pkg:npm/%40nuxt/webpack-builder@4.0.3" } ] }, { "bom-ref": "urn:uuid:bdaca336-3815-51c7-8e33-1da7c51a25f1", "id": "CVE-2026-44372", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-44372 affects version 4.0.3 of @nuxt/webpack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/webpack-builder@4.0.3" } ] }, { "bom-ref": "urn:uuid:69802485-005b-5885-bc63-4e9b6a71d7d1", "id": "CVE-2026-44373", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-44373 affects version 4.0.3 of @nuxt/webpack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/webpack-builder@4.0.3" } ] }, { "bom-ref": "urn:uuid:94a30234-5ecc-5cb7-9a20-74e5f201ae19", "id": "CVE-2026-45670", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-45670 affects version 4.0.3 of @nuxt/webpack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/webpack-builder@4.0.3" } ] }, { "bom-ref": "urn:uuid:23cd3cb3-f67b-5b4e-8f74-a31f989a8484", "id": "CVE-2026-45736", "analysis": { "state": "false_positive", "detail": "Vulnerability CVE-2026-45736 is a false positive for @nuxt/webpack-builder 4.0.3. false_positive \u2014 CVE-2026-45736 is a wrong-project match. The advisory concerns the 'ws' WebSocket library for Node.js, but the target repository is Nuxt.js framework. The ws library's source code (specifically lib/sender.js containing the vulnerable WebSocket close implementation) does not exist anywhere in this repository. While ws appears as a transitive dependency in pnpm-lock.yaml, no ws source code is pre..." }, "affects": [ { "ref": "pkg:npm/%40nuxt/webpack-builder@4.0.3" } ] }, { "bom-ref": "urn:uuid:c797746e-bb7b-54bc-9ef8-2ca6088a204e", "id": "CVE-2026-47200", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-47200 affects version 4.0.3 of @nuxt/webpack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/webpack-builder@4.0.3" } ] }, { "bom-ref": "urn:uuid:79aea97a-9f74-522d-8660-91c8999ed16f", "id": "CVE-2026-49993", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-49993 affects version 4.0.3 of @nuxt/webpack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/webpack-builder@4.0.3" } ] }, { "bom-ref": "urn:uuid:f98310e6-c7a6-5ff9-8dbb-0a7441ad3633", "id": "CVE-2026-53571", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-53571 affects version 4.0.3 of @nuxt/webpack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/webpack-builder@4.0.3" } ] }, { "bom-ref": "urn:uuid:ae02063e-573b-518c-9d5b-015c069badc6", "id": "CVE-2026-53721", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-53721 affects version 4.0.3 of @nuxt/webpack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/webpack-builder@4.0.3" } ] }, { "bom-ref": "urn:uuid:e30af307-23a2-5d80-8334-bb03d68a15de", "id": "CVE-2026-53722", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-53722 affects version 4.0.3 of @nuxt/webpack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/webpack-builder@4.0.3" } ] }, { "bom-ref": "urn:uuid:0fb526c8-727b-595c-a639-19c831712649", "id": "CVE-2026-54285", "analysis": { "state": "false_positive", "detail": "Vulnerability CVE-2026-54285 is a false positive for @nuxt/webpack-builder 4.0.3. false_positive \u2014 This CVE concerns @opentelemetry/core (OpenTelemetry JavaScript package), but the target repository is Nuxt (Vue.js framework). The affected component W3CBaggagePropagator is completely absent from this repository. This is a wrong-project match." }, "affects": [ { "ref": "pkg:npm/%40nuxt/webpack-builder@4.0.3" } ] }, { "bom-ref": "urn:uuid:544fac7f-544d-5f80-b14e-0a7032e235ab", "id": "CVE-2026-56326", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-56326 affects version 4.0.3 of @nuxt/webpack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/webpack-builder@4.0.3" } ] }, { "bom-ref": "urn:uuid:a7ce645f-d6e0-5cad-b492-489dfed5bd63", "id": "GHSA-4hxc-9384-m385", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-4hxc-9384-m385 affects version 4.0.3 of @nuxt/webpack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/webpack-builder@4.0.3" } ] }, { "bom-ref": "urn:uuid:88895a8b-3e2b-5220-9a90-87e5a2541fff", "id": "GHSA-534h-c3cw-v3h9", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-534h-c3cw-v3h9 affects version 4.0.3 of @nuxt/webpack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/webpack-builder@4.0.3" } ] }, { "bom-ref": "urn:uuid:1c710676-e99d-5bdc-8aa3-8863689726df", "id": "GHSA-c9cv-mq2m-ppp3", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-c9cv-mq2m-ppp3 affects version 4.0.3 of @nuxt/webpack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/webpack-builder@4.0.3" } ] }, { "bom-ref": "urn:uuid:ea36b90a-1a11-57e8-ac3e-6f0dba934d3d", "id": "GHSA-gv7w-rqvm-qjhr", "analysis": { "state": "not_affected", "detail": "Vulnerability GHSA-gv7w-rqvm-qjhr does not affect version 4.0.3 of @nuxt/webpack-builder. not_affected \u2014 The target Nuxt repository uses esbuild as a Node.js dependency via npm/pnpm, not the vulnerable Deno module. The vulnerability (GHSA-gv7w-rqvm-qjhr) is specific to esbuild's Deno distribution (lib/deno/mod.ts) which downloads binaries at runtime without integrity verification. The Node.js distribution (lib/npm/node-install.ts) contains robust SHA-256 integrity checks and is not affected. This ..." }, "affects": [ { "ref": "pkg:npm/%40nuxt/webpack-builder@4.0.3" } ] }, { "bom-ref": "urn:uuid:851905ef-d9d7-53f9-bbf9-c5163ea205b5", "id": "GHSA-m3q2-p4fw-w38m", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-m3q2-p4fw-w38m affects version 4.0.3 of @nuxt/webpack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/webpack-builder@4.0.3" } ] }, { "bom-ref": "urn:uuid:32953503-7d54-5040-b4d3-0e966fcde9b9", "id": "GHSA-q5pr-72pq-83v3", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-q5pr-72pq-83v3 affects version 4.0.3 of @nuxt/webpack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/webpack-builder@4.0.3" } ] }, { "bom-ref": "urn:uuid:ad7ae127-ae79-547a-89d8-8720add0f27a", "id": "GHSA-rq7w-g337-39qq", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-rq7w-g337-39qq affects version 4.0.3 of @nuxt/webpack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/webpack-builder@4.0.3" } ] }, { "bom-ref": "urn:uuid:7aea654c-a06b-5f42-b3f6-dd8fb0844e17", "id": "GHSA-w5hq-g745-h8pq", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-w5hq-g745-h8pq affects version 4.0.3 of @nuxt/webpack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/webpack-builder@4.0.3" } ] }, { "bom-ref": "urn:uuid:19d98035-d05d-5ccb-82b4-eb90d26b76e1", "id": "GHSA-wr4h-v87w-p3r7", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-wr4h-v87w-p3r7 affects version 4.0.3 of @nuxt/webpack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/webpack-builder@4.0.3" } ] }, { "bom-ref": "urn:uuid:e71c3d76-6a98-542c-8ebd-3215282a7a00", "id": "GHSA-x7mm-9vvv-64w8", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-x7mm-9vvv-64w8 affects version 4.0.3 of @nuxt/webpack-builder." }, "affects": [ { "ref": "pkg:npm/%40nuxt/webpack-builder@4.0.3" } ] } ], "dependencies": [ { "ref": "pkg:npm/%40nuxt/webpack-builder@4.0.3" } ] }