{
  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "serialNumber": "urn:uuid:37577ad9-2ed7-59d3-a1fc-6a6471e8c180",
  "version": 1,
  "metadata": {
    "tools": [
      {
        "name": "tuxcare-vex-generator",
        "version": "1.0.0"
      }
    ]
  },
  "components": [
    {
      "bom-ref": "pkg:npm/ckeditor4@4.17.1",
      "type": "library",
      "name": "ckeditor4",
      "version": "4.17.1",
      "purl": "pkg:npm/ckeditor4@4.17.1"
    }
  ],
  "vulnerabilities": [
    {
      "bom-ref": "urn:uuid:b044dc8e-a1ff-55e2-8a60-85bd7781344f",
      "id": "CVE-2024-24815",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2024-24815 affects version 4.17.1 of ckeditor4."
      },
      "affects": [
        {
          "ref": "pkg:npm/ckeditor4@4.17.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:2c48c426-8c69-518d-ba8b-ba8b6fa3f891",
      "id": "CVE-2024-24816",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2024-24816 does not affect version 4.17.1 of ckeditor4 as provided by this CKEditor4 ELS repository. Reason: already_fixed \u2014 CVE-2024-24816 has been addressed in this CKEditor4 ELS repository via TuxCare backport commit 7f3cd307 (dated 2026-06-25). The fix blocks preview content globally in all sample files and normalizes closing tag names in the core parser. The primary defense (preview blocking) matches the upstream vendor's mitigation strategy and prevents XSS exploitation via the preview feature."
      },
      "affects": [
        {
          "ref": "pkg:npm/ckeditor4@4.17.1"
        }
      ]
    }
  ],
  "dependencies": [
    {
      "ref": "pkg:npm/ckeditor4@4.17.1"
    }
  ]
}