{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:3a340d0b-9640-58d4-94e7-e50caa93adba", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:npm/dompurify@2.3.0", "type": "library", "name": "dompurify", "version": "2.3.0", "purl": "pkg:npm/dompurify@2.3.0" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:895beadf-8b26-564e-9e76-927d494b34cd", "id": "CVE-2026-0540", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-0540 affects version 2.3.0 of dompurify." }, "affects": [ { "ref": "pkg:npm/dompurify@2.3.0" } ] }, { "bom-ref": "urn:uuid:853b3b5a-14df-5032-899f-814f5e05f344", "id": "CVE-2026-41239", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41239 affects version 2.3.0 of dompurify." }, "affects": [ { "ref": "pkg:npm/dompurify@2.3.0" } ] }, { "bom-ref": "urn:uuid:2a5cd409-cfe6-54ca-992b-e9188bdc04cd", "id": "CVE-2026-41240", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41240 affects version 2.3.0 of dompurify." }, "affects": [ { "ref": "pkg:npm/dompurify@2.3.0" } ] }, { "bom-ref": "urn:uuid:e0e78506-7fb7-56bb-a38f-456c62d2f5d1", "id": "CVE-2026-49458", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-49458 affects version 2.3.0 of dompurify." }, "affects": [ { "ref": "pkg:npm/dompurify@2.3.0" } ] }, { "bom-ref": "urn:uuid:98503e83-7279-50f8-b3c0-07858576ccc7", "id": "CVE-2026-49459", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-49459 affects version 2.3.0 of dompurify." }, "affects": [ { "ref": "pkg:npm/dompurify@2.3.0" } ] }, { "bom-ref": "urn:uuid:9f4c10fb-ef23-52f3-8479-79c6454a2338", "id": "CVE-2026-49978", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-49978 affects version 2.3.0 of dompurify." }, "affects": [ { "ref": "pkg:npm/dompurify@2.3.0" } ] }, { "bom-ref": "urn:uuid:6801d835-1c0b-5790-abc9-6ce5fb8777dd", "id": "GHSA-39q2-94rc-95cp", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-39q2-94rc-95cp affects version 2.3.0 of dompurify." }, "affects": [ { "ref": "pkg:npm/dompurify@2.3.0" } ] }, { "bom-ref": "urn:uuid:38f6190e-7663-5b22-99b0-68d7a36daec8", "id": "GHSA-76mc-f452-cxcm", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-76mc-f452-cxcm affects version 2.3.0 of dompurify." }, "affects": [ { "ref": "pkg:npm/dompurify@2.3.0" } ] }, { "bom-ref": "urn:uuid:5e6fab37-fb8b-5fa9-aba3-debc412b0375", "id": "GHSA-cj63-jhhr-wcxv", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-cj63-jhhr-wcxv affects version 2.3.0 of dompurify." }, "affects": [ { "ref": "pkg:npm/dompurify@2.3.0" } ] }, { "bom-ref": "urn:uuid:554fb846-ad8b-53fd-9a99-b22969788026", "id": "GHSA-cjmm-f4jc-qw8r", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-cjmm-f4jc-qw8r affects version 2.3.0 of dompurify." }, "affects": [ { "ref": "pkg:npm/dompurify@2.3.0" } ] }, { "bom-ref": "urn:uuid:6ea074a3-4901-54a4-a738-23ae6d36dfaf", "id": "GHSA-cmwh-pvxp-8882", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-cmwh-pvxp-8882 affects version 2.3.0 of dompurify." }, "affects": [ { "ref": "pkg:npm/dompurify@2.3.0" } ] }, { "bom-ref": "urn:uuid:a5e5e916-d3b9-5a6a-9231-21fd467ed9ea", "id": "GHSA-gvmj-g25r-r7wr", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-gvmj-g25r-r7wr affects version 2.3.0 of dompurify." }, "affects": [ { "ref": "pkg:npm/dompurify@2.3.0" } ] }, { "bom-ref": "urn:uuid:233865a8-2f51-52ed-b963-4a4d3c955d39", "id": "GHSA-h8r8-wccr-v5f2", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-h8r8-wccr-v5f2 affects version 2.3.0 of dompurify." }, "affects": [ { "ref": "pkg:npm/dompurify@2.3.0" } ] }, { "bom-ref": "urn:uuid:a1850de1-f6f5-5366-bc10-ed31066e697c", "id": "GHSA-vxr8-fq34-vvx9", "analysis": { "state": "not_affected", "detail": "Vulnerability GHSA-vxr8-fq34-vvx9 does not affect version 2.3.0 of dompurify. not_affected \u2014 DOMPurify version 2.3.0-tuxcare.1 is not affected by GHSA-vxr8-fq34-vvx9 (Trusted Types policy persistence across clearConfig). The vulnerability requires the configurable TRUSTED_TYPES_POLICY feature, which was not introduced until version 3.0.3. In version 2.3.0, the trustedTypesPolicy is a const variable initialized once at module creation and cannot be overridden or configured by callers." }, "affects": [ { "ref": "pkg:npm/dompurify@2.3.0" } ] }, { "bom-ref": "urn:uuid:0ee12fa0-e912-5e73-bd1f-5b46525ebc1e", "id": "GHSA-x4vx-rjvf-j5p4", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-x4vx-rjvf-j5p4 affects version 2.3.0 of dompurify." }, "affects": [ { "ref": "pkg:npm/dompurify@2.3.0" } ] } ], "dependencies": [ { "ref": "pkg:npm/dompurify@2.3.0" } ] }