{
  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "serialNumber": "urn:uuid:546a52c5-3416-5dbf-83dc-e877da830339",
  "version": 1,
  "metadata": {
    "tools": [
      {
        "name": "tuxcare-vex-generator",
        "version": "1.0.0"
      }
    ]
  },
  "components": [
    {
      "bom-ref": "pkg:npm/dompurify@2.4.0",
      "type": "library",
      "name": "dompurify",
      "version": "2.4.0",
      "purl": "pkg:npm/dompurify@2.4.0"
    }
  ],
  "vulnerabilities": [
    {
      "bom-ref": "urn:uuid:dd5ac8e1-ae22-53cc-8e11-cddae17360cd",
      "id": "CVE-2026-0540",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-0540 affects version 2.4.0 of dompurify."
      },
      "affects": [
        {
          "ref": "pkg:npm/dompurify@2.4.0"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:87f847a8-5ef9-5c01-ae16-1ee63f006e28",
      "id": "CVE-2026-49458",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-49458 affects version 2.4.0 of dompurify."
      },
      "affects": [
        {
          "ref": "pkg:npm/dompurify@2.4.0"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:98d70281-7c70-50de-86f6-107c35cfb77f",
      "id": "CVE-2026-49459",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2026-49459 does not affect version 2.4.0 of dompurify. Analysis result: already_fixed \u2014 the analyzed target (DOMPurify 2.4.0-tuxcare.1) is NOT vulnerable to CVE-2026-49459. Although it lacks the vendor's realm-independent clobbering detection added in patches f6a7eb8/7996f1d/89da34e, the target has an alternative defense at the IN_PLACE entry point that prevents the attack. The defense at src/purify.js:1407-1416 rejects clobbered forms by throwing an error when dirty.nodeName stringifies to a..."
      },
      "affects": [
        {
          "ref": "pkg:npm/dompurify@2.4.0"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:93e335d7-ff1a-5573-9cb9-4128eaac09b5",
      "id": "CVE-2026-49978",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-49978 affects version 2.4.0 of dompurify."
      },
      "affects": [
        {
          "ref": "pkg:npm/dompurify@2.4.0"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:13a5fa08-2e68-58d8-8db1-f02859b14037",
      "id": "GHSA-76mc-f452-cxcm",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability GHSA-76mc-f452-cxcm affects version 2.4.0 of dompurify."
      },
      "affects": [
        {
          "ref": "pkg:npm/dompurify@2.4.0"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:152f8e09-c2a5-5464-bf0b-715c09ca39ea",
      "id": "GHSA-cmwh-pvxp-8882",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability GHSA-cmwh-pvxp-8882 affects version 2.4.0 of dompurify."
      },
      "affects": [
        {
          "ref": "pkg:npm/dompurify@2.4.0"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:d2fd91f5-8034-56f9-9c06-115f5ff8422e",
      "id": "GHSA-gvmj-g25r-r7wr",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability GHSA-gvmj-g25r-r7wr affects version 2.4.0 of dompurify."
      },
      "affects": [
        {
          "ref": "pkg:npm/dompurify@2.4.0"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:80be00a6-c426-5298-8f7f-52dedcbeea8d",
      "id": "GHSA-vxr8-fq34-vvx9",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability GHSA-vxr8-fq34-vvx9 does not affect version 2.4.0 of dompurify. Analysis result: not_affected \u2014 DOMPurify version 2.4.0 is not affected by GHSA-vxr8-fq34-vvx9. The vulnerability requires the TRUSTED_TYPES_POLICY configuration option, which allows caller-supplied Trusted Types policies to persist across configuration boundaries. This feature was introduced in version 3.0.3 (May 2023), nine months after version 2.4.0 was released (August 2022). Version 2.4.0 uses only a hardcoded, immutable Tru..."
      },
      "affects": [
        {
          "ref": "pkg:npm/dompurify@2.4.0"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:84cef1e0-4e6f-5b03-b50e-6136b9507e81",
      "id": "GHSA-x4vx-rjvf-j5p4",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability GHSA-x4vx-rjvf-j5p4 affects version 2.4.0 of dompurify."
      },
      "affects": [
        {
          "ref": "pkg:npm/dompurify@2.4.0"
        }
      ]
    }
  ],
  "dependencies": [
    {
      "ref": "pkg:npm/dompurify@2.4.0"
    }
  ]
}