{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:cfc530ce-ca63-5adc-acd6-451a6febefd4", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:npm/dompurify@2.5.8-tuxcare.2", "type": "library", "name": "dompurify", "version": "2.5.8-tuxcare.2", "purl": "pkg:npm/dompurify@2.5.8-tuxcare.2" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:c4fc3018-797f-5629-bd8d-4eb997736a3c", "id": "CVE-2025-15599", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-15599 is fixed in version 2.5.8-tuxcare.2 of dompurify." }, "affects": [ { "ref": "pkg:npm/dompurify@2.5.8-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:51c97fb3-0630-5bd6-ace7-328b2c7556c1", "id": "CVE-2025-26791", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-26791 is fixed in version 2.5.8-tuxcare.2 of dompurify." }, "affects": [ { "ref": "pkg:npm/dompurify@2.5.8-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:d03ea51a-e18a-5630-a184-c9dc709a5b5b", "id": "CVE-2026-0540", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-0540 affects version 2.5.8-tuxcare.2 of dompurify." }, "affects": [ { "ref": "pkg:npm/dompurify@2.5.8-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:ce0126d7-de36-5970-88f6-dbbb8dbf3f47", "id": "CVE-2026-41239", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41239 affects version 2.5.8-tuxcare.2 of dompurify." }, "affects": [ { "ref": "pkg:npm/dompurify@2.5.8-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:671e0d54-126c-5d40-95da-201c2900c235", "id": "CVE-2026-41240", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41240 affects version 2.5.8-tuxcare.2 of dompurify." }, "affects": [ { "ref": "pkg:npm/dompurify@2.5.8-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:d226443e-7010-53c4-a169-5b3c860a954a", "id": "CVE-2026-49458", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-49458 affects version 2.5.8-tuxcare.2 of dompurify." }, "affects": [ { "ref": "pkg:npm/dompurify@2.5.8-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:5a94dafd-2e2f-5263-a2aa-c1276a3a8c10", "id": "CVE-2026-49459", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-49459 affects version 2.5.8-tuxcare.2 of dompurify." }, "affects": [ { "ref": "pkg:npm/dompurify@2.5.8-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:d5bbed10-5107-557d-aa61-62ae941d415f", "id": "CVE-2026-49978", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-49978 affects version 2.5.8-tuxcare.2 of dompurify." }, "affects": [ { "ref": "pkg:npm/dompurify@2.5.8-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:2ced2403-bb9b-5314-9112-28d3204bdedb", "id": "GHSA-39q2-94rc-95cp", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-39q2-94rc-95cp affects version 2.5.8-tuxcare.2 of dompurify." }, "affects": [ { "ref": "pkg:npm/dompurify@2.5.8-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:21c808f4-5ee5-5467-9726-98eec118ef85", "id": "GHSA-76mc-f452-cxcm", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-76mc-f452-cxcm affects version 2.5.8-tuxcare.2 of dompurify." }, "affects": [ { "ref": "pkg:npm/dompurify@2.5.8-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:f34841c5-deca-5a8c-9c6f-4d8b86b31c01", "id": "GHSA-cj63-jhhr-wcxv", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-cj63-jhhr-wcxv affects version 2.5.8-tuxcare.2 of dompurify." }, "affects": [ { "ref": "pkg:npm/dompurify@2.5.8-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:737b88a4-ccc1-5e3b-b815-d98555683b55", "id": "GHSA-cjmm-f4jc-qw8r", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-cjmm-f4jc-qw8r affects version 2.5.8-tuxcare.2 of dompurify." }, "affects": [ { "ref": "pkg:npm/dompurify@2.5.8-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:08238437-fc93-57a3-9db9-c327d0fb7120", "id": "GHSA-cmwh-pvxp-8882", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-cmwh-pvxp-8882 affects version 2.5.8-tuxcare.2 of dompurify." }, "affects": [ { "ref": "pkg:npm/dompurify@2.5.8-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:06d9adbe-4bae-5a66-b4ce-2a9abeab9aa9", "id": "GHSA-gvmj-g25r-r7wr", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-gvmj-g25r-r7wr affects version 2.5.8-tuxcare.2 of dompurify." }, "affects": [ { "ref": "pkg:npm/dompurify@2.5.8-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:510f5dcb-17de-5dc3-a6fa-293623770ce9", "id": "GHSA-h8r8-wccr-v5f2", "analysis": { "state": "resolved", "detail": "Vulnerability GHSA-h8r8-wccr-v5f2 is fixed in version 2.5.8-tuxcare.2 of dompurify." }, "affects": [ { "ref": "pkg:npm/dompurify@2.5.8-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:15958012-eff2-5be9-b1ca-2e2c23580f20", "id": "GHSA-vxr8-fq34-vvx9", "analysis": { "state": "not_affected", "detail": "Vulnerability GHSA-vxr8-fq34-vvx9 does not affect version 2.5.8-tuxcare.2 of dompurify. not_affected \u2014 DOMPurify 2.5.8-tuxcare.2 is not affected by GHSA-vxr8-fq34-vvx9. The vulnerability requires the TRUSTED_TYPES_POLICY configuration option, which does not exist in version 2.5.8. The target uses an immutable const trustedTypesPolicy initialized once at factory creation, making the attack vector (caller-supplied policy surviving clearConfig) impossible." }, "affects": [ { "ref": "pkg:npm/dompurify@2.5.8-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:f2262d50-1127-5e9f-a830-e34b4b30c221", "id": "GHSA-x4vx-rjvf-j5p4", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-x4vx-rjvf-j5p4 affects version 2.5.8-tuxcare.2 of dompurify." }, "affects": [ { "ref": "pkg:npm/dompurify@2.5.8-tuxcare.2" } ] } ], "dependencies": [ { "ref": "pkg:npm/dompurify@2.5.8-tuxcare.2" } ] }