{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:92e85d03-c3c1-5199-8a24-7e621244e040", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:npm/dompurify@2.5.9", "type": "library", "name": "dompurify", "version": "2.5.9", "purl": "pkg:npm/dompurify@2.5.9" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:9ded1de7-80e1-5f41-99bf-2c92f9881817", "id": "CVE-2025-26791", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-26791 affects version 2.5.9 of dompurify." }, "affects": [ { "ref": "pkg:npm/dompurify@2.5.9" } ] }, { "bom-ref": "urn:uuid:37416aba-d0ef-5484-9ae6-1c1df4d88b7d", "id": "CVE-2026-0540", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-0540 affects version 2.5.9 of dompurify." }, "affects": [ { "ref": "pkg:npm/dompurify@2.5.9" } ] }, { "bom-ref": "urn:uuid:37c4d5b2-f64c-5847-8541-005ebe909cf4", "id": "CVE-2026-41239", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41239 affects version 2.5.9 of dompurify." }, "affects": [ { "ref": "pkg:npm/dompurify@2.5.9" } ] }, { "bom-ref": "urn:uuid:880c4557-306a-5a4a-9d63-4cabd53dcc42", "id": "CVE-2026-41240", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41240 affects version 2.5.9 of dompurify." }, "affects": [ { "ref": "pkg:npm/dompurify@2.5.9" } ] }, { "bom-ref": "urn:uuid:f5552eb3-cec4-5fca-aa8c-0b3d8e39fa54", "id": "CVE-2026-49458", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-49458 affects version 2.5.9 of dompurify." }, "affects": [ { "ref": "pkg:npm/dompurify@2.5.9" } ] }, { "bom-ref": "urn:uuid:daa8a737-5775-5a56-9c41-a6de890cb46b", "id": "CVE-2026-49459", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-49459 affects version 2.5.9 of dompurify." }, "affects": [ { "ref": "pkg:npm/dompurify@2.5.9" } ] }, { "bom-ref": "urn:uuid:24957caa-e967-523a-a3bc-7d8703f1d57c", "id": "CVE-2026-49978", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-49978 affects version 2.5.9 of dompurify." }, "affects": [ { "ref": "pkg:npm/dompurify@2.5.9" } ] }, { "bom-ref": "urn:uuid:1b746ed7-46da-5828-87e7-ea5017f65774", "id": "GHSA-39q2-94rc-95cp", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-39q2-94rc-95cp affects version 2.5.9 of dompurify." }, "affects": [ { "ref": "pkg:npm/dompurify@2.5.9" } ] }, { "bom-ref": "urn:uuid:6ddfe28b-d764-5bbf-837f-76475196c36e", "id": "GHSA-76mc-f452-cxcm", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-76mc-f452-cxcm affects version 2.5.9 of dompurify." }, "affects": [ { "ref": "pkg:npm/dompurify@2.5.9" } ] }, { "bom-ref": "urn:uuid:6d0e39fe-2ce6-56c4-8879-eb365c1ba4c7", "id": "GHSA-cj63-jhhr-wcxv", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-cj63-jhhr-wcxv affects version 2.5.9 of dompurify." }, "affects": [ { "ref": "pkg:npm/dompurify@2.5.9" } ] }, { "bom-ref": "urn:uuid:c4786e17-6a48-548e-8b21-fb2841755d6c", "id": "GHSA-cjmm-f4jc-qw8r", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-cjmm-f4jc-qw8r affects version 2.5.9 of dompurify." }, "affects": [ { "ref": "pkg:npm/dompurify@2.5.9" } ] }, { "bom-ref": "urn:uuid:a405b7fc-a87b-5fbc-a816-4500f173eaa0", "id": "GHSA-cmwh-pvxp-8882", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-cmwh-pvxp-8882 affects version 2.5.9 of dompurify." }, "affects": [ { "ref": "pkg:npm/dompurify@2.5.9" } ] }, { "bom-ref": "urn:uuid:2fbd6454-bd24-53cd-aae5-d53ece50f742", "id": "GHSA-gvmj-g25r-r7wr", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-gvmj-g25r-r7wr affects version 2.5.9 of dompurify." }, "affects": [ { "ref": "pkg:npm/dompurify@2.5.9" } ] }, { "bom-ref": "urn:uuid:9f9c2307-647f-5c38-bf97-83a0adfe6ae9", "id": "GHSA-vxr8-fq34-vvx9", "analysis": { "state": "not_affected", "detail": "Vulnerability GHSA-vxr8-fq34-vvx9 does not affect version 2.5.9 of dompurify. not_affected \u2014 Version 2.5.9 does not contain the vulnerability. The TRUSTED_TYPES_POLICY configuration option, which is required for exploitation, was not introduced until version 3.0.3. In version 2.5.9, trustedTypesPolicy is an immutable constant created once at initialization with no mechanism for external override." }, "affects": [ { "ref": "pkg:npm/dompurify@2.5.9" } ] }, { "bom-ref": "urn:uuid:d70ad053-ba00-586c-9c1e-04e5f156377a", "id": "GHSA-x4vx-rjvf-j5p4", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-x4vx-rjvf-j5p4 affects version 2.5.9 of dompurify." }, "affects": [ { "ref": "pkg:npm/dompurify@2.5.9" } ] } ], "dependencies": [ { "ref": "pkg:npm/dompurify@2.5.9" } ] }