{
  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "serialNumber": "urn:uuid:c1413b54-6d49-5cdf-9e86-5dceeeac972e",
  "version": 1,
  "metadata": {
    "tools": [
      {
        "name": "tuxcare-vex-generator",
        "version": "1.0.0"
      }
    ]
  },
  "components": [
    {
      "bom-ref": "pkg:npm/fast-xml-parser@4.5.6-tuxcare.1",
      "type": "library",
      "name": "fast-xml-parser",
      "version": "4.5.6-tuxcare.1",
      "purl": "pkg:npm/fast-xml-parser@4.5.6-tuxcare.1"
    }
  ],
  "vulnerabilities": [
    {
      "bom-ref": "urn:uuid:8bbd1338-9750-5c3b-93c0-c3fa1e1e775e",
      "id": "CVE-2026-25128",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2026-25128 does not affect version 4.5.6-tuxcare.1 of fast-xml-parser. already_fixed \u2014 CVE-2026-25128 has already been fixed in the target repository via commit 98ef2af on Feb 11, 2026 by TuxCare. The fix adds range validation for HTML numeric entities to prevent RangeError from out-of-range code points."
      },
      "affects": [
        {
          "ref": "pkg:npm/fast-xml-parser@4.5.6-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:ca722c34-dea5-58b9-a4c4-1f5a99d9f0cc",
      "id": "CVE-2026-41650",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2026-41650 is fixed in version 4.5.6-tuxcare.1 of fast-xml-parser."
      },
      "affects": [
        {
          "ref": "pkg:npm/fast-xml-parser@4.5.6-tuxcare.1"
        }
      ]
    }
  ],
  "dependencies": [
    {
      "ref": "pkg:npm/fast-xml-parser@4.5.6-tuxcare.1"
    }
  ]
}