{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:e67e2653-47b9-5a65-8ab1-52911ab19d2e", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:npm/nuxt@4.0.3-tuxcare.1", "type": "library", "name": "nuxt", "version": "4.0.3-tuxcare.1", "purl": "pkg:npm/nuxt@4.0.3-tuxcare.1" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:66c6686a-ae61-5d2a-8341-4ff7c2700ad6", "id": "CVE-2022-21670", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-21670 is fixed in version 4.0.3-tuxcare.1 of nuxt." }, "affects": [ { "ref": "pkg:npm/nuxt@4.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:d2fe9ca6-5bb1-5c27-b158-2a08d9d2b0e0", "id": "CVE-2022-25852", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2022-25852 affects version 4.0.3-tuxcare.1 of nuxt." }, "affects": [ { "ref": "pkg:npm/nuxt@4.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:a3db293e-a26e-5674-b958-5bc8a26afadd", "id": "CVE-2025-59414", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-59414 is fixed in version 4.0.3-tuxcare.1 of nuxt." }, "affects": [ { "ref": "pkg:npm/nuxt@4.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:4d01b1e1-1578-537a-a35c-f060a0b4b4b2", "id": "CVE-2026-25128", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-25128 affects version 4.0.3-tuxcare.1 of nuxt." }, "affects": [ { "ref": "pkg:npm/nuxt@4.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:eb66b12a-722f-5423-a210-b842060d5c40", "id": "CVE-2026-32887", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-32887 affects version 4.0.3-tuxcare.1 of nuxt." }, "affects": [ { "ref": "pkg:npm/nuxt@4.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:a033f6cb-bd57-5587-8e40-bb1e12399379", "id": "CVE-2026-33128", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-33128 affects version 4.0.3-tuxcare.1 of nuxt." }, "affects": [ { "ref": "pkg:npm/nuxt@4.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:0fdba328-1d6b-5420-a3a0-48e8381957c1", "id": "CVE-2026-33129", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-33129 affects version 4.0.3-tuxcare.1 of nuxt." }, "affects": [ { "ref": "pkg:npm/nuxt@4.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:8afbfda0-638c-56f6-ad85-83f0b27f57fc", "id": "CVE-2026-33131", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-33131 affects version 4.0.3-tuxcare.1 of nuxt." }, "affects": [ { "ref": "pkg:npm/nuxt@4.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:aca04afc-0028-5b68-90b2-6145028cd003", "id": "CVE-2026-33490", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-33490 affects version 4.0.3-tuxcare.1 of nuxt." }, "affects": [ { "ref": "pkg:npm/nuxt@4.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:5f1f7fe5-e196-56ac-9f3d-f1b50fbb8ec0", "id": "CVE-2026-39363", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-39363 affects version 4.0.3-tuxcare.1 of nuxt." }, "affects": [ { "ref": "pkg:npm/nuxt@4.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:ffa75094-fc85-5005-bbd2-bad24e69a42b", "id": "CVE-2026-39364", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-39364 affects version 4.0.3-tuxcare.1 of nuxt." }, "affects": [ { "ref": "pkg:npm/nuxt@4.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:82642d3a-a704-5193-b71d-51c6f8be5fc3", "id": "CVE-2026-39365", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-39365 affects version 4.0.3-tuxcare.1 of nuxt." }, "affects": [ { "ref": "pkg:npm/nuxt@4.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:a96d11af-74dc-5630-9fd4-1ec1a13ee3ed", "id": "CVE-2026-39406", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-39406 affects version 4.0.3-tuxcare.1 of nuxt." }, "affects": [ { "ref": "pkg:npm/nuxt@4.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:e8b4c115-3aff-5131-82f1-b749e0a3c266", "id": "CVE-2026-41305", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41305 affects version 4.0.3-tuxcare.1 of nuxt." }, "affects": [ { "ref": "pkg:npm/nuxt@4.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:18b49913-17de-5cd5-b9f3-a33b83d8f16c", "id": "CVE-2026-42338", "analysis": { "state": "false_positive", "detail": "Vulnerability CVE-2026-42338 is a false positive for nuxt 4.0.3-tuxcare.1. false_positive \u2014 CVE-2026-42338 concerns the 'ip-address' npm package, but this repository is the 'nuxt' framework. The affected component (ip-address library) is completely absent from the repository - not as the project itself, not as vendored/bundled code, and not as a declared dependency. This is a wrong-project match." }, "affects": [ { "ref": "pkg:npm/nuxt@4.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:d669d0ab-4956-5835-af0a-b2b8470584b5", "id": "CVE-2026-44372", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-44372 affects version 4.0.3-tuxcare.1 of nuxt." }, "affects": [ { "ref": "pkg:npm/nuxt@4.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:b88c4b8a-ba85-5f0a-b5da-14a10bcf4236", "id": "CVE-2026-44373", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-44373 affects version 4.0.3-tuxcare.1 of nuxt." }, "affects": [ { "ref": "pkg:npm/nuxt@4.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:12552692-6663-52da-bbfd-1c21bea7469a", "id": "CVE-2026-45669", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-45669 affects version 4.0.3-tuxcare.1 of nuxt." }, "affects": [ { "ref": "pkg:npm/nuxt@4.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:f62da68e-e731-59a2-8009-25a29369ce2b", "id": "CVE-2026-45670", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-45670 affects version 4.0.3-tuxcare.1 of nuxt." }, "affects": [ { "ref": "pkg:npm/nuxt@4.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:ca3af9bc-9d92-5709-9d57-921e7fbce695", "id": "CVE-2026-45736", "analysis": { "state": "false_positive", "detail": "Vulnerability CVE-2026-45736 is a false positive for nuxt 4.0.3-tuxcare.1. false_positive \u2014 CVE-2026-45736 is a wrong-project match. The advisory concerns the 'ws' WebSocket library for Node.js, but the target repository is Nuxt.js framework. The ws library's source code (specifically lib/sender.js containing the vulnerable WebSocket close implementation) does not exist anywhere in this repository. While ws appears as a transitive dependency in pnpm-lock.yaml, no ws source code is pre..." }, "affects": [ { "ref": "pkg:npm/nuxt@4.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:c7123d8b-fe7b-5ae8-a9ca-d5981656712d", "id": "CVE-2026-46342", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-46342 affects version 4.0.3-tuxcare.1 of nuxt." }, "affects": [ { "ref": "pkg:npm/nuxt@4.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:25408df9-90aa-5350-9108-cb48f280669c", "id": "CVE-2026-47200", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-47200 affects version 4.0.3-tuxcare.1 of nuxt." }, "affects": [ { "ref": "pkg:npm/nuxt@4.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:b6fd8c79-d5c1-55f6-920f-7708dcefaeff", "id": "CVE-2026-49993", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-49993 affects version 4.0.3-tuxcare.1 of nuxt." }, "affects": [ { "ref": "pkg:npm/nuxt@4.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:40a93f46-bf4c-5653-9e15-11fc76fe5d73", "id": "CVE-2026-53571", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-53571 affects version 4.0.3-tuxcare.1 of nuxt." }, "affects": [ { "ref": "pkg:npm/nuxt@4.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:98bc11ce-e65f-544b-9c9c-b290a0ebe554", "id": "CVE-2026-53721", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-53721 affects version 4.0.3-tuxcare.1 of nuxt." }, "affects": [ { "ref": "pkg:npm/nuxt@4.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:909a80d5-c2b3-5979-a5d7-73204aaeb8d3", "id": "CVE-2026-53722", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-53722 affects version 4.0.3-tuxcare.1 of nuxt." }, "affects": [ { "ref": "pkg:npm/nuxt@4.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:05d5ec12-3ebe-5cd0-b0c9-416f21680199", "id": "CVE-2026-54285", "analysis": { "state": "false_positive", "detail": "Vulnerability CVE-2026-54285 is a false positive for nuxt 4.0.3-tuxcare.1. false_positive \u2014 This CVE concerns @opentelemetry/core (OpenTelemetry JavaScript package), but the target repository is Nuxt (Vue.js framework). The affected component W3CBaggagePropagator is completely absent from this repository. This is a wrong-project match." }, "affects": [ { "ref": "pkg:npm/nuxt@4.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:43b47f95-da89-526f-9ec8-c80a6e3ad849", "id": "CVE-2026-56326", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-56326 affects version 4.0.3-tuxcare.1 of nuxt." }, "affects": [ { "ref": "pkg:npm/nuxt@4.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:89080ba7-a8cd-5aab-a69d-da7287580081", "id": "GHSA-4hxc-9384-m385", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-4hxc-9384-m385 affects version 4.0.3-tuxcare.1 of nuxt." }, "affects": [ { "ref": "pkg:npm/nuxt@4.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:1f6d101d-58ad-5ee0-a18b-f67cc1fb163b", "id": "GHSA-534h-c3cw-v3h9", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-534h-c3cw-v3h9 affects version 4.0.3-tuxcare.1 of nuxt." }, "affects": [ { "ref": "pkg:npm/nuxt@4.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:6490f129-5d68-553a-a70d-7801eb86699f", "id": "GHSA-c9cv-mq2m-ppp3", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-c9cv-mq2m-ppp3 affects version 4.0.3-tuxcare.1 of nuxt." }, "affects": [ { "ref": "pkg:npm/nuxt@4.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:86de38a7-540a-5b7b-9ca4-1a15c4647827", "id": "GHSA-gv7w-rqvm-qjhr", "analysis": { "state": "not_affected", "detail": "Vulnerability GHSA-gv7w-rqvm-qjhr does not affect version 4.0.3-tuxcare.1 of nuxt. not_affected \u2014 The target Nuxt repository uses esbuild as a Node.js dependency via npm/pnpm, not the vulnerable Deno module. The vulnerability (GHSA-gv7w-rqvm-qjhr) is specific to esbuild's Deno distribution (lib/deno/mod.ts) which downloads binaries at runtime without integrity verification. The Node.js distribution (lib/npm/node-install.ts) contains robust SHA-256 integrity checks and is not affected. This ..." }, "affects": [ { "ref": "pkg:npm/nuxt@4.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:76b672b7-fae9-58b8-b586-4dc7a0880f65", "id": "GHSA-m3q2-p4fw-w38m", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-m3q2-p4fw-w38m affects version 4.0.3-tuxcare.1 of nuxt." }, "affects": [ { "ref": "pkg:npm/nuxt@4.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:40491703-7a41-555c-9253-da9d7eafa890", "id": "GHSA-q5pr-72pq-83v3", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-q5pr-72pq-83v3 affects version 4.0.3-tuxcare.1 of nuxt." }, "affects": [ { "ref": "pkg:npm/nuxt@4.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:5b0f680c-7758-511c-a924-54334d04e4a0", "id": "GHSA-rq7w-g337-39qq", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-rq7w-g337-39qq affects version 4.0.3-tuxcare.1 of nuxt." }, "affects": [ { "ref": "pkg:npm/nuxt@4.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:497d6970-7045-5abb-84a4-6e87351335bc", "id": "GHSA-w5hq-g745-h8pq", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-w5hq-g745-h8pq affects version 4.0.3-tuxcare.1 of nuxt." }, "affects": [ { "ref": "pkg:npm/nuxt@4.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:c8d33c55-bf49-5bda-8cb2-aaf066e824b0", "id": "GHSA-wr4h-v87w-p3r7", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-wr4h-v87w-p3r7 affects version 4.0.3-tuxcare.1 of nuxt." }, "affects": [ { "ref": "pkg:npm/nuxt@4.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:e51c8f42-ae26-507a-a4f7-08ed0f926f81", "id": "GHSA-x7mm-9vvv-64w8", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-x7mm-9vvv-64w8 affects version 4.0.3-tuxcare.1 of nuxt." }, "affects": [ { "ref": "pkg:npm/nuxt@4.0.3-tuxcare.1" } ] } ], "dependencies": [ { "ref": "pkg:npm/nuxt@4.0.3-tuxcare.1" } ] }