{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:5dc8ba40-19dd-5215-a5a2-e6300689c253", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:npm/nuxt@4.0.3", "type": "library", "name": "nuxt", "version": "4.0.3", "purl": "pkg:npm/nuxt@4.0.3" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:01df6a81-a85b-5108-8c90-542f0f6f42c5", "id": "CVE-2022-25852", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2022-25852 affects version 4.0.3 of nuxt." }, "affects": [ { "ref": "pkg:npm/nuxt@4.0.3" } ] }, { "bom-ref": "urn:uuid:d910d65b-5869-56c2-a305-5bbe8662c162", "id": "CVE-2026-25128", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-25128 affects version 4.0.3 of nuxt." }, "affects": [ { "ref": "pkg:npm/nuxt@4.0.3" } ] }, { "bom-ref": "urn:uuid:d7616731-6536-5e0f-b229-8f9f48edb3b9", "id": "CVE-2026-32887", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-32887 affects version 4.0.3 of nuxt." }, "affects": [ { "ref": "pkg:npm/nuxt@4.0.3" } ] }, { "bom-ref": "urn:uuid:1f215abc-9699-59db-ada5-2ea26b452229", "id": "CVE-2026-33128", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-33128 affects version 4.0.3 of nuxt." }, "affects": [ { "ref": "pkg:npm/nuxt@4.0.3" } ] }, { "bom-ref": "urn:uuid:dad758da-dd33-5a74-9312-d7f0980fc775", "id": "CVE-2026-33129", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-33129 affects version 4.0.3 of nuxt." }, "affects": [ { "ref": "pkg:npm/nuxt@4.0.3" } ] }, { "bom-ref": "urn:uuid:c2d1ae30-2b00-57e5-8030-dc1c911bef31", "id": "CVE-2026-33131", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-33131 affects version 4.0.3 of nuxt." }, "affects": [ { "ref": "pkg:npm/nuxt@4.0.3" } ] }, { "bom-ref": "urn:uuid:fe21402c-5167-5b8f-b106-eeb8b47edf92", "id": "CVE-2026-33490", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-33490 affects version 4.0.3 of nuxt." }, "affects": [ { "ref": "pkg:npm/nuxt@4.0.3" } ] }, { "bom-ref": "urn:uuid:edc03f06-a3dd-5406-a2ab-6afa63b55012", "id": "CVE-2026-39363", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-39363 affects version 4.0.3 of nuxt." }, "affects": [ { "ref": "pkg:npm/nuxt@4.0.3" } ] }, { "bom-ref": "urn:uuid:8fa3f9f9-91f4-522e-9e1c-178699b9466a", "id": "CVE-2026-39364", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-39364 affects version 4.0.3 of nuxt." }, "affects": [ { "ref": "pkg:npm/nuxt@4.0.3" } ] }, { "bom-ref": "urn:uuid:e55b9686-7b91-5042-bfc5-3119339cf734", "id": "CVE-2026-39365", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-39365 affects version 4.0.3 of nuxt." }, "affects": [ { "ref": "pkg:npm/nuxt@4.0.3" } ] }, { "bom-ref": "urn:uuid:8c11bb11-ce7a-5823-8232-403a9485e7a8", "id": "CVE-2026-39406", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-39406 affects version 4.0.3 of nuxt." }, "affects": [ { "ref": "pkg:npm/nuxt@4.0.3" } ] }, { "bom-ref": "urn:uuid:46e580d2-4c01-5cf2-b867-d4d02301bdc0", "id": "CVE-2026-41305", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41305 affects version 4.0.3 of nuxt." }, "affects": [ { "ref": "pkg:npm/nuxt@4.0.3" } ] }, { "bom-ref": "urn:uuid:3d1c050f-7844-51ba-94fa-7dfca6de5f5b", "id": "CVE-2026-42338", "analysis": { "state": "false_positive", "detail": "Vulnerability CVE-2026-42338 is a false positive for nuxt 4.0.3. false_positive \u2014 CVE-2026-42338 concerns the 'ip-address' npm package, but this repository is the 'nuxt' framework. The affected component (ip-address library) is completely absent from the repository - not as the project itself, not as vendored/bundled code, and not as a declared dependency. This is a wrong-project match." }, "affects": [ { "ref": "pkg:npm/nuxt@4.0.3" } ] }, { "bom-ref": "urn:uuid:bd8f6269-05e3-5d52-8a73-c00306d90237", "id": "CVE-2026-44372", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-44372 affects version 4.0.3 of nuxt." }, "affects": [ { "ref": "pkg:npm/nuxt@4.0.3" } ] }, { "bom-ref": "urn:uuid:02d2bfb7-b521-5589-a41d-a1cb33edc8c0", "id": "CVE-2026-44373", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-44373 affects version 4.0.3 of nuxt." }, "affects": [ { "ref": "pkg:npm/nuxt@4.0.3" } ] }, { "bom-ref": "urn:uuid:226f0ddf-696c-563d-8e6b-1ea229615d6a", "id": "CVE-2026-45670", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-45670 affects version 4.0.3 of nuxt." }, "affects": [ { "ref": "pkg:npm/nuxt@4.0.3" } ] }, { "bom-ref": "urn:uuid:58355842-4d2b-527a-b7ba-0c7f38d48ffd", "id": "CVE-2026-45736", "analysis": { "state": "false_positive", "detail": "Vulnerability CVE-2026-45736 is a false positive for nuxt 4.0.3. false_positive \u2014 CVE-2026-45736 is a wrong-project match. The advisory concerns the 'ws' WebSocket library for Node.js, but the target repository is Nuxt.js framework. The ws library's source code (specifically lib/sender.js containing the vulnerable WebSocket close implementation) does not exist anywhere in this repository. While ws appears as a transitive dependency in pnpm-lock.yaml, no ws source code is pre..." }, "affects": [ { "ref": "pkg:npm/nuxt@4.0.3" } ] }, { "bom-ref": "urn:uuid:cbcbb178-3e14-5d54-9ae7-9937fbda0fbd", "id": "CVE-2026-47200", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-47200 affects version 4.0.3 of nuxt." }, "affects": [ { "ref": "pkg:npm/nuxt@4.0.3" } ] }, { "bom-ref": "urn:uuid:af1366fe-4d04-5f57-bc2d-340c782d818b", "id": "CVE-2026-49993", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-49993 affects version 4.0.3 of nuxt." }, "affects": [ { "ref": "pkg:npm/nuxt@4.0.3" } ] }, { "bom-ref": "urn:uuid:1d7f1d2c-00d6-5af4-a7a9-a6474fcaeb6a", "id": "CVE-2026-53571", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-53571 affects version 4.0.3 of nuxt." }, "affects": [ { "ref": "pkg:npm/nuxt@4.0.3" } ] }, { "bom-ref": "urn:uuid:a091ce9f-976c-52ae-b535-cff8e733f1e9", "id": "CVE-2026-53721", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-53721 affects version 4.0.3 of nuxt." }, "affects": [ { "ref": "pkg:npm/nuxt@4.0.3" } ] }, { "bom-ref": "urn:uuid:5c0aaaad-8806-50c7-bb2c-e9c9f6c46600", "id": "CVE-2026-53722", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-53722 affects version 4.0.3 of nuxt." }, "affects": [ { "ref": "pkg:npm/nuxt@4.0.3" } ] }, { "bom-ref": "urn:uuid:0bee595d-b57d-52eb-a016-114a28608e18", "id": "CVE-2026-54285", "analysis": { "state": "false_positive", "detail": "Vulnerability CVE-2026-54285 is a false positive for nuxt 4.0.3. false_positive \u2014 This CVE concerns @opentelemetry/core (OpenTelemetry JavaScript package), but the target repository is Nuxt (Vue.js framework). The affected component W3CBaggagePropagator is completely absent from this repository. This is a wrong-project match." }, "affects": [ { "ref": "pkg:npm/nuxt@4.0.3" } ] }, { "bom-ref": "urn:uuid:b0ca29be-175c-51cf-9f48-2407febffe3a", "id": "CVE-2026-56326", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-56326 affects version 4.0.3 of nuxt." }, "affects": [ { "ref": "pkg:npm/nuxt@4.0.3" } ] }, { "bom-ref": "urn:uuid:61ea6369-9555-5777-a885-b8b54a5d1e19", "id": "GHSA-4hxc-9384-m385", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-4hxc-9384-m385 affects version 4.0.3 of nuxt." }, "affects": [ { "ref": "pkg:npm/nuxt@4.0.3" } ] }, { "bom-ref": "urn:uuid:06a15a52-1556-57ce-9922-a7d81a4cbd14", "id": "GHSA-534h-c3cw-v3h9", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-534h-c3cw-v3h9 affects version 4.0.3 of nuxt." }, "affects": [ { "ref": "pkg:npm/nuxt@4.0.3" } ] }, { "bom-ref": "urn:uuid:192e7e22-c203-5f20-b4e2-31ba367d4d05", "id": "GHSA-c9cv-mq2m-ppp3", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-c9cv-mq2m-ppp3 affects version 4.0.3 of nuxt." }, "affects": [ { "ref": "pkg:npm/nuxt@4.0.3" } ] }, { "bom-ref": "urn:uuid:42fb04e4-93a6-5007-ba2f-4660d22655a2", "id": "GHSA-gv7w-rqvm-qjhr", "analysis": { "state": "not_affected", "detail": "Vulnerability GHSA-gv7w-rqvm-qjhr does not affect version 4.0.3 of nuxt. not_affected \u2014 The target Nuxt repository uses esbuild as a Node.js dependency via npm/pnpm, not the vulnerable Deno module. The vulnerability (GHSA-gv7w-rqvm-qjhr) is specific to esbuild's Deno distribution (lib/deno/mod.ts) which downloads binaries at runtime without integrity verification. The Node.js distribution (lib/npm/node-install.ts) contains robust SHA-256 integrity checks and is not affected. This ..." }, "affects": [ { "ref": "pkg:npm/nuxt@4.0.3" } ] }, { "bom-ref": "urn:uuid:0fbd2fdb-74e5-52a1-a21c-e62e1799517b", "id": "GHSA-m3q2-p4fw-w38m", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-m3q2-p4fw-w38m affects version 4.0.3 of nuxt." }, "affects": [ { "ref": "pkg:npm/nuxt@4.0.3" } ] }, { "bom-ref": "urn:uuid:267e83b1-08ab-5312-a9c9-45a937065d95", "id": "GHSA-q5pr-72pq-83v3", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-q5pr-72pq-83v3 affects version 4.0.3 of nuxt." }, "affects": [ { "ref": "pkg:npm/nuxt@4.0.3" } ] }, { "bom-ref": "urn:uuid:42317353-952b-5ec8-b5da-0b6c811abff2", "id": "GHSA-rq7w-g337-39qq", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-rq7w-g337-39qq affects version 4.0.3 of nuxt." }, "affects": [ { "ref": "pkg:npm/nuxt@4.0.3" } ] }, { "bom-ref": "urn:uuid:c397fef9-7fa6-5942-a145-82f573d1e987", "id": "GHSA-w5hq-g745-h8pq", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-w5hq-g745-h8pq affects version 4.0.3 of nuxt." }, "affects": [ { "ref": "pkg:npm/nuxt@4.0.3" } ] }, { "bom-ref": "urn:uuid:a626b9aa-d1f2-5b7b-878f-5901e49c16fc", "id": "GHSA-wr4h-v87w-p3r7", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-wr4h-v87w-p3r7 affects version 4.0.3 of nuxt." }, "affects": [ { "ref": "pkg:npm/nuxt@4.0.3" } ] }, { "bom-ref": "urn:uuid:5cb9ea10-6303-56ef-9361-66f417921111", "id": "GHSA-x7mm-9vvv-64w8", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-x7mm-9vvv-64w8 affects version 4.0.3 of nuxt." }, "affects": [ { "ref": "pkg:npm/nuxt@4.0.3" } ] } ], "dependencies": [ { "ref": "pkg:npm/nuxt@4.0.3" } ] }