{
  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "serialNumber": "urn:uuid:8bdf5294-77b9-5596-946a-3e4d45799a7f",
  "version": 1,
  "metadata": {
    "tools": [
      {
        "name": "tuxcare-vex-generator",
        "version": "1.0.0"
      }
    ]
  },
  "components": [
    {
      "bom-ref": "pkg:npm/protobufjs@6.11.6",
      "type": "library",
      "name": "protobufjs",
      "version": "6.11.6",
      "purl": "pkg:npm/protobufjs@6.11.6"
    }
  ],
  "vulnerabilities": [
    {
      "bom-ref": "urn:uuid:3b072ad1-21b4-5c8d-9796-f81bd8264bb8",
      "id": "CVE-2026-44290",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-44290 affects version 6.11.6 of protobufjs."
      },
      "affects": [
        {
          "ref": "pkg:npm/protobufjs@6.11.6"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:2d3dc103-8bbe-5ef5-b74c-77554776ed51",
      "id": "CVE-2026-44292",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-44292 affects version 6.11.6 of protobufjs."
      },
      "affects": [
        {
          "ref": "pkg:npm/protobufjs@6.11.6"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:48b446aa-ae5e-57e4-a8ce-bfb1b1ab147f",
      "id": "CVE-2026-44293",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-44293 affects version 6.11.6 of protobufjs."
      },
      "affects": [
        {
          "ref": "pkg:npm/protobufjs@6.11.6"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:9a2b2b37-89c0-5263-b471-f4f0099d5d35",
      "id": "CVE-2026-44294",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-44294 affects version 6.11.6 of protobufjs."
      },
      "affects": [
        {
          "ref": "pkg:npm/protobufjs@6.11.6"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:5e8f4f83-3fc9-5324-9ce9-b52bdf2745c0",
      "id": "CVE-2026-48712",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-48712 affects version 6.11.6 of protobufjs."
      },
      "affects": [
        {
          "ref": "pkg:npm/protobufjs@6.11.6"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:439e6d3c-f136-59fa-9923-2cb7010a9a42",
      "id": "CVE-2026-54269",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-54269 affects version 6.11.6 of protobufjs."
      },
      "affects": [
        {
          "ref": "pkg:npm/protobufjs@6.11.6"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:22f9d3ea-d88d-5c1d-805d-3836587996b7",
      "id": "CVE-2026-54270",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2026-54270 does not affect version 6.11.6 of protobufjs. The target repository (protobufjs 6.11.6-tuxcare.3) is NOT AFFECTED by CVE-2026-54270. This vulnerability was introduced in version 8.2.0, when unknown field preservation was added. Version 6.11.6 simply discards unknown fields during decoding without storing them, which is semantically equivalent to the patched behavior (discardUnknown = true). The vulnerable code pattern (preserving unknown fi... [detail truncated]"
      },
      "affects": [
        {
          "ref": "pkg:npm/protobufjs@6.11.6"
        }
      ]
    }
  ],
  "dependencies": [
    {
      "ref": "pkg:npm/protobufjs@6.11.6"
    }
  ]
}