{
  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "serialNumber": "urn:uuid:4758ebcb-a57d-5f79-9480-fa8471921c17",
  "version": 1,
  "metadata": {
    "tools": [
      {
        "name": "tuxcare-vex-generator",
        "version": "1.0.0"
      }
    ]
  },
  "components": [
    {
      "bom-ref": "pkg:npm/undici@5.28.5",
      "type": "library",
      "name": "undici",
      "version": "5.28.5",
      "purl": "pkg:npm/undici@5.28.5"
    }
  ],
  "vulnerabilities": [
    {
      "bom-ref": "urn:uuid:601c398d-86e7-5dfb-bef5-974ced9323ea",
      "id": "CVE-2024-24750",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2024-24750 affects version 5.28.5 of undici."
      },
      "affects": [
        {
          "ref": "pkg:npm/undici@5.28.5"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:d1f0939a-c314-537c-a462-a89a3550adb6",
      "id": "CVE-2024-24758",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2024-24758 affects version 5.28.5 of undici."
      },
      "affects": [
        {
          "ref": "pkg:npm/undici@5.28.5"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:fb817201-2b9a-58a9-87df-b929a89fa66f",
      "id": "CVE-2025-47279",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2025-47279 affects version 5.28.5 of undici."
      },
      "affects": [
        {
          "ref": "pkg:npm/undici@5.28.5"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:e23b6a15-1c11-5588-a3ea-a14ccd262235",
      "id": "CVE-2026-11525",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-11525 affects version 5.28.5 of undici."
      },
      "affects": [
        {
          "ref": "pkg:npm/undici@5.28.5"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:86623b7f-b673-5155-b306-8498ab856673",
      "id": "CVE-2026-12151",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-12151 affects version 5.28.5 of undici."
      },
      "affects": [
        {
          "ref": "pkg:npm/undici@5.28.5"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:59a3822c-fc72-56be-845c-88cf9b94736f",
      "id": "CVE-2026-1526",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-1526 affects version 5.28.5 of undici."
      },
      "affects": [
        {
          "ref": "pkg:npm/undici@5.28.5"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:ded2aaee-f07e-5327-89bb-0ae1830229dd",
      "id": "CVE-2026-1527",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-1527 affects version 5.28.5 of undici."
      },
      "affects": [
        {
          "ref": "pkg:npm/undici@5.28.5"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:b9748946-ed73-56f7-a753-768d43cc2029",
      "id": "CVE-2026-22036",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-22036 affects version 5.28.5 of undici."
      },
      "affects": [
        {
          "ref": "pkg:npm/undici@5.28.5"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:3b00b029-614e-5dc8-88b3-43a59d46e33f",
      "id": "CVE-2026-2229",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-2229 affects version 5.28.5 of undici."
      },
      "affects": [
        {
          "ref": "pkg:npm/undici@5.28.5"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:12d63ee1-d6a3-557e-a007-5887f44050c7",
      "id": "CVE-2026-6733",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-6733 affects version 5.28.5 of undici."
      },
      "affects": [
        {
          "ref": "pkg:npm/undici@5.28.5"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:85f68cdc-78ea-5dce-8b52-f898148683ac",
      "id": "CVE-2026-9679",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2026-9679 does not affect version 5.28.5 of undici. Target repository version 5.28.5-tuxcare.4 is not affected by CVE-2026-9679. The vulnerability was introduced in undici 7.0.0 via commit dac8e73d (PR #3789), which added percent-decoding of cookie values using querystring.unescape(). Git history analysis confirms this commit is NOT an ancestor of the target's current HEAD. The target's cookie parser at lib/cookies/parse.js has never contained p..."
      },
      "affects": [
        {
          "ref": "pkg:npm/undici@5.28.5"
        }
      ]
    }
  ],
  "dependencies": [
    {
      "ref": "pkg:npm/undici@5.28.5"
    }
  ]
}