{
  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "serialNumber": "urn:uuid:0faee6cd-1e28-56f5-a681-93268946ec97",
  "version": 1,
  "metadata": {
    "tools": [
      {
        "name": "tuxcare-vex-generator",
        "version": "1.0.0"
      }
    ]
  },
  "components": [
    {
      "bom-ref": "pkg:composer/craftcms/cms@3.9.15",
      "type": "library",
      "group": "craftcms",
      "name": "cms",
      "version": "3.9.15",
      "purl": "pkg:composer/craftcms/cms@3.9.15"
    }
  ],
  "vulnerabilities": [
    {
      "bom-ref": "urn:uuid:c16af5ba-79df-5d1a-b727-d021ac9e7aa6",
      "id": "CVE-2022-37251",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2022-37251 does not affect version 3.9.15 of craftcms/cms. already_fixed \u2014 CVE-2022-37251 (XSS via Drafts) has already been fixed in the target repository. The target contains the vendor's patches from upstream Craft CMS 3.7.55.2 (September 2022) that address this CVE."
      },
      "affects": [
        {
          "ref": "pkg:composer/craftcms/cms@3.9.15"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:c365d7ce-524c-558f-9c09-1b14bf29e888",
      "id": "CVE-2023-31144",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2023-31144 does not affect version 3.9.15 of craftcms/cms. already_fixed \u2014 CVE-2023-31144 (XSS via unescaped slashes in JSON) is already fixed in the target repository. The fix \u2014 removing JSON_UNESCAPED_SLASHES from the default encoding options \u2014 is present in src/helpers/Json.php at lines 36-39, matching the vendor patch exactly. All call sites have been updated to use the safe default."
      },
      "affects": [
        {
          "ref": "pkg:composer/craftcms/cms@3.9.15"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:ccbec685-a07c-5411-a07c-3ce13d2b5bf6",
      "id": "CVE-2023-33195",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2023-33195 does not affect version 3.9.15 of craftcms/cms. not_affected \u2014 Craft CMS 3.9.15 is not affected by CVE-2023-33195. The vulnerability was specific to version 4.x's externalLink macro which doesn't exist in version 3.x. Version 3.9.15 uses a safer architecture where RSS feed data is passed via the 'text' parameter which is automatically HTML-encoded by tagFunction (Extension.php:1567), preventing XSS attacks."
      },
      "affects": [
        {
          "ref": "pkg:composer/craftcms/cms@3.9.15"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:19aa1f7d-ff9a-5c68-8933-22b6f634705b",
      "id": "CVE-2023-33196",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2023-33196 does not affect version 3.9.15 of craftcms/cms. not_affected \u2014 The target repository (Craft CMS 3.9.15) uses server-side Twig templates with built-in HTML auto-escaping, preventing XSS through file paths and volume URIs. The upstream vulnerability (CVE-2023-33196) affects version 4.4.7 which uses client-side TypeScript for HTML generation without escaping. This is a fundamental architectural difference between versions 3.x and 4.x."
      },
      "affects": [
        {
          "ref": "pkg:composer/craftcms/cms@3.9.15"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:058075e0-66ea-5160-85bc-ed96d9277678",
      "id": "CVE-2023-33197",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2023-33197 does not affect version 3.9.15 of craftcms/cms. not_affected \u2014 Craft CMS 3.9.15 is not affected by CVE-2023-33197. The vulnerable feature (session overview table with client-side HTML rendering of volume names) does not exist in version 3.9.15. The target uses server-side Twig rendering with automatic HTML escaping, and volume names are never sent to JavaScript for client-side HTML construction."
      },
      "affects": [
        {
          "ref": "pkg:composer/craftcms/cms@3.9.15"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:d9267139-6fae-55c8-88af-42ba001852e1",
      "id": "CVE-2023-36260",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2023-36260 does not affect version 3.9.15 of craftcms/cms. not_affected \u2014 The target repository is Craft CMS core (craftcms/cms), while the vulnerability CVE-2023-36260 exists in the Feed Me plugin (craftcms/feed-me), which is a separate third-party plugin codebase. The Feed Me plugin is not bundled with or integrated into Craft CMS core. The vulnerable code (FeedsController.php with actionSaveFeed method) does not exist anywhere in the target repository."
      },
      "affects": [
        {
          "ref": "pkg:composer/craftcms/cms@3.9.15"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:e702d247-e8a7-53a1-bedf-132bbcddb4fb",
      "id": "CVE-2023-40035",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2023-40035 does not affect version 3.9.15 of craftcms/cms. already_fixed \u2014 CVE-2023-40035 has been fixed in the target repository. The target (Craft CMS 3.9.15-p3+tuxcare) contains both security fixes: (1) Component::cleanseConfig() method that removes malicious 'on ' and 'as ' configuration keys to prevent RCE via event handler/behavior injection, and (2) FileHelper::normalizePath() that strips 'file://' protocol wrappers. The cleanseConfig fix was added in version 3..."
      },
      "affects": [
        {
          "ref": "pkg:composer/craftcms/cms@3.9.15"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:e52914fc-66ea-5a6c-8c69-04440ad778a8",
      "id": "CVE-2023-41892",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2023-41892 does not affect version 3.9.15 of craftcms/cms. already_fixed \u2014 The target Craft CMS 3.9.15 repository already contains the fix for CVE-2023-41892. The vulnerability (RCE via Yii2 'on ' and 'as ' configuration keys) was originally patched in Craft 4.4.15 (June 2023) and backported to Craft 3.9.4 (September 2023). The target version 3.9.15 includes the Component::cleanseConfig() method that filters malicious config keys before object instantiation, matching ..."
      },
      "affects": [
        {
          "ref": "pkg:composer/craftcms/cms@3.9.15"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:8219bd77-f3e3-5f32-a8c2-4ae30e860159",
      "id": "CVE-2024-21622",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2024-21622 affects version 3.9.15 of craftcms/cms."
      },
      "affects": [
        {
          "ref": "pkg:composer/craftcms/cms@3.9.15"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:8d3915c0-9319-59c6-9a29-4a60e6e0c8f5",
      "id": "CVE-2024-32877",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2024-32877 affects version 3.9.15 of craftcms/cms."
      },
      "affects": [
        {
          "ref": "pkg:composer/craftcms/cms@3.9.15"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:e22e5efe-a38c-53bf-aeef-310a35b87a88",
      "id": "CVE-2024-41800",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2024-41800 does not affect version 3.9.15 of craftcms/cms. not_affected \u2014 Craft CMS 3.9.15 does not contain TOTP authentication functionality. The vulnerability CVE-2024-41800 affects Craft CMS 5.x, which introduced TOTP-based two-factor authentication. The target version predates this feature entirely."
      },
      "affects": [
        {
          "ref": "pkg:composer/craftcms/cms@3.9.15"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:787b4867-fa03-5b5b-a32c-fc839f96ec6e",
      "id": "CVE-2024-45411",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2024-45411 affects version 3.9.15 of craftcms/cms."
      },
      "affects": [
        {
          "ref": "pkg:composer/craftcms/cms@3.9.15"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:05b25dfb-4478-5a9e-8b6e-ab624d7d3aed",
      "id": "CVE-2024-51754",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2024-51754 does not affect version 3.9.15 of craftcms/cms. not_affected \u2014 Craft CMS is not affected by CVE-2024-51754. While the project uses Twig 2.15.3 (which contains the vulnerability in its library code), the vulnerability cannot be exploited in Craft's configuration. The vulnerability requires a Twig sandbox security policy that blocks the __toString() method, but Craft's SecurityPolicy implementation is empty and blocks no methods. Additionally, the sandbox is..."
      },
      "affects": [
        {
          "ref": "pkg:composer/craftcms/cms@3.9.15"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:5f242d6e-8b12-5867-8506-99a842571840",
      "id": "CVE-2024-51755",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2024-51755 affects version 3.9.15 of craftcms/cms."
      },
      "affects": [
        {
          "ref": "pkg:composer/craftcms/cms@3.9.15"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:adeb8bc1-1a56-5a47-9917-9852164a493c",
      "id": "CVE-2024-52293",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2024-52293 does not affect version 3.9.15 of craftcms/cms. already_fixed \u2014 The target repository (Craft CMS 3.9.15) already contains an equivalent and more comprehensive fix for the Twig SSTI arrow function injection vulnerability through prior TuxCare backports (PHPELSCVE-320). The defense mechanism '_checkFilterSupport()' blocks dangerous function names in Twig filter arrow parameters with a more extensive blocklist (26 functions) than the upstream patch (5 function..."
      },
      "affects": [
        {
          "ref": "pkg:composer/craftcms/cms@3.9.15"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:2fdc0b05-eaf1-5303-a9a1-4af6532ca11a",
      "id": "CVE-2025-23209",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2025-23209 does not affect version 3.9.15 of craftcms/cms. The target repository (Craft CMS 3.9.15-p3+tuxcare) is not vulnerable to CVE-2025-23209. While the CVE affects Craft 4 and 5, this Craft 3.x version has been patched by completely disabling the vulnerable database restore functionality rather than adding validation. The vulnerable code pattern (unsanitized use of dbBackupPath) no longer exists in the codebase."
      },
      "affects": [
        {
          "ref": "pkg:composer/craftcms/cms@3.9.15"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:c0d6c69e-0a05-54f7-9597-045ec7718a0d",
      "id": "CVE-2025-32432",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2025-32432 affects version 3.9.15 of craftcms/cms."
      },
      "affects": [
        {
          "ref": "pkg:composer/craftcms/cms@3.9.15"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:97f8744c-72f1-518c-9a30-39d55c380dd4",
      "id": "CVE-2025-46731",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2025-46731 affects version 3.9.15 of craftcms/cms."
      },
      "affects": [
        {
          "ref": "pkg:composer/craftcms/cms@3.9.15"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:4f00d41b-0762-595c-9231-a8b1773bbaf6",
      "id": "CVE-2025-55166",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2025-55166 affects version 3.9.15 of craftcms/cms."
      },
      "affects": [
        {
          "ref": "pkg:composer/craftcms/cms@3.9.15"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:3babeff5-1533-50ae-9222-efa387f5b151",
      "id": "CVE-2025-57811",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2025-57811 affects version 3.9.15 of craftcms/cms."
      },
      "affects": [
        {
          "ref": "pkg:composer/craftcms/cms@3.9.15"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:9941afde-d13e-544b-9e3f-b45521d448e7",
      "id": "CVE-2025-68436",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2025-68436 affects version 3.9.15 of craftcms/cms."
      },
      "affects": [
        {
          "ref": "pkg:composer/craftcms/cms@3.9.15"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:307b227f-c094-507b-9710-8f221fc6fd6e",
      "id": "CVE-2025-68454",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2025-68454 affects version 3.9.15 of craftcms/cms."
      },
      "affects": [
        {
          "ref": "pkg:composer/craftcms/cms@3.9.15"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:8c742cd7-c545-515a-a7b4-14e9615951ff",
      "id": "CVE-2025-68455",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2025-68455 affects version 3.9.15 of craftcms/cms."
      },
      "affects": [
        {
          "ref": "pkg:composer/craftcms/cms@3.9.15"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:bd3d7274-c5e0-53b0-a89d-938cd67cf3fc",
      "id": "CVE-2026-25491",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-25491 affects version 3.9.15 of craftcms/cms."
      },
      "affects": [
        {
          "ref": "pkg:composer/craftcms/cms@3.9.15"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:8d9001ff-4b90-59f1-9edd-9988e1b28a9f",
      "id": "CVE-2026-25494",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-25494 affects version 3.9.15 of craftcms/cms."
      },
      "affects": [
        {
          "ref": "pkg:composer/craftcms/cms@3.9.15"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:5e941ab3-1a7c-5eb7-b9cb-2a2a31ecb1fd",
      "id": "CVE-2026-25496",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-25496 affects version 3.9.15 of craftcms/cms."
      },
      "affects": [
        {
          "ref": "pkg:composer/craftcms/cms@3.9.15"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:4f9babc2-e2f7-5068-b8b2-50ae37695af3",
      "id": "CVE-2026-25498",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-25498 affects version 3.9.15 of craftcms/cms."
      },
      "affects": [
        {
          "ref": "pkg:composer/craftcms/cms@3.9.15"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:4abe8c2b-6f19-5371-8756-8acf10b612a2",
      "id": "CVE-2026-27126",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-27126 affects version 3.9.15 of craftcms/cms."
      },
      "affects": [
        {
          "ref": "pkg:composer/craftcms/cms@3.9.15"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:894d0706-bc18-5a73-9ce3-4662ea032271",
      "id": "CVE-2026-27129",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-27129 affects version 3.9.15 of craftcms/cms."
      },
      "affects": [
        {
          "ref": "pkg:composer/craftcms/cms@3.9.15"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:bfa2f89f-a410-5836-b061-50a5704d490c",
      "id": "CVE-2026-29113",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-29113 affects version 3.9.15 of craftcms/cms."
      },
      "affects": [
        {
          "ref": "pkg:composer/craftcms/cms@3.9.15"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:0bc21e83-5490-5a05-8c1a-9939dc6f9e06",
      "id": "CVE-2026-31857",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-31857 affects version 3.9.15 of craftcms/cms."
      },
      "affects": [
        {
          "ref": "pkg:composer/craftcms/cms@3.9.15"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:69da46f7-a719-54f4-b64a-30f645a4ae30",
      "id": "CVE-2026-31858",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-31858 affects version 3.9.15 of craftcms/cms."
      },
      "affects": [
        {
          "ref": "pkg:composer/craftcms/cms@3.9.15"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:2b077806-eef6-56ae-8456-36a3993b230f",
      "id": "CVE-2026-31859",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-31859 affects version 3.9.15 of craftcms/cms."
      },
      "affects": [
        {
          "ref": "pkg:composer/craftcms/cms@3.9.15"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:16556c26-c758-52ae-bdd0-5fe6dac5c9aa",
      "id": "CVE-2026-32262",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-32262 affects version 3.9.15 of craftcms/cms."
      },
      "affects": [
        {
          "ref": "pkg:composer/craftcms/cms@3.9.15"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:f139e55c-adef-5b88-98e3-368bf7381b0d",
      "id": "CVE-2026-32263",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2026-32263 does not affect version 3.9.15 of craftcms/cms. not_affected \u2014 CVE-2026-32263 affects Craft CMS versions 5.6.0 to 5.9.11 in the EntryTypesController. The target repository is Craft CMS version 3.9.15, which uses a different architectural approach for entry type management. The specific vulnerability pattern (parse_str \u2192 Craft::configure without cleanseConfig in EntryTypesController) does not exist in version 3.x."
      },
      "affects": [
        {
          "ref": "pkg:composer/craftcms/cms@3.9.15"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:13d1d90f-fc37-5d67-97a0-2de8b5cea244",
      "id": "CVE-2026-32264",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-32264 affects version 3.9.15 of craftcms/cms."
      },
      "affects": [
        {
          "ref": "pkg:composer/craftcms/cms@3.9.15"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:fb05be95-9e01-5593-a6f9-ac922d3de476",
      "id": "CVE-2026-33051",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2026-33051 does not affect version 3.9.15 of craftcms/cms. not_affected \u2014 Craft CMS 3.9.15 is not affected by CVE-2026-33051. The vulnerability affects versions 5.9.0-beta.1 through 5.9.10 and involves Template::raw() bypassing HTML escaping when rendering creator fullName in the revision/draft context menu. Version 3.9.15 uses a different architecture with Twig auto-escaping and jQuery .text() that prevent XSS attacks through automatic HTML entity encoding."
      },
      "affects": [
        {
          "ref": "pkg:composer/craftcms/cms@3.9.15"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:a80f31ba-f122-5d37-8211-e296f7febd61",
      "id": "CVE-2026-33157",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-33157 affects version 3.9.15 of craftcms/cms."
      },
      "affects": [
        {
          "ref": "pkg:composer/craftcms/cms@3.9.15"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:52bb9369-c5b8-5f10-8200-5b47ce2ebbe8",
      "id": "CVE-2026-33158",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-33158 affects version 3.9.15 of craftcms/cms."
      },
      "affects": [
        {
          "ref": "pkg:composer/craftcms/cms@3.9.15"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:a995d4ba-0690-5248-b324-5991f0828214",
      "id": "CVE-2026-33159",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-33159 affects version 3.9.15 of craftcms/cms."
      },
      "affects": [
        {
          "ref": "pkg:composer/craftcms/cms@3.9.15"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:143a22ac-a445-5410-b651-b50822391c23",
      "id": "CVE-2026-33160",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-33160 affects version 3.9.15 of craftcms/cms."
      },
      "affects": [
        {
          "ref": "pkg:composer/craftcms/cms@3.9.15"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:d951c5b6-8e42-549d-9b41-fbf96f27fff5",
      "id": "CVE-2026-33161",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-33161 affects version 3.9.15 of craftcms/cms."
      },
      "affects": [
        {
          "ref": "pkg:composer/craftcms/cms@3.9.15"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:1a8088b7-a565-505a-aa02-b3489cdc6ed0",
      "id": "CVE-2026-33162",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-33162 affects version 3.9.15 of craftcms/cms."
      },
      "affects": [
        {
          "ref": "pkg:composer/craftcms/cms@3.9.15"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:51a2f22b-fd94-53d0-9b40-2be9d1aeb1fe",
      "id": "CVE-2026-40476",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2026-40476 does not affect version 3.9.15 of craftcms/cms. not_affected \u2014 The target repository (Craft CMS v3.1.17) does not contain the vulnerable code. The CVE-2026-40476 vulnerability exists in the GraphQL validation library's OverlappingFieldsCanBeMerged rule, which is implemented in the external dependency webonyx/graphql-php (~14.11.5). This dependency is not vendored or bundled in the Craft CMS repository; it is only declared in composer.json. The vulnerable O..."
      },
      "affects": [
        {
          "ref": "pkg:composer/craftcms/cms@3.9.15"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:eee5f415-fbc4-5f78-a983-c1c4aa108c95",
      "id": "CVE-2026-41129",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-41129 affects version 3.9.15 of craftcms/cms."
      },
      "affects": [
        {
          "ref": "pkg:composer/craftcms/cms@3.9.15"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:4c4abfc1-aff2-566d-886d-a437082c97af",
      "id": "CVE-2026-41130",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-41130 affects version 3.9.15 of craftcms/cms."
      },
      "affects": [
        {
          "ref": "pkg:composer/craftcms/cms@3.9.15"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:5a479cc4-9377-5a2c-90d4-292968132285",
      "id": "GHSA-3m9m-24vh-39wx",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability GHSA-3m9m-24vh-39wx affects version 3.9.15 of craftcms/cms."
      },
      "affects": [
        {
          "ref": "pkg:composer/craftcms/cms@3.9.15"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:a4533470-29a7-5b48-946a-bd8c473c4eab",
      "id": "GHSA-44px-qjjc-xrhq",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability GHSA-44px-qjjc-xrhq affects version 3.9.15 of craftcms/cms."
      },
      "affects": [
        {
          "ref": "pkg:composer/craftcms/cms@3.9.15"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:044d05b8-bef2-5513-8696-4030abd07ade",
      "id": "GHSA-68jq-c3rv-pcrr",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability GHSA-68jq-c3rv-pcrr does not affect version 3.9.15 of craftcms/cms. not_affected \u2014 The target repository (Craft CMS) uses webonyx/graphql-php v14.11.10 for server-side GraphQL query validation, not graphql-js. The CVE GHSA-68jq-c3rv-pcrr specifically targets graphql-js v15.x (tested on v15.31.4), which is a JavaScript implementation. While Craft CMS includes graphql-js ^15.8.0 as a frontend dependency, it is used only for the GraphiQL admin UI that runs in the browser, not fo..."
      },
      "affects": [
        {
          "ref": "pkg:composer/craftcms/cms@3.9.15"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:5f8202d6-a153-5c6c-8a41-d802942182a9",
      "id": "GHSA-6j87-m5qx-9fqp",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability GHSA-6j87-m5qx-9fqp affects version 3.9.15 of craftcms/cms."
      },
      "affects": [
        {
          "ref": "pkg:composer/craftcms/cms@3.9.15"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:7468364d-55f9-553c-a8a6-8e33c91e9956",
      "id": "GHSA-95wr-3f2v-v2wh",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability GHSA-95wr-3f2v-v2wh affects version 3.9.15 of craftcms/cms."
      },
      "affects": [
        {
          "ref": "pkg:composer/craftcms/cms@3.9.15"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:8c264269-3f0a-58c5-bdc5-5337b8865ede",
      "id": "GHSA-fc86-6rv6-2jpm",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability GHSA-fc86-6rv6-2jpm affects version 3.9.15 of craftcms/cms."
      },
      "affects": [
        {
          "ref": "pkg:composer/craftcms/cms@3.9.15"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:bbbd71c2-8f3f-5308-a037-c1295801946e",
      "id": "GHSA-g3hp-vvqf-8vw6",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability GHSA-g3hp-vvqf-8vw6 affects version 3.9.15 of craftcms/cms."
      },
      "affects": [
        {
          "ref": "pkg:composer/craftcms/cms@3.9.15"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:d4665e7f-9d75-5843-9275-460d2b36eb23",
      "id": "GHSA-r7cg-qjjm-xhqq",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability GHSA-r7cg-qjjm-xhqq does not affect version 3.9.15 of craftcms/cms. not_affected \u2014 The vulnerable component (GraphQL\\Language\\Parser from webonyx/graphql-php) is not present in the Craft CMS repository. The vulnerability exists in a Composer dependency (webonyx/graphql-php:~14.11.5) whose source code is not vendored or bundled into the Craft CMS codebase. This finding covers the craftcms/cms source tree only; a deployment that installs webonyx/graphql-php through Composer should assess that package separately."
      },
      "affects": [
        {
          "ref": "pkg:composer/craftcms/cms@3.9.15"
        }
      ]
    }
  ],
  "dependencies": [
    {
      "ref": "pkg:composer/craftcms/cms@3.9.15"
    }
  ]
}