{
  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "serialNumber": "urn:uuid:58d39c18-092b-5714-9221-c4a0a12d965c",
  "version": 1,
  "metadata": {
    "tools": [
      {
        "name": "tuxcare-vex-generator",
        "version": "1.0.0"
      }
    ]
  },
  "components": [
    {
      "bom-ref": "pkg:composer/laravel/framework@5.4.36",
      "type": "library",
      "group": "laravel",
      "name": "framework",
      "version": "5.4.36",
      "purl": "pkg:composer/laravel/framework@5.4.36"
    }
  ],
  "vulnerabilities": [
    {
      "bom-ref": "urn:uuid:8049dd64-d115-5d2b-b468-9f5c96f9a29e",
      "id": "CVE-2018-1000162",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2018-1000162 affects version 5.4.36 of laravel/framework."
      },
      "affects": [
        {
          "ref": "pkg:composer/laravel/framework@5.4.36"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:44957481-adda-5959-ab13-fe1fb9d93fd5",
      "id": "CVE-2018-14773",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2018-14773 does not affect version 5.4.36 of laravel/framework. already_fixed \u2014 The target Laravel framework repository uses Symfony HttpFoundation v3.4.47 (tracked in vendor directory), which contains the fix for CVE-2018-14773. The vulnerable code that processed X_ORIGINAL_URL and X_REWRITE_URL headers has been removed from the prepareRequestUri() method. The fix was introduced in Symfony v3.4.14, and the target's v3.4.47 is well beyond that version."
      },
      "affects": [
        {
          "ref": "pkg:composer/laravel/framework@5.4.36"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:3e3721f8-e217-55e4-8c03-f4ce232c980f",
      "id": "CVE-2019-10905",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2019-10905 affects version 5.4.36 of laravel/framework."
      },
      "affects": [
        {
          "ref": "pkg:composer/laravel/framework@5.4.36"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:c48bd2d9-2101-593c-bd27-7f66db09c39f",
      "id": "CVE-2019-10913",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2019-10913 does not affect version 5.4.36 of laravel/framework. already_fixed \u2014 CVE-2019-10913 has been fixed in the target repository. The vulnerability involved accepting invalid HTTP method overrides with special characters, numbers, or control characters. The fix (lines 1379-1381 of vendor/symfony/http-foundation/Request.php) validates that non-standard method names contain only uppercase letters A-Z using the regex /^[A-Z]++$/D, and throws a SuspiciousOperationExcepti..."
      },
      "affects": [
        {
          "ref": "pkg:composer/laravel/framework@5.4.36"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:a45919de-10fd-5c99-b9a7-48b0a6e19802",
      "id": "CVE-2019-18887",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2019-18887 does not affect version 5.4.36 of laravel/framework. not_affected \u2014 Laravel framework does not use Symfony's UriSigner component. While symfony/http-kernel v3.4.49 is a declared dependency and contains UriSigner with the timing attack fix (hash_equals), Laravel never enables FragmentListener or uses fragment rendering functionality that would invoke UriSigner validation. The vulnerability code path does not exist in Laravel's execution flow."
      },
      "affects": [
        {
          "ref": "pkg:composer/laravel/framework@5.4.36"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:2e8ff324-a8c2-5ed8-af86-f437a188bf57",
      "id": "CVE-2019-18888",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2019-18888 does not affect version 5.4.36 of laravel/framework. already_fixed \u2014 The target repository (Laravel Framework 5.4.36-p4+tuxcare) vendors Symfony HTTP Foundation v3.4.47, which contains the fix for CVE-2019-18888. The vulnerability involved argument injection when filenames starting with '-' are passed to the MimeTypeGuesser's FileBinaryMimeTypeGuesser component. The fix prepends './' to such paths before executing shell commands, preventing them from being inter..."
      },
      "affects": [
        {
          "ref": "pkg:composer/laravel/framework@5.4.36"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:bce8adf7-d2ff-536d-9ec7-e182a243b12b",
      "id": "CVE-2021-32708",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2021-32708 is fixed in version 5.4.36 of laravel/framework."
      },
      "affects": [
        {
          "ref": "pkg:composer/laravel/framework@5.4.36"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:c9d85127-c2cc-585a-ad10-0ba2b2eec8a0",
      "id": "CVE-2021-43503",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2021-43503 is fixed in version 5.4.36 of laravel/framework."
      },
      "affects": [
        {
          "ref": "pkg:composer/laravel/framework@5.4.36"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:30f3d0d5-1cf2-54fc-a45d-5772e654c557",
      "id": "CVE-2021-43617",
      "analysis": {
        "state": "false_positive",
        "detail": "Vulnerability CVE-2021-43617 is a false positive for laravel/framework 5.4.36. GitHub advisory GHSA-364w-9g92-3grq is withdrawn \u2014 https://github.com/advisories/GHSA-364w-9g92-3grq"
      },
      "affects": [
        {
          "ref": "pkg:composer/laravel/framework@5.4.36"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:9e248ac5-32c4-5ff1-ac36-17f36de3f564",
      "id": "CVE-2022-24894",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2022-24894 affects version 5.4.36 of laravel/framework."
      },
      "affects": [
        {
          "ref": "pkg:composer/laravel/framework@5.4.36"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:34ce4c96-e1da-5df0-a56b-540e1a3b4dca",
      "id": "CVE-2022-31279",
      "analysis": {
        "state": "false_positive",
        "detail": "Vulnerability CVE-2022-31279 is a false positive for laravel/framework 5.4.36. CVE-2022-31279 was REJECTED/withdrawn by its CNA per NVD: \"DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue.\""
      },
      "affects": [
        {
          "ref": "pkg:composer/laravel/framework@5.4.36"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:153c690d-1d49-5561-ab82-886c51d6dca8",
      "id": "CVE-2024-28859",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2024-28859 is fixed in version 5.4.36 of laravel/framework."
      },
      "affects": [
        {
          "ref": "pkg:composer/laravel/framework@5.4.36"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:116b1d7f-0525-5922-adfe-68fcb429a0a8",
      "id": "CVE-2024-36610",
      "analysis": {
        "state": "false_positive",
        "detail": "Vulnerability CVE-2024-36610 is a false positive for laravel/framework 5.4.36."
      },
      "affects": [
        {
          "ref": "pkg:composer/laravel/framework@5.4.36"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:076f7b5f-da07-5b68-8515-c80f7fd82cd2",
      "id": "CVE-2024-50345",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2024-50345 affects version 5.4.36 of laravel/framework."
      },
      "affects": [
        {
          "ref": "pkg:composer/laravel/framework@5.4.36"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:a6e53cd9-dae9-5d9a-a82c-a9cb2adff0a6",
      "id": "CVE-2024-51736",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2024-51736 affects version 5.4.36 of laravel/framework."
      },
      "affects": [
        {
          "ref": "pkg:composer/laravel/framework@5.4.36"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:8ac7723b-b461-585e-9ae5-3a5e5629bd36",
      "id": "CVE-2025-22145",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2025-22145 is fixed in version 5.4.36 of laravel/framework."
      },
      "affects": [
        {
          "ref": "pkg:composer/laravel/framework@5.4.36"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:911174fc-2acf-5f59-b760-123d7f566b04",
      "id": "CVE-2025-64500",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2025-64500 affects version 5.4.36 of laravel/framework."
      },
      "affects": [
        {
          "ref": "pkg:composer/laravel/framework@5.4.36"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:044acb83-cd23-5671-98b8-db9b05f4f2fb",
      "id": "CVE-2026-24739",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-24739 affects version 5.4.36 of laravel/framework."
      },
      "affects": [
        {
          "ref": "pkg:composer/laravel/framework@5.4.36"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:27d87dd9-55a3-5e04-aabf-4b0e3a799505",
      "id": "GHSA-5vg9-5847-vvmq",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability GHSA-5vg9-5847-vvmq does not affect version 5.4.36 of laravel/framework. not_affected \u2014 Laravel 5.4.36-p4+tuxcare uses SwiftMailer, not Symfony Mailer. The CVE (GHSA-5vg9-5847-vvmq) is specific to 'how Symfony Mailer and Symfony Mime handle certain character sequences'. SwiftMailer has RFC 2822 grammar validation that should reject CRLF characters in email addresses (except as proper folding whitespace), providing a different defense mechanism than what the Laravel 12.x/13.x patch..."
      },
      "affects": [
        {
          "ref": "pkg:composer/laravel/framework@5.4.36"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:9e3a9238-f48c-5f8a-9697-474cac887af6",
      "id": "GHSA-crmm-hgp2-wgrp",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability GHSA-crmm-hgp2-wgrp does not affect version 5.4.36 of laravel/framework. not_affected \u2014 Laravel 5.4.36 is not affected by GHSA-crmm-hgp2-wgrp. The vulnerability requires the LocalFilesystemAdapter with temporary signed URL support via temporarySignedRoute(), a feature introduced in Laravel 9+. Laravel 5.4 uses FilesystemAdapter which explicitly throws RuntimeException for local storage temporary URLs, stating 'This driver does not support creating temporary URLs.' The vulnerable c..."
      },
      "affects": [
        {
          "ref": "pkg:composer/laravel/framework@5.4.36"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:2960357b-b870-574f-80cd-f177b14e14b2",
      "id": "GHSA-f57v-q966-7fh6",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability GHSA-f57v-q966-7fh6 affects version 5.4.36 of laravel/framework."
      },
      "affects": [
        {
          "ref": "pkg:composer/laravel/framework@5.4.36"
        }
      ]
    }
  ],
  "dependencies": [
    {
      "ref": "pkg:composer/laravel/framework@5.4.36"
    }
  ]
}