{
  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "serialNumber": "urn:uuid:017a4db1-66ee-57f3-9869-8a8480960a88",
  "version": 1,
  "metadata": {
    "tools": [
      {
        "name": "tuxcare-vex-generator",
        "version": "1.0.0"
      }
    ]
  },
  "components": [
    {
      "bom-ref": "pkg:composer/laravel/framework@5.5.50",
      "type": "library",
      "group": "laravel",
      "name": "framework",
      "version": "5.5.50",
      "purl": "pkg:composer/laravel/framework@5.5.50"
    }
  ],
  "vulnerabilities": [
    {
      "bom-ref": "urn:uuid:6f69581e-2934-52ab-8764-4c1a8f79e749",
      "id": "CVE-2018-15133",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2018-15133 does not affect version 5.5.50 of laravel/framework. Summary: the target, Laravel Framework v5.5.50-p2+tuxcare, is not vulnerable to CVE-2018-15133. The X-XSRF-TOKEN decryption feature exists, but the vulnerable code pattern does not. The fix has been properly applied: the decrypt() method is called with false as the second parameter (via static::serialized()), which prevents unsafe deserialization of the X-XSRF-TOKEN header value."
      },
      "affects": [
        {
          "ref": "pkg:composer/laravel/framework@5.5.50"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:2611a1f4-1f4e-52dd-9ab2-8b5f6e662d42",
      "id": "CVE-2019-10913",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2019-10913 does not affect version 5.5.50 of laravel/framework. not_affected \u2014 CVE-2019-10913 affects symfony/http-foundation, not laravel/framework. The vulnerable code exists in the Symfony dependency which is not present in this repository. Laravel's code uses Symfony's HTTP method override functionality but does not contain the vulnerable validation logic itself. The vulnerability would exist in the symfony/http-foundation package installed via Composer, not in Larave..."
      },
      "affects": [
        {
          "ref": "pkg:composer/laravel/framework@5.5.50"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:e5ac2e0a-6b8d-5ad5-b3ec-57d7ce7b5b76",
      "id": "CVE-2019-18887",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2019-18887 does not affect version 5.5.50 of laravel/framework. not_affected \u2014 Laravel 5.5.50 does not use Symfony's UriSigner class and does not have signed URL functionality. The CVE-2019-18887 timing attack vulnerability exists in symfony/http-kernel's UriSigner class, but this component is not utilized by Laravel 5.5's codebase. The framework declares symfony/http-kernel as a dependency but only uses it for exceptions and HttpKernelInterface, not for URI signing opera..."
      },
      "affects": [
        {
          "ref": "pkg:composer/laravel/framework@5.5.50"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:4bffa115-e5ab-5d4e-90ad-545708c708af",
      "id": "CVE-2019-18888",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2019-18888 does not affect version 5.5.50 of laravel/framework. not_affected \u2014 CVE-2019-18888 concerns argument injection in Symfony's MimeTypeGuesser component. The Laravel framework repository declares symfony/http-foundation as an external dependency but does not vendor its source code. The vulnerable MimeTypeGuesser component is not present in the Laravel repository. Laravel's own MIME type handling (Illuminate\\Http\\Testing\\MimeType) uses static extension-to-MIME-type..."
      },
      "affects": [
        {
          "ref": "pkg:composer/laravel/framework@5.5.50"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:3b341485-478d-5a86-8e75-c0d3e46cc8c4",
      "id": "CVE-2021-43503",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2021-43503 is fixed in version 5.5.50 of laravel/framework."
      },
      "affects": [
        {
          "ref": "pkg:composer/laravel/framework@5.5.50"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:94225e83-27bd-5b43-b033-524effe79dda",
      "id": "CVE-2022-24894",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2022-24894 does not affect version 5.5.50 of laravel/framework. not_affected \u2014 Laravel Framework 5.5.50 is not affected by CVE-2022-24894. While Laravel depends on symfony/http-kernel, it does not use Symfony's HttpCache component, which is where the vulnerability exists. Laravel implements its own HTTP kernel and does not cache HTTP responses at all, making the cookie header caching vulnerability impossible to exploit."
      },
      "affects": [
        {
          "ref": "pkg:composer/laravel/framework@5.5.50"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:14d6b4c7-5d74-559e-b995-4558bb4d9af9",
      "id": "CVE-2022-31279",
      "analysis": {
        "state": "false_positive",
        "detail": "Vulnerability CVE-2022-31279 is a false positive for laravel/framework 5.5.50. CVE-2022-31279 was REJECTED/withdrawn by its CNA per NVD: \"DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue.\""
      },
      "affects": [
        {
          "ref": "pkg:composer/laravel/framework@5.5.50"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:5ce4404c-6d5a-50e9-81fd-018f6b268bc7",
      "id": "CVE-2024-28859",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2024-28859 affects version 5.5.50 of laravel/framework."
      },
      "affects": [
        {
          "ref": "pkg:composer/laravel/framework@5.5.50"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:bac8a9fe-2446-596c-9a8f-3046b575fbc5",
      "id": "CVE-2024-50345",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2024-50345 affects version 5.5.50 of laravel/framework."
      },
      "affects": [
        {
          "ref": "pkg:composer/laravel/framework@5.5.50"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:5408a2ac-c538-5f0e-863f-0297cc3da31d",
      "id": "CVE-2024-51736",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2024-51736 affects version 5.5.50 of laravel/framework."
      },
      "affects": [
        {
          "ref": "pkg:composer/laravel/framework@5.5.50"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:a108424e-14ef-5a0b-b150-3d003173752d",
      "id": "CVE-2025-22145",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2025-22145 is fixed in version 5.5.50 of laravel/framework."
      },
      "affects": [
        {
          "ref": "pkg:composer/laravel/framework@5.5.50"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:9bbe4430-6918-5566-b6a5-b7a3f53c3ba4",
      "id": "CVE-2025-64500",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2025-64500 does not affect version 5.5.50 of laravel/framework. already_fixed \u2014 Laravel's routing layer implements a defense mechanism in UriValidator that ensures all paths begin with '/' before route matching, preventing exploitation of the underlying Symfony CVE-2025-64500 vulnerability in Laravel's routing context."
      },
      "affects": [
        {
          "ref": "pkg:composer/laravel/framework@5.5.50"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:0d896b49-e786-55df-b138-947a47913e5d",
      "id": "CVE-2026-24739",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-24739 affects version 5.5.50 of laravel/framework."
      },
      "affects": [
        {
          "ref": "pkg:composer/laravel/framework@5.5.50"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:373cef76-b282-57fb-9b4a-8de2bb0c76e6",
      "id": "CVE-2026-45065",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-45065 affects version 5.5.50 of laravel/framework."
      },
      "affects": [
        {
          "ref": "pkg:composer/laravel/framework@5.5.50"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:20e5e0d9-9760-5244-b58a-9ed5226a8eb7",
      "id": "CVE-2026-48784",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2026-48784 does not affect version 5.5.50 of laravel/framework. not_affected \u2014 CVE-2026-48784 specifically affects Symfony\\Component\\Routing\\Generator\\UrlGenerator::doGenerate() with its incomplete strtr-based dot-segment encoding pattern. Laravel Framework uses its own URL generation implementation (Illuminate\\Routing\\RouteUrlGenerator) that does not use Symfony's UrlGenerator class. While Laravel depends on symfony/routing (~3.3) as declared in composer.json, this depen..."
      },
      "affects": [
        {
          "ref": "pkg:composer/laravel/framework@5.5.50"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:d8fde27d-4f41-5943-8e6b-c5ffa27bfc50",
      "id": "GHSA-5vg9-5847-vvmq",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability GHSA-5vg9-5847-vvmq does not affect version 5.5.50 of laravel/framework. not_affected \u2014 Laravel 5.5.50 uses SwiftMailer v6.3.0, not Symfony Mailer. The advisory explicitly describes a combined vulnerability that requires both Laravel's missing CRLF validation and Symfony Mailer/Mime's specific handling of CRLF characters. Because the target uses a different mail library (SwiftMailer), the specific attack chain described in the advisory cannot be completed."
      },
      "affects": [
        {
          "ref": "pkg:composer/laravel/framework@5.5.50"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:c18a96aa-0b2a-5ea6-b7f6-6ce4e975bb54",
      "id": "GHSA-6jvx-8ch9-j2jr",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability GHSA-6jvx-8ch9-j2jr does not affect version 5.5.50 of laravel/framework. Summary: the target repository (Laravel 5.5.50-p2+tuxcare) is not vulnerable to GHSA-6jvx-8ch9-j2jr (PHP object injection via cookie serialization). The repository has been patched with a mechanism that disables serialization globally, which is more secure than the vendor's original selective fix."
      },
      "affects": [
        {
          "ref": "pkg:composer/laravel/framework@5.5.50"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:51d7db25-819e-5216-8e25-99f73dfbfd7f",
      "id": "GHSA-crmm-hgp2-wgrp",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability GHSA-crmm-hgp2-wgrp affects version 5.5.50 of laravel/framework."
      },
      "affects": [
        {
          "ref": "pkg:composer/laravel/framework@5.5.50"
        }
      ]
    }
  ],
  "dependencies": [
    {
      "ref": "pkg:composer/laravel/framework@5.5.50"
    }
  ]
}