{
  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "serialNumber": "urn:uuid:53f35282-5fc9-5c44-a51c-4949ae450f01",
  "version": 1,
  "metadata": {
    "tools": [
      {
        "name": "tuxcare-vex-generator",
        "version": "1.0.0"
      }
    ]
  },
  "components": [
    {
      "bom-ref": "pkg:composer/laravel/framework@5.6.40",
      "type": "library",
      "group": "laravel",
      "name": "framework",
      "version": "5.6.40",
      "purl": "pkg:composer/laravel/framework@5.6.40"
    }
  ],
  "vulnerabilities": [
    {
      "bom-ref": "urn:uuid:ad558ce3-005f-5256-a83c-4152d8007299",
      "id": "CVE-2019-10913",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2019-10913 does not affect version 5.6.40 of laravel/framework. already_fixed \u2014 The target repository (laravel/framework 5.6.40-p1+tuxcare) vendors Symfony http-foundation v4.4.49, which contains the fix for CVE-2019-10913. The fix validates HTTP method override values using the regex /^[A-Z]++$/D and rejects invalid methods by throwing SuspiciousOperationException. Laravel inherits this protection directly from Symfony's Request::getMethod() without overriding it. This assessment is based on the 5.6.40-p1+tuxcare build and the http-foundation v4.4.49 it vendors."
      },
      "affects": [
        {
          "ref": "pkg:composer/laravel/framework@5.6.40"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:707acaf7-bf22-5f63-abc1-7c7a8c814a27",
      "id": "CVE-2019-18887",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2019-18887 does not affect version 5.6.40 of laravel/framework. already_fixed \u2014 Laravel Framework 5.6.40 already contains the fix for CVE-2019-18887. Its URL signature validation compares signatures in constant time via hash_equals() to prevent timing attacks; this comparison was added in commit e29b33fe66 on March 20, 2018."
      },
      "affects": [
        {
          "ref": "pkg:composer/laravel/framework@5.6.40"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:a1375ca0-c2a3-59a8-818b-53ce9c4cc8f3",
      "id": "CVE-2019-18888",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2019-18888 does not affect version 5.6.40 of laravel/framework. already_fixed \u2014 CVE-2019-18888 (argument injection in MimeTypeGuesser) is already fixed in the target repository. Both Symfony FileBinaryMimeTypeGuesser implementations contain the protection that prepends './' to filenames starting with '-', preventing argument injection when calling the external 'file' command."
      },
      "affects": [
        {
          "ref": "pkg:composer/laravel/framework@5.6.40"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:e0a4eb81-0802-5280-af52-a87a02a2e930",
      "id": "CVE-2021-43503",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2021-43503 is fixed in version 5.6.40 of laravel/framework."
      },
      "affects": [
        {
          "ref": "pkg:composer/laravel/framework@5.6.40"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:89d55146-0a02-508f-b84b-9b139d2556a2",
      "id": "CVE-2021-43617",
      "analysis": {
        "state": "false_positive",
        "detail": "Vulnerability CVE-2021-43617 is a false positive for laravel/framework 5.6.40. GitHub advisory GHSA-364w-9g92-3grq is withdrawn \u2014 https://github.com/advisories/GHSA-364w-9g92-3grq"
      },
      "affects": [
        {
          "ref": "pkg:composer/laravel/framework@5.6.40"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:8ca5547b-17e4-5275-9aae-ce37ed2cd079",
      "id": "CVE-2022-24894",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2022-24894 does not affect version 5.6.40 of laravel/framework. not_affected \u2014 Laravel framework does not use Symfony's HttpCache component. While CVE-2022-24894 affects the symfony/http-kernel package (a Laravel dependency), the vulnerable HttpCache functionality is not utilized by Laravel's architecture. Laravel only uses Symfony's HttpKernelInterface and exception classes, not the HttpCache reverse proxy caching component."
      },
      "affects": [
        {
          "ref": "pkg:composer/laravel/framework@5.6.40"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:8ad137e5-c1d1-54ae-bfb7-35344a88e835",
      "id": "CVE-2022-31279",
      "analysis": {
        "state": "false_positive",
        "detail": "Vulnerability CVE-2022-31279 is a false positive for laravel/framework 5.6.40. CVE-2022-31279 was REJECTED/withdrawn by its CNA per NVD: \"DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue.\""
      },
      "affects": [
        {
          "ref": "pkg:composer/laravel/framework@5.6.40"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:c0acec0e-0e16-580f-bb5b-db0071a92f03",
      "id": "CVE-2024-28859",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2024-28859 affects version 5.6.40 of laravel/framework."
      },
      "affects": [
        {
          "ref": "pkg:composer/laravel/framework@5.6.40"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:1ae8c4cc-796f-544e-889a-6a8637e13e61",
      "id": "CVE-2024-36610",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2024-36610 is fixed in version 5.6.40 of laravel/framework."
      },
      "affects": [
        {
          "ref": "pkg:composer/laravel/framework@5.6.40"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:be78282b-eb74-5b10-ad68-12886b900e1b",
      "id": "CVE-2024-50345",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2024-50345 affects version 5.6.40 of laravel/framework."
      },
      "affects": [
        {
          "ref": "pkg:composer/laravel/framework@5.6.40"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:6ac19778-0092-5b2c-955f-581e4678aaa4",
      "id": "CVE-2024-51736",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2024-51736 affects version 5.6.40 of laravel/framework."
      },
      "affects": [
        {
          "ref": "pkg:composer/laravel/framework@5.6.40"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:62fda7c0-e6dd-5023-8d33-8809fdea1ecc",
      "id": "CVE-2025-22145",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2025-22145 is fixed in version 5.6.40 of laravel/framework."
      },
      "affects": [
        {
          "ref": "pkg:composer/laravel/framework@5.6.40"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:b5b80b78-1da3-576e-8737-029c6828d463",
      "id": "CVE-2025-64500",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2025-64500 affects version 5.6.40 of laravel/framework."
      },
      "affects": [
        {
          "ref": "pkg:composer/laravel/framework@5.6.40"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:1cbc0989-dc69-5543-a6c9-2a91cac22990",
      "id": "CVE-2026-24739",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-24739 affects version 5.6.40 of laravel/framework."
      },
      "affects": [
        {
          "ref": "pkg:composer/laravel/framework@5.6.40"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:397865fd-4fb8-5ccc-802e-c781eac3f5fa",
      "id": "CVE-2026-45065",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-45065 affects version 5.6.40 of laravel/framework."
      },
      "affects": [
        {
          "ref": "pkg:composer/laravel/framework@5.6.40"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:a6c5ded4-b98b-5c24-acaa-c92e00945725",
      "id": "CVE-2026-48784",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2026-48784 does not affect version 5.6.40 of laravel/framework. not_affected \u2014 The vulnerable code pattern exists in vendored Symfony routing (vendor/symfony/routing/Generator/UrlGenerator.php lines 223-228), but Laravel's architecture uses its own URL generation implementation that does not have the vulnerability. No execution path connects user input to Symfony's vulnerable doGenerate() method."
      },
      "affects": [
        {
          "ref": "pkg:composer/laravel/framework@5.6.40"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:9df327fd-cc1c-587b-be06-26795fb7a6d2",
      "id": "GHSA-5vg9-5847-vvmq",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability GHSA-5vg9-5847-vvmq does not affect version 5.6.40 of laravel/framework. not_affected \u2014 Laravel 5.6.40-p1+tuxcare uses SwiftMailer 6.3.0, not the Symfony Mailer targeted by GHSA-5vg9-5847-vvmq. The Egulias EmailValidator used by SwiftMailer provides CRLF validation that prevents the vulnerability pattern from manifesting."
      },
      "affects": [
        {
          "ref": "pkg:composer/laravel/framework@5.6.40"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:86d7dc39-51ba-50d9-be82-ef6d5f2f80b4",
      "id": "GHSA-crmm-hgp2-wgrp",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability GHSA-crmm-hgp2-wgrp does not affect version 5.6.40 of laravel/framework. not_affected \u2014 Laravel 5.6.40 has neither the vulnerable LocalFilesystemAdapter class nor signed URL generation for the local filesystem. The feature was introduced in Laravel 11+ (September 2024), years after this version. The FilesystemAdapter.temporaryUrl() method explicitly throws RuntimeException for local adapters \u2014 the feature is unsupported."
      },
      "affects": [
        {
          "ref": "pkg:composer/laravel/framework@5.6.40"
        }
      ]
    }
  ],
  "dependencies": [
    {
      "ref": "pkg:composer/laravel/framework@5.6.40"
    }
  ]
}