{
  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "serialNumber": "urn:uuid:96a8cc4b-cff8-51b2-8793-efa150677619",
  "version": 1,
  "metadata": {
    "tools": [
      {
        "name": "tuxcare-vex-generator",
        "version": "1.0.0"
      }
    ]
  },
  "components": [
    {
      "bom-ref": "pkg:composer/laravel/framework@8.12.0",
      "type": "library",
      "group": "laravel",
      "name": "framework",
      "version": "8.12.0",
      "purl": "pkg:composer/laravel/framework@8.12.0"
    }
  ],
  "vulnerabilities": [
    {
      "bom-ref": "urn:uuid:472d7eb1-a53c-52fd-91d3-6a5b1e337541",
      "id": "CVE-2021-43617",
      "analysis": {
        "state": "false_positive",
        "detail": "Vulnerability CVE-2021-43617 is a false positive for laravel/framework 8.12.0. GitHub advisory GHSA-364w-9g92-3grq is withdrawn \u2014 https://github.com/advisories/GHSA-364w-9g92-3grq"
      },
      "affects": [
        {
          "ref": "pkg:composer/laravel/framework@8.12.0"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:b3d85764-5eb2-5eb6-a450-82a7de869a64",
      "id": "CVE-2025-46734",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2025-46734 does not affect version 8.12.0 of laravel/framework. Laravel Framework is not affected by CVE-2025-46734. While Laravel depends on league/commonmark, it does not use the vulnerable Attributes extension. The XSS vulnerability exists in the Attributes extension, but Laravel only enables the TableExtension in its Markdown processing. The vulnerable code path is never executed in Laravel's implementation."
      },
      "affects": [
        {
          "ref": "pkg:composer/laravel/framework@8.12.0"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:438c9a6f-8cec-5e8e-80bc-a183a65d18b4",
      "id": "CVE-2026-30838",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2026-30838 does not affect version 8.12.0 of laravel/framework. CVE-2026-30838 describes a regex bypass vulnerability in the league/commonmark DisallowedRawHtml extension. Laravel framework depends on league/commonmark but does not use the DisallowedRawHtml extension at all. The vulnerable code path (the extension's tag-recognition regex) is never executed in Laravel's markdown processing. Therefore, the specific vulnerability does not affect this codebase."
      },
      "affects": [
        {
          "ref": "pkg:composer/laravel/framework@8.12.0"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:cf8503ce-3b77-5203-9147-6a75401d832c",
      "id": "CVE-2026-33347",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2026-33347 does not affect version 8.12.0 of laravel/framework. league/commonmark 1.6.7 is not affected by CVE-2026-33347. Refer to league/commonmark 1.6.7 for details."
      },
      "affects": [
        {
          "ref": "pkg:composer/laravel/framework@8.12.0"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:9e91cd58-e963-5434-a602-73eefaba221a",
      "id": "GHSA-5vg9-5847-vvmq",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability GHSA-5vg9-5847-vvmq does not affect version 8.12.0 of laravel/framework. Laravel 8.12.0 uses SwiftMailer as its mail transport library, while GHSA-5vg9-5847-vvmq specifically targets a vulnerability in the combination of Laravel's email validation with Symfony Mailer and Symfony Mime (used in Laravel 9+). The patches exclusively modify Symfony Mailer code paths that do not exist in Laravel 8.x. No backports have been issued for SwiftMailer-based Laravel versions (6...."
      },
      "affects": [
        {
          "ref": "pkg:composer/laravel/framework@8.12.0"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:f7e82e80-79ce-5c34-b7bc-725ea6a7cbe8",
      "id": "GHSA-c2pc-g5qf-rfrf",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability GHSA-c2pc-g5qf-rfrf does not affect version 8.12.0 of laravel/framework. GHSA-c2pc-g5qf-rfrf is a polynomial time complexity vulnerability in league/commonmark (fixed in v2.6.0). The target repository (laravel/framework v8.12.0-p3+tuxcare) declares league/commonmark ^1.3 as a Composer dependency but does not contain any league/commonmark source code. The vulnerable parsing algorithms exist only in the external league/commonmark library, not in Laravel's codebase. Th..."
      },
      "affects": [
        {
          "ref": "pkg:composer/laravel/framework@8.12.0"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:938b6c95-0c7c-5c1f-8642-a842e663b085",
      "id": "GHSA-crmm-hgp2-wgrp",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability GHSA-crmm-hgp2-wgrp does not affect version 8.12.0 of laravel/framework. Laravel 8.12.0-p3+tuxcare does not have the vulnerable LocalFilesystemAdapter class or local filesystem temporary URL generation feature. The vulnerability exists in Laravel 11+ where LocalFilesystemAdapter was introduced. The target version uses FilesystemAdapter which explicitly rejects temporary URL generation for local filesystem adapters with a RuntimeException."
      },
      "affects": [
        {
          "ref": "pkg:composer/laravel/framework@8.12.0"
        }
      ]
    }
  ],
  "dependencies": [
    {
      "ref": "pkg:composer/laravel/framework@8.12.0"
    }
  ]
}