{
  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "serialNumber": "urn:uuid:47688084-5790-542f-b305-9be1444ef6c0",
  "version": 1,
  "metadata": {
    "tools": [
      {
        "name": "tuxcare-vex-generator",
        "version": "1.0.0"
      }
    ]
  },
  "components": [
    {
      "bom-ref": "pkg:composer/laravel/framework@8.12.1",
      "type": "library",
      "group": "laravel",
      "name": "framework",
      "version": "8.12.1",
      "purl": "pkg:composer/laravel/framework@8.12.1"
    }
  ],
  "vulnerabilities": [
    {
      "bom-ref": "urn:uuid:78cc4df7-b3a4-5f56-9456-fc512ad99219",
      "id": "CVE-2021-43617",
      "analysis": {
        "state": "false_positive",
        "detail": "Vulnerability CVE-2021-43617 is a false positive for laravel/framework 8.12.1. GitHub advisory GHSA-364w-9g92-3grq is withdrawn \u2014 https://github.com/advisories/GHSA-364w-9g92-3grq"
      },
      "affects": [
        {
          "ref": "pkg:composer/laravel/framework@8.12.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:894c81f2-5994-542d-8e41-57632aa4efbf",
      "id": "CVE-2025-46734",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2025-46734 does not affect version 8.12.1 of laravel/framework. not_affected \u2014 Laravel framework is not affected by CVE-2025-46734. While the framework uses league/commonmark as a dependency, it does NOT enable or use the Attributes extension where the XSS vulnerability exists. Laravel only uses the TableExtension in its hardcoded Markdown::parse() method, and there is no mechanism for the vulnerable Attributes extension to be loaded through framework code."
      },
      "affects": [
        {
          "ref": "pkg:composer/laravel/framework@8.12.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:8698ffeb-a1f4-51b9-8183-7281e693977b",
      "id": "CVE-2026-30838",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2026-30838 does not affect version 8.12.1 of laravel/framework. not_affected \u2014 Laravel Framework 8.12.1 uses league/commonmark ^1.3 as a dependency but does NOT use the DisallowedRawHtml extension. CVE-2026-30838 is specific to a regex bypass vulnerability in the DisallowedRawHtml extension. Since Laravel does not use this extension anywhere in its codebase, it is not affected by this vulnerability."
      },
      "affects": [
        {
          "ref": "pkg:composer/laravel/framework@8.12.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:cbf1ac83-2d9b-5ffb-a949-7e7c42fcf331",
      "id": "CVE-2026-33347",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2026-33347 does not affect version 8.12.1 of laravel/framework. CVE-2026-33347 in league/commonmark 1.6.7 is not affected. Refer to league/commonmark 1.6.7 for details."
      },
      "affects": [
        {
          "ref": "pkg:composer/laravel/framework@8.12.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:a434f674-e910-5d04-8120-c1f748c21a0c",
      "id": "GHSA-5vg9-5847-vvmq",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability GHSA-5vg9-5847-vvmq affects version 8.12.1 of laravel/framework."
      },
      "affects": [
        {
          "ref": "pkg:composer/laravel/framework@8.12.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:ec7a6e37-ac26-5bf4-93b3-b9dc2b74656c",
      "id": "GHSA-c2pc-g5qf-rfrf",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability GHSA-c2pc-g5qf-rfrf does not affect version 8.12.1 of laravel/framework. not_affected \u2014 The target repository (laravel/framework 8.12.1-p1+tuxcare) is not affected by GHSA-c2pc-g5qf-rfrf because the vulnerable code (polynomial time complexity in Markdown parsing algorithms) does not exist in this repository. The vulnerability exists in the league/commonmark library (< 2.6.0), which is declared as an external dependency but not vendored/bundled in the Laravel codebase. Laravel's co..."
      },
      "affects": [
        {
          "ref": "pkg:composer/laravel/framework@8.12.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:f394b222-0205-5603-945a-9e27ce7ea9c6",
      "id": "GHSA-crmm-hgp2-wgrp",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability GHSA-crmm-hgp2-wgrp does not affect version 8.12.1 of laravel/framework. not_affected \u2014 Laravel 8.12.1 is not affected by GHSA-crmm-hgp2-wgrp. The vulnerability concerns ambiguous URL parsing in local filesystem temporary signed URLs, but Laravel 8.x does not have the local filesystem signed URL feature. The temporaryUrl() method throws RuntimeException for local storage adapters. This feature was introduced in Laravel 11+/12.x."
      },
      "affects": [
        {
          "ref": "pkg:composer/laravel/framework@8.12.1"
        }
      ]
    }
  ],
  "dependencies": [
    {
      "ref": "pkg:composer/laravel/framework@8.12.1"
    }
  ]
}