{
  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "serialNumber": "urn:uuid:547b9c25-7ab5-5b4a-91a2-30e689f8c9cc",
  "version": 1,
  "metadata": {
    "tools": [
      {
        "name": "tuxcare-vex-generator",
        "version": "1.0.0"
      }
    ]
  },
  "components": [
    {
      "bom-ref": "pkg:pypi/aiohttp@3.8.6.post5+tuxcare",
      "type": "library",
      "name": "aiohttp",
      "version": "3.8.6.post5+tuxcare",
      "purl": "pkg:pypi/aiohttp@3.8.6.post5+tuxcare"
    }
  ],
  "vulnerabilities": [
    {
      "bom-ref": "urn:uuid:3f60ce3c-05c8-53de-901b-c5a222b9c07a",
      "id": "CVE-2023-49081",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2023-49081 affects version 3.8.6.post5+tuxcare of aiohttp."
      },
      "affects": [
        {
          "ref": "pkg:pypi/aiohttp@3.8.6.post5+tuxcare"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:a01dba13-77d9-5841-8028-454c1973851f",
      "id": "CVE-2023-49082",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2023-49082 is fixed in version 3.8.6.post5+tuxcare of aiohttp."
      },
      "affects": [
        {
          "ref": "pkg:pypi/aiohttp@3.8.6.post5+tuxcare"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:68e99824-5b04-5daf-b1bd-2fe9383c0bb1",
      "id": "CVE-2024-23334",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2024-23334 affects version 3.8.6.post5+tuxcare of aiohttp."
      },
      "affects": [
        {
          "ref": "pkg:pypi/aiohttp@3.8.6.post5+tuxcare"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:932fce01-b68b-5afe-862e-cfa87d1dc885",
      "id": "CVE-2024-23829",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2024-23829 affects version 3.8.6.post5+tuxcare of aiohttp."
      },
      "affects": [
        {
          "ref": "pkg:pypi/aiohttp@3.8.6.post5+tuxcare"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:227cbaf3-5e10-58d6-87d1-a65389ee8bb0",
      "id": "CVE-2024-27306",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2024-27306 affects version 3.8.6.post5+tuxcare of aiohttp."
      },
      "affects": [
        {
          "ref": "pkg:pypi/aiohttp@3.8.6.post5+tuxcare"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:2d339766-4df5-56c9-a933-49c0ece3794a",
      "id": "CVE-2024-30251",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2024-30251 is fixed in version 3.8.6.post5+tuxcare of aiohttp."
      },
      "affects": [
        {
          "ref": "pkg:pypi/aiohttp@3.8.6.post5+tuxcare"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:0aeee880-8414-5078-99f6-c6aeab3d211e",
      "id": "CVE-2024-52304",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2024-52304 affects version 3.8.6.post5+tuxcare of aiohttp."
      },
      "affects": [
        {
          "ref": "pkg:pypi/aiohttp@3.8.6.post5+tuxcare"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:97330b33-8821-5cab-a451-10c1ba30ac59",
      "id": "CVE-2025-53643",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2025-53643 affects version 3.8.6.post5+tuxcare of aiohttp."
      },
      "affects": [
        {
          "ref": "pkg:pypi/aiohttp@3.8.6.post5+tuxcare"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:34546da9-b28b-5588-a10f-110dd3ea2f03",
      "id": "CVE-2025-69223",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2025-69223 affects version 3.8.6.post5+tuxcare of aiohttp."
      },
      "affects": [
        {
          "ref": "pkg:pypi/aiohttp@3.8.6.post5+tuxcare"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:1f0a3b36-deca-53d7-8f0e-d8d74040fa99",
      "id": "CVE-2025-69224",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2025-69224 affects version 3.8.6.post5+tuxcare of aiohttp."
      },
      "affects": [
        {
          "ref": "pkg:pypi/aiohttp@3.8.6.post5+tuxcare"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:51b23eef-927a-5632-94af-b40bb48a331d",
      "id": "CVE-2025-69225",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2025-69225 affects version 3.8.6.post5+tuxcare of aiohttp."
      },
      "affects": [
        {
          "ref": "pkg:pypi/aiohttp@3.8.6.post5+tuxcare"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:d5902f83-ff24-5979-b836-da36b9d2f46a",
      "id": "CVE-2025-69226",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2025-69226 affects version 3.8.6.post5+tuxcare of aiohttp."
      },
      "affects": [
        {
          "ref": "pkg:pypi/aiohttp@3.8.6.post5+tuxcare"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:9de7b7f4-6527-5c81-aeb1-97feaf7f3a5f",
      "id": "CVE-2025-69227",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2025-69227 affects version 3.8.6.post5+tuxcare of aiohttp."
      },
      "affects": [
        {
          "ref": "pkg:pypi/aiohttp@3.8.6.post5+tuxcare"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:2a2a134c-5879-5562-8e4a-4302faebf6c9",
      "id": "CVE-2025-69228",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2025-69228 affects version 3.8.6.post5+tuxcare of aiohttp."
      },
      "affects": [
        {
          "ref": "pkg:pypi/aiohttp@3.8.6.post5+tuxcare"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:e540434b-1dc0-58a8-8708-1efabbbc56db",
      "id": "CVE-2025-69229",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2025-69229 affects version 3.8.6.post5+tuxcare of aiohttp."
      },
      "affects": [
        {
          "ref": "pkg:pypi/aiohttp@3.8.6.post5+tuxcare"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:bb65e2e9-f2b6-55b4-8a49-909fc89727d0",
      "id": "CVE-2025-69230",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2025-69230 affects version 3.8.6.post5+tuxcare of aiohttp."
      },
      "affects": [
        {
          "ref": "pkg:pypi/aiohttp@3.8.6.post5+tuxcare"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:e2ad6b71-ec05-5259-8067-2a49f83b990b",
      "id": "CVE-2026-22815",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2026-22815 is fixed in version 3.8.6.post5+tuxcare of aiohttp."
      },
      "affects": [
        {
          "ref": "pkg:pypi/aiohttp@3.8.6.post5+tuxcare"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:b11c6746-2c1f-5816-af89-ff33dc5039e0",
      "id": "CVE-2026-34513",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2026-34513 is fixed in version 3.8.6.post5+tuxcare of aiohttp."
      },
      "affects": [
        {
          "ref": "pkg:pypi/aiohttp@3.8.6.post5+tuxcare"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:303fc95d-c8df-5dd1-bdd4-01975c59be39",
      "id": "CVE-2026-34514",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2026-34514 is fixed in version 3.8.6.post5+tuxcare of aiohttp."
      },
      "affects": [
        {
          "ref": "pkg:pypi/aiohttp@3.8.6.post5+tuxcare"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:f7c222df-3278-5c48-9246-c82c9feeba2d",
      "id": "CVE-2026-34515",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-34515 affects version 3.8.6.post5+tuxcare of aiohttp."
      },
      "affects": [
        {
          "ref": "pkg:pypi/aiohttp@3.8.6.post5+tuxcare"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:fad686e0-e1f8-505b-a383-31e927cf3c6c",
      "id": "CVE-2026-34516",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2026-34516 is fixed in version 3.8.6.post5+tuxcare of aiohttp."
      },
      "affects": [
        {
          "ref": "pkg:pypi/aiohttp@3.8.6.post5+tuxcare"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:f4b29e64-995a-5374-a550-27c66e5c3f5e",
      "id": "CVE-2026-34517",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2026-34517 is fixed in version 3.8.6.post5+tuxcare of aiohttp."
      },
      "affects": [
        {
          "ref": "pkg:pypi/aiohttp@3.8.6.post5+tuxcare"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:6dce131c-64dd-5ce1-a4ae-a1b9789d20ca",
      "id": "CVE-2026-34518",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2026-34518 is fixed in version 3.8.6.post5+tuxcare of aiohttp."
      },
      "affects": [
        {
          "ref": "pkg:pypi/aiohttp@3.8.6.post5+tuxcare"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:78dbf8c4-48d3-5e92-b7d7-514e262f4bc6",
      "id": "CVE-2026-34519",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2026-34519 is fixed in version 3.8.6.post5+tuxcare of aiohttp."
      },
      "affects": [
        {
          "ref": "pkg:pypi/aiohttp@3.8.6.post5+tuxcare"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:de146ea2-5066-5782-a3ea-4baf0a9880a1",
      "id": "CVE-2026-34520",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2026-34520 is fixed in version 3.8.6.post5+tuxcare of aiohttp."
      },
      "affects": [
        {
          "ref": "pkg:pypi/aiohttp@3.8.6.post5+tuxcare"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:373f3ae2-5365-5551-aa46-594a862bdfe0",
      "id": "CVE-2026-34525",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2026-34525 is fixed in version 3.8.6.post5+tuxcare of aiohttp."
      },
      "affects": [
        {
          "ref": "pkg:pypi/aiohttp@3.8.6.post5+tuxcare"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:b11ef170-8be8-53d0-ae55-33096d06f46e",
      "id": "CVE-2026-34993",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-34993 affects version 3.8.6.post5+tuxcare of aiohttp."
      },
      "affects": [
        {
          "ref": "pkg:pypi/aiohttp@3.8.6.post5+tuxcare"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:cbc4406a-557b-5229-9056-bcd954b1c1a3",
      "id": "CVE-2026-47265",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-47265 affects version 3.8.6.post5+tuxcare of aiohttp."
      },
      "affects": [
        {
          "ref": "pkg:pypi/aiohttp@3.8.6.post5+tuxcare"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:d02f56fc-7e8d-5ad2-b484-b8981ae18a48",
      "id": "CVE-2026-50269",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-50269 affects version 3.8.6.post5+tuxcare of aiohttp."
      },
      "affects": [
        {
          "ref": "pkg:pypi/aiohttp@3.8.6.post5+tuxcare"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:1e9a907f-dd08-5d4a-9bbd-be3a06b1380c",
      "id": "CVE-2026-54273",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-54273 affects version 3.8.6.post5+tuxcare of aiohttp."
      },
      "affects": [
        {
          "ref": "pkg:pypi/aiohttp@3.8.6.post5+tuxcare"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:9392a008-89df-5ff6-a870-f8dd90bd4e30",
      "id": "CVE-2026-54274",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-54274 affects version 3.8.6.post5+tuxcare of aiohttp."
      },
      "affects": [
        {
          "ref": "pkg:pypi/aiohttp@3.8.6.post5+tuxcare"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:9f323e3c-e5b5-56e7-9d45-51f5abea7bcb",
      "id": "CVE-2026-54275",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2026-54275 does not affect version 3.8.6.post5+tuxcare of aiohttp. not_affected \u2014 CVE-2026-54275 does not affect aiohttp version 3.8.6.post6+tuxcare. The vulnerability requires the per-request server_hostname parameter feature, which was introduced in version 3.9.0 and does not exist in this version."
      },
      "affects": [
        {
          "ref": "pkg:pypi/aiohttp@3.8.6.post5+tuxcare"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:2a49451c-d7ac-511d-bdc0-34aa40d4e116",
      "id": "CVE-2026-54276",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2026-54276 does not affect version 3.8.6.post5+tuxcare of aiohttp. not_affected \u2014 The target repository (aiohttp version 3.8.6.post6+tuxcare) does not contain the DigestAuthMiddleware component that is affected by CVE-2026-54276. This feature was introduced in aiohttp version 3.12, but the target runs version 3.8.6. Without DigestAuthMiddleware, the cross-origin credential disclosure vulnerability cannot manifest."
      },
      "affects": [
        {
          "ref": "pkg:pypi/aiohttp@3.8.6.post5+tuxcare"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:fecf7e3f-a67c-5e07-892b-1d96147ac8e8",
      "id": "CVE-2026-54277",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-54277 affects version 3.8.6.post5+tuxcare of aiohttp."
      },
      "affects": [
        {
          "ref": "pkg:pypi/aiohttp@3.8.6.post5+tuxcare"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:8a3dd544-21c8-52d7-90b0-3525c76378f8",
      "id": "CVE-2026-54278",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-54278 affects version 3.8.6.post5+tuxcare of aiohttp."
      },
      "affects": [
        {
          "ref": "pkg:pypi/aiohttp@3.8.6.post5+tuxcare"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:103dc50f-2e3a-5728-942d-53e3c11a03c7",
      "id": "CVE-2026-54279",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-54279 affects version 3.8.6.post5+tuxcare of aiohttp."
      },
      "affects": [
        {
          "ref": "pkg:pypi/aiohttp@3.8.6.post5+tuxcare"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:d71db426-f2a5-54cb-8834-d395e1ae2e3a",
      "id": "CVE-2026-54280",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2026-54280 does not affect version 3.8.6.post5+tuxcare of aiohttp. Version 3.8.6 is not vulnerable. Summary: CVE-2026-54280 does not affect aiohttp version 3.8.6.post6+tuxcare. The vulnerability is specific to versions that have the Payload.close() method (introduced in May 2025), which is absent in this version released in October 2023. The target version uses a different architecture where file-based payloads handle cleanup internally via finally blocks in their write() methods."
      },
      "affects": [
        {
          "ref": "pkg:pypi/aiohttp@3.8.6.post5+tuxcare"
        }
      ]
    }
  ],
  "dependencies": [
    {
      "ref": "pkg:pypi/aiohttp@3.8.6.post5+tuxcare"
    }
  ]
}