{
  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "serialNumber": "urn:uuid:9c1ca8af-2a67-5e49-9996-1605e55ff08f",
  "version": 1,
  "metadata": {
    "tools": [
      {
        "name": "tuxcare-vex-generator",
        "version": "1.0.0"
      }
    ]
  },
  "components": [
    {
      "bom-ref": "pkg:pypi/aiohttp@3.8.6.post6+tuxcare",
      "type": "library",
      "name": "aiohttp",
      "version": "3.8.6.post6+tuxcare",
      "purl": "pkg:pypi/aiohttp@3.8.6.post6+tuxcare"
    }
  ],
  "vulnerabilities": [
    {
      "bom-ref": "urn:uuid:3270a5ad-74eb-5998-b5d3-a8618a34bb58",
      "id": "CVE-2023-49081",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2023-49081 affects version 3.8.6.post6+tuxcare of aiohttp."
      },
      "affects": [
        {
          "ref": "pkg:pypi/aiohttp@3.8.6.post6+tuxcare"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:63410774-9302-5feb-95bb-a8bc54d9b6bd",
      "id": "CVE-2023-49082",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2023-49082 is fixed in version 3.8.6.post6+tuxcare of aiohttp."
      },
      "affects": [
        {
          "ref": "pkg:pypi/aiohttp@3.8.6.post6+tuxcare"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:fbb0abd9-ae4d-5e20-81e8-09c74a5f14df",
      "id": "CVE-2024-23334",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2024-23334 affects version 3.8.6.post6+tuxcare of aiohttp."
      },
      "affects": [
        {
          "ref": "pkg:pypi/aiohttp@3.8.6.post6+tuxcare"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:6cd1b29b-0c5d-5f66-9c0e-5be9387ccef9",
      "id": "CVE-2024-23829",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2024-23829 affects version 3.8.6.post6+tuxcare of aiohttp."
      },
      "affects": [
        {
          "ref": "pkg:pypi/aiohttp@3.8.6.post6+tuxcare"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:88c182f3-c01f-5288-a238-8268f7aedec7",
      "id": "CVE-2024-27306",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2024-27306 affects version 3.8.6.post6+tuxcare of aiohttp."
      },
      "affects": [
        {
          "ref": "pkg:pypi/aiohttp@3.8.6.post6+tuxcare"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:b1ff4f8b-1042-5039-9bde-153e7c963fb7",
      "id": "CVE-2024-30251",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2024-30251 is fixed in version 3.8.6.post6+tuxcare of aiohttp."
      },
      "affects": [
        {
          "ref": "pkg:pypi/aiohttp@3.8.6.post6+tuxcare"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:50fd3b73-a8fa-5c6f-a8c9-8742db102333",
      "id": "CVE-2024-52304",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2024-52304 affects version 3.8.6.post6+tuxcare of aiohttp."
      },
      "affects": [
        {
          "ref": "pkg:pypi/aiohttp@3.8.6.post6+tuxcare"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:050574c3-3ef3-5be1-b5c6-faaa46a500b1",
      "id": "CVE-2025-53643",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2025-53643 affects version 3.8.6.post6+tuxcare of aiohttp."
      },
      "affects": [
        {
          "ref": "pkg:pypi/aiohttp@3.8.6.post6+tuxcare"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:3de0c766-87f4-5fd0-a30c-0b3fb0ea2479",
      "id": "CVE-2025-69223",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2025-69223 affects version 3.8.6.post6+tuxcare of aiohttp."
      },
      "affects": [
        {
          "ref": "pkg:pypi/aiohttp@3.8.6.post6+tuxcare"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:47519f22-5ba6-5e75-a344-f8f52d3f718c",
      "id": "CVE-2025-69224",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2025-69224 affects version 3.8.6.post6+tuxcare of aiohttp."
      },
      "affects": [
        {
          "ref": "pkg:pypi/aiohttp@3.8.6.post6+tuxcare"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:dd3a270e-9287-5a2b-be8d-c48280492805",
      "id": "CVE-2025-69225",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2025-69225 affects version 3.8.6.post6+tuxcare of aiohttp."
      },
      "affects": [
        {
          "ref": "pkg:pypi/aiohttp@3.8.6.post6+tuxcare"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:513c00f3-827c-5f2c-b5a7-29d76fd4269d",
      "id": "CVE-2025-69226",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2025-69226 affects version 3.8.6.post6+tuxcare of aiohttp."
      },
      "affects": [
        {
          "ref": "pkg:pypi/aiohttp@3.8.6.post6+tuxcare"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:ece83d27-50bc-5e4e-a969-5b23c45da220",
      "id": "CVE-2025-69227",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2025-69227 affects version 3.8.6.post6+tuxcare of aiohttp."
      },
      "affects": [
        {
          "ref": "pkg:pypi/aiohttp@3.8.6.post6+tuxcare"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:86a45a1d-933e-57fc-98f9-c78110958142",
      "id": "CVE-2025-69228",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2025-69228 affects version 3.8.6.post6+tuxcare of aiohttp."
      },
      "affects": [
        {
          "ref": "pkg:pypi/aiohttp@3.8.6.post6+tuxcare"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:d2745d3e-1a18-53ec-968e-3a62eb81a83b",
      "id": "CVE-2025-69229",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2025-69229 affects version 3.8.6.post6+tuxcare of aiohttp."
      },
      "affects": [
        {
          "ref": "pkg:pypi/aiohttp@3.8.6.post6+tuxcare"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:facd2b6e-7b40-5287-b132-673619014af0",
      "id": "CVE-2025-69230",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2025-69230 affects version 3.8.6.post6+tuxcare of aiohttp."
      },
      "affects": [
        {
          "ref": "pkg:pypi/aiohttp@3.8.6.post6+tuxcare"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:fff0296f-00b6-51e2-b72d-a676e445bda0",
      "id": "CVE-2026-22815",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2026-22815 is fixed in version 3.8.6.post6+tuxcare of aiohttp."
      },
      "affects": [
        {
          "ref": "pkg:pypi/aiohttp@3.8.6.post6+tuxcare"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:76f06dab-57e9-5a15-983d-4ffe462206aa",
      "id": "CVE-2026-34513",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2026-34513 is fixed in version 3.8.6.post6+tuxcare of aiohttp."
      },
      "affects": [
        {
          "ref": "pkg:pypi/aiohttp@3.8.6.post6+tuxcare"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:26d67d30-c0ee-56f2-b560-aa9b3f07c6c4",
      "id": "CVE-2026-34514",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2026-34514 is fixed in version 3.8.6.post6+tuxcare of aiohttp."
      },
      "affects": [
        {
          "ref": "pkg:pypi/aiohttp@3.8.6.post6+tuxcare"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:d91d957e-7864-554b-9d1d-c70212006517",
      "id": "CVE-2026-34515",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-34515 affects version 3.8.6.post6+tuxcare of aiohttp."
      },
      "affects": [
        {
          "ref": "pkg:pypi/aiohttp@3.8.6.post6+tuxcare"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:2a4d1c3d-4305-52ea-bfd7-92cae813f6bd",
      "id": "CVE-2026-34516",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2026-34516 is fixed in version 3.8.6.post6+tuxcare of aiohttp."
      },
      "affects": [
        {
          "ref": "pkg:pypi/aiohttp@3.8.6.post6+tuxcare"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:f99f4671-3660-572c-9f74-ee9b36c35d7e",
      "id": "CVE-2026-34517",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2026-34517 is fixed in version 3.8.6.post6+tuxcare of aiohttp."
      },
      "affects": [
        {
          "ref": "pkg:pypi/aiohttp@3.8.6.post6+tuxcare"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:cbcb4a16-46ef-5023-9c1c-abd7cc43dc98",
      "id": "CVE-2026-34518",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2026-34518 is fixed in version 3.8.6.post6+tuxcare of aiohttp."
      },
      "affects": [
        {
          "ref": "pkg:pypi/aiohttp@3.8.6.post6+tuxcare"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:30d02463-443e-57d5-ba24-3f78ea9f91a9",
      "id": "CVE-2026-34519",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2026-34519 is fixed in version 3.8.6.post6+tuxcare of aiohttp."
      },
      "affects": [
        {
          "ref": "pkg:pypi/aiohttp@3.8.6.post6+tuxcare"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:586e8d4a-7142-510d-aaaf-925a6bd95154",
      "id": "CVE-2026-34520",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2026-34520 is fixed in version 3.8.6.post6+tuxcare of aiohttp."
      },
      "affects": [
        {
          "ref": "pkg:pypi/aiohttp@3.8.6.post6+tuxcare"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:77c14a09-d309-5bfb-92ab-549aec37afc8",
      "id": "CVE-2026-34525",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2026-34525 is fixed in version 3.8.6.post6+tuxcare of aiohttp."
      },
      "affects": [
        {
          "ref": "pkg:pypi/aiohttp@3.8.6.post6+tuxcare"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:2a0e1c16-c7c0-599f-9caa-742992602b55",
      "id": "CVE-2026-34993",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-34993 affects version 3.8.6.post6+tuxcare of aiohttp."
      },
      "affects": [
        {
          "ref": "pkg:pypi/aiohttp@3.8.6.post6+tuxcare"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:cf3f1b4c-0f1f-58fe-ac44-b1feba03ecd1",
      "id": "CVE-2026-47265",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2026-47265 is fixed in version 3.8.6.post6+tuxcare of aiohttp."
      },
      "affects": [
        {
          "ref": "pkg:pypi/aiohttp@3.8.6.post6+tuxcare"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:aeb05a59-aa17-5381-9eed-a76f7bfca730",
      "id": "CVE-2026-50269",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-50269 affects version 3.8.6.post6+tuxcare of aiohttp."
      },
      "affects": [
        {
          "ref": "pkg:pypi/aiohttp@3.8.6.post6+tuxcare"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:9e40b4e9-1546-551c-b7d1-fc7ef04cf7ca",
      "id": "CVE-2026-54273",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-54273 affects version 3.8.6.post6+tuxcare of aiohttp."
      },
      "affects": [
        {
          "ref": "pkg:pypi/aiohttp@3.8.6.post6+tuxcare"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:c1f357a8-6276-5f59-815a-eee3185e2260",
      "id": "CVE-2026-54274",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-54274 affects version 3.8.6.post6+tuxcare of aiohttp."
      },
      "affects": [
        {
          "ref": "pkg:pypi/aiohttp@3.8.6.post6+tuxcare"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:542766a7-5849-57ae-80ff-8b0e99cb4fa7",
      "id": "CVE-2026-54275",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2026-54275 does not affect version 3.8.6.post6+tuxcare of aiohttp. not_affected \u2014 CVE-2026-54275 does not affect aiohttp version 3.8.6.post6+tuxcare. The vulnerability requires the per-request server_hostname parameter feature, which was introduced in version 3.9.0 and does not exist in this version."
      },
      "affects": [
        {
          "ref": "pkg:pypi/aiohttp@3.8.6.post6+tuxcare"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:ec6ffb77-b493-5913-948f-c748c18f9ad4",
      "id": "CVE-2026-54276",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2026-54276 does not affect version 3.8.6.post6+tuxcare of aiohttp. not_affected \u2014 The target repository (aiohttp version 3.8.6.post6+tuxcare) does not contain the DigestAuthMiddleware component that is affected by CVE-2026-54276. This feature was introduced in aiohttp version 3.12, but the target runs version 3.8.6. Without DigestAuthMiddleware, the cross-origin credential disclosure vulnerability cannot manifest."
      },
      "affects": [
        {
          "ref": "pkg:pypi/aiohttp@3.8.6.post6+tuxcare"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:6f9ccdce-a03b-5e6b-8259-1c63612390da",
      "id": "CVE-2026-54277",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-54277 affects version 3.8.6.post6+tuxcare of aiohttp."
      },
      "affects": [
        {
          "ref": "pkg:pypi/aiohttp@3.8.6.post6+tuxcare"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:ba98dc38-06ff-53a7-b092-b1af75ae2215",
      "id": "CVE-2026-54278",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-54278 affects version 3.8.6.post6+tuxcare of aiohttp."
      },
      "affects": [
        {
          "ref": "pkg:pypi/aiohttp@3.8.6.post6+tuxcare"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:570a4823-4a3a-56e6-9364-21233de5ba3a",
      "id": "CVE-2026-54279",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-54279 affects version 3.8.6.post6+tuxcare of aiohttp."
      },
      "affects": [
        {
          "ref": "pkg:pypi/aiohttp@3.8.6.post6+tuxcare"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:c54e2eac-fcf1-5736-909b-54f2e8b335ac",
      "id": "CVE-2026-54280",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2026-54280 does not affect version 3.8.6.post6+tuxcare of aiohttp. Version 3.8.6 is not vulnerable. Summary: CVE-2026-54280 does not affect aiohttp version 3.8.6.post6+tuxcare. The vulnerability is specific to versions that have the Payload.close() method (introduced in May 2025), which is absent in this version released in October 2023. The target version uses a different architecture where file-based payloads handle cleanup internally via finally blocks in their write() methods."
      },
      "affects": [
        {
          "ref": "pkg:pypi/aiohttp@3.8.6.post6+tuxcare"
        }
      ]
    }
  ],
  "dependencies": [
    {
      "ref": "pkg:pypi/aiohttp@3.8.6.post6+tuxcare"
    }
  ]
}