{
  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "serialNumber": "urn:uuid:36e6daaf-de43-5f35-9893-805512a8cf63",
  "version": 1,
  "metadata": {
    "tools": [
      {
        "name": "tuxcare-vex-generator",
        "version": "1.0.0"
      }
    ]
  },
  "components": [
    {
      "bom-ref": "pkg:pypi/fastapi@0.104.1",
      "type": "library",
      "name": "fastapi",
      "version": "0.104.1",
      "purl": "pkg:pypi/fastapi@0.104.1"
    }
  ],
  "vulnerabilities": [
    {
      "bom-ref": "urn:uuid:ee8f531c-204f-5410-8a1b-84fc7f5a46b7",
      "id": "CVE-2024-47874",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2024-47874 affects version 0.104.1 of fastapi."
      },
      "affects": [
        {
          "ref": "pkg:pypi/fastapi@0.104.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:d8f7ac1e-b072-577d-8db5-fe057e0181af",
      "id": "CVE-2025-54121",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2025-54121 affects version 0.104.1 of fastapi."
      },
      "affects": [
        {
          "ref": "pkg:pypi/fastapi@0.104.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:0054d9eb-ae63-5289-bdc9-d10c93404be8",
      "id": "CVE-2025-62727",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2025-62727 affects version 0.104.1 of fastapi."
      },
      "affects": [
        {
          "ref": "pkg:pypi/fastapi@0.104.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:1697962a-bb2d-502b-b02e-0d1cc756441f",
      "id": "CVE-2026-48710",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-48710 affects version 0.104.1 of fastapi."
      },
      "affects": [
        {
          "ref": "pkg:pypi/fastapi@0.104.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:e6efd1ce-c85f-5f9c-a055-03675f4d16db",
      "id": "CVE-2026-48817",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2026-48817 does not affect version 0.104.1 of fastapi. FastAPI's own code is not affected by CVE-2026-48817: the vulnerability exists in Starlette's HTTPEndpoint class, which is not present in this repository (Starlette is a dependency, not vendored), not used anywhere in FastAPI's codebase, and not exposed in FastAPI's public API. FastAPI uses its own APIRoute/APIRouter classes with function-based endpoints that do not exhibit the vulnerable method di... [remainder of this detail is truncated in the source]"
      },
      "affects": [
        {
          "ref": "pkg:pypi/fastapi@0.104.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:2739fb06-b1b2-58de-ad9f-66e3f0a035d5",
      "id": "CVE-2026-48818",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2026-48818 does not affect version 0.104.1 of fastapi. FastAPI does not contain the vulnerable code: the CVE-2026-48818 vulnerability exists in Starlette's StaticFiles.lookup_path() implementation, which FastAPI re-exports as a convenience but does not implement or modify. The target repository (FastAPI v0.104.1) only contains a single-line re-export from Starlette and no implementation of the vulnerable code path. This status covers the fastapi package's own code only; because StaticFiles is re-exported from Starlette, the Starlette version installed alongside fastapi has to be assessed separately."
      },
      "affects": [
        {
          "ref": "pkg:pypi/fastapi@0.104.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:fc84f736-dd7e-5944-b765-5678809e2c7c",
      "id": "CVE-2026-54283",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2026-54283 does not affect version 0.104.1 of fastapi. The FastAPI repository itself is not affected by CVE-2026-54283: the vulnerability exists in Starlette's form parsing implementation, not in FastAPI's code. FastAPI does not vendor, bundle, or implement its own form parser; it delegates all form parsing to the Starlette dependency. This status covers the fastapi package's own code only; because form parsing is delegated to Starlette, the Starlette version installed alongside fastapi has to be assessed separately."
      },
      "affects": [
        {
          "ref": "pkg:pypi/fastapi@0.104.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:f33c595c-4d4d-563f-b60b-cbe3c0ec6dd5",
      "id": "GHSA-93gm-qmq6-w238",
      "analysis": {
        "state": "false_positive",
        "detail": "Vulnerability GHSA-93gm-qmq6-w238 is a false positive for fastapi 0.104.1."
      },
      "affects": [
        {
          "ref": "pkg:pypi/fastapi@0.104.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:0d3fa59a-c14b-57fd-b403-1ec078d0d2ab",
      "id": "GHSA-qf9m-vfgh-m389",
      "analysis": {
        "state": "false_positive",
        "detail": "Vulnerability GHSA-qf9m-vfgh-m389 is a false positive for fastapi 0.104.1."
      },
      "affects": [
        {
          "ref": "pkg:pypi/fastapi@0.104.1"
        }
      ]
    }
  ],
  "dependencies": [
    {
      "ref": "pkg:pypi/fastapi@0.104.1"
    }
  ]
}