{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:de4bdb0f-510f-54a0-b7f6-f80cb3acb226", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:npm/axios@0.18.1", "type": "library", "name": "axios", "version": "0.18.1", "purl": "pkg:npm/axios@0.18.1" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:73d0760f-e8bf-5f1c-8404-9a0cedd88b7d", "id": "CVE-2022-0536", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2022-0536 affects version 0.18.1 of axios." }, "affects": [ { "ref": "pkg:npm/axios@0.18.1" } ] }, { "bom-ref": "urn:uuid:0b6d264d-f11b-590d-95d6-3e83cf971802", "id": "CVE-2024-39338", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-39338 affects version 0.18.1 of axios." }, "affects": [ { "ref": "pkg:npm/axios@0.18.1" } ] }, { "bom-ref": "urn:uuid:31be32b6-b910-54b3-9bb2-bea2381c7124", "id": "CVE-2025-62718", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-62718 affects version 0.18.1 of axios." }, "affects": [ { "ref": "pkg:npm/axios@0.18.1" } ] }, { "bom-ref": "urn:uuid:e3b81024-4189-5b31-aaa3-d94d6fe53c6b", "id": "CVE-2026-39865", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-39865 affects version 0.18.1 of axios." }, "affects": [ { "ref": "pkg:npm/axios@0.18.1" } ] }, { "bom-ref": "urn:uuid:eace8431-5331-5e4f-910c-07b302d50a26", "id": "CVE-2026-40175", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-40175 affects version 0.18.1 of axios." }, "affects": [ { "ref": "pkg:npm/axios@0.18.1" } ] }, { "bom-ref": "urn:uuid:a63f1717-deeb-59f0-8717-9716a4cb0670", "id": "CVE-2026-42033", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-42033 affects version 0.18.1 of axios." }, "affects": [ { "ref": "pkg:npm/axios@0.18.1" } ] }, { "bom-ref": "urn:uuid:1623a853-0e9b-53d7-935d-2aabb812ce20", "id": "CVE-2026-42034", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-42034 affects version 0.18.1 of axios." }, "affects": [ { "ref": "pkg:npm/axios@0.18.1" } ] }, { "bom-ref": "urn:uuid:311ec289-58db-55a3-881f-548141617051", "id": "CVE-2026-42035", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-42035 affects version 0.18.1 of axios." }, "affects": [ { "ref": "pkg:npm/axios@0.18.1" } ] }, { "bom-ref": "urn:uuid:8f8f9241-204b-5161-b5ae-b707e884f1fa", "id": "CVE-2026-42036", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-42036 affects version 0.18.1 of axios." }, "affects": [ { "ref": "pkg:npm/axios@0.18.1" } ] }, { "bom-ref": "urn:uuid:3fe019a5-c638-5e50-82fe-f35c74fabee7", "id": "CVE-2026-42038", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-42038 affects version 0.18.1 of axios." }, "affects": [ { "ref": "pkg:npm/axios@0.18.1" } ] }, { "bom-ref": "urn:uuid:37670aec-143e-5ca3-b3f5-bb83637f18e2", "id": "CVE-2026-42039", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-42039 affects version 0.18.1 of axios." }, "affects": [ { "ref": "pkg:npm/axios@0.18.1" } ] }, { "bom-ref": "urn:uuid:8535232c-beba-594e-94a8-4cd802dc17f7", "id": "CVE-2026-42040", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-42040 affects version 0.18.1 of axios." }, "affects": [ { "ref": "pkg:npm/axios@0.18.1" } ] }, { "bom-ref": "urn:uuid:59df5e66-babf-5525-b289-e7e81ea1d80a", "id": "CVE-2026-42041", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-42041 affects version 0.18.1 of axios." }, "affects": [ { "ref": "pkg:npm/axios@0.18.1" } ] }, { "bom-ref": "urn:uuid:4db3310b-2049-5811-9a32-f22a77d4f9dd", "id": "CVE-2026-42042", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-42042 affects version 0.18.1 of axios." }, "affects": [ { "ref": "pkg:npm/axios@0.18.1" } ] }, { "bom-ref": "urn:uuid:86ca3819-91ba-5373-ba78-a2c86f5c9f5c", "id": "CVE-2026-42043", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-42043 affects version 0.18.1 of axios." }, "affects": [ { "ref": "pkg:npm/axios@0.18.1" } ] }, { "bom-ref": "urn:uuid:e1f826d1-346d-502d-824e-cce727834d29", "id": "CVE-2026-44486", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-44486 does not affect version 0.18.1 of axios. already_fixed \u2014 The target repository already contains the fix for CVE-2026-44486 (Proxy-Authorization header leak on redirect). The fix was backported in commit 806a27b (also 3a086d9 in a backport branch), which implements the exact same defense as vendor commit afca61a070728e717203c2bc21e7b589b59b858b." }, "affects": [ { "ref": "pkg:npm/axios@0.18.1" } ] }, { "bom-ref": "urn:uuid:b561e03e-ce1b-5ec2-a9a9-c439178cff4e", "id": "CVE-2026-44487", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-44487 does not affect version 0.18.1 of axios. already_fixed \u2014 The target repository already contains the fix for CVE-2026-44487 (GHSA-j5f8-grm9-p9fc). The exact vendor commit afca61a070728e717203c2bc21e7b589b59b858b was backported in commit 806a27b as part of CVE-2024-28849 remediation on April 28, 2026. The defense mechanism strips stale Proxy-Authorization headers on redirect re-invocations, preventing credential leakage to unintended recipients." }, "affects": [ { "ref": "pkg:npm/axios@0.18.1" } ] }, { "bom-ref": "urn:uuid:121e2114-7382-5c2f-879a-e8f7b595f350", "id": "CVE-2026-44490", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-44490 affects version 0.18.1 of axios." }, "affects": [ { "ref": "pkg:npm/axios@0.18.1" } ] }, { "bom-ref": "urn:uuid:56dc6f45-37dc-55e9-a0bb-efb9fe6c2b7c", "id": "CVE-2026-44492", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-44492 does not affect version 0.18.1 of axios. not_affected \u2014 The target repository axios v0.18.1-tuxcare.2 does not implement NO_PROXY functionality at all. The vulnerability CVE-2026-44492 is specific to shouldBypassProxy.js (introduced in v1.15.0) which handles NO_PROXY hostname comparison. Since v0.18.1 predates this feature and has no hostname comparison or bypass logic, the vulnerability pattern cannot manifest." }, "affects": [ { "ref": "pkg:npm/axios@0.18.1" } ] }, { "bom-ref": "urn:uuid:70d64aa6-c5f0-5556-a11d-bad965b223c3", "id": "CVE-2026-44496", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-44496 affects version 0.18.1 of axios." }, "affects": [ { "ref": "pkg:npm/axios@0.18.1" } ] }, { "bom-ref": "urn:uuid:45ba221c-28f8-5443-bcd7-0d8639f29526", "id": "GHSA-r4q5-vmmm-2653", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-r4q5-vmmm-2653 affects version 0.18.1 of axios." }, "affects": [ { "ref": "pkg:npm/axios@0.18.1" } ] } ], "dependencies": [ { "ref": "pkg:npm/axios@0.18.1" } ] }