{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:69cce71b-ed0a-5c92-af1e-25fa0fba7f74", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:npm/axios@0.18.1-tuxcare.1", "type": "library", "name": "axios", "version": "0.18.1-tuxcare.1", "purl": "pkg:npm/axios@0.18.1-tuxcare.1" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:1cfa06ca-f645-57a3-aa4e-a19bc30d235b", "id": "CVE-2020-28168", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2020-28168 is fixed in version 0.18.1-tuxcare.1 of axios." }, "affects": [ { "ref": "pkg:npm/axios@0.18.1-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:68321e71-7d59-563c-b22e-24845d196f95", "id": "CVE-2021-3749", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2021-3749 is fixed in version 0.18.1-tuxcare.1 of axios." }, "affects": [ { "ref": "pkg:npm/axios@0.18.1-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:13f72810-3166-5241-b507-dd11cbe6e75c", "id": "CVE-2022-0155", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2022-0155 affects version 0.18.1-tuxcare.1 of axios." }, "affects": [ { "ref": "pkg:npm/axios@0.18.1-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:576e86ae-6351-5b88-8045-139770638481", "id": "CVE-2022-0536", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2022-0536 affects version 0.18.1-tuxcare.1 of axios." }, "affects": [ { "ref": "pkg:npm/axios@0.18.1-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:6ca01c25-91e7-560f-b4b1-660f9fa83134", "id": "CVE-2023-26159", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2023-26159 affects version 0.18.1-tuxcare.1 of axios." }, "affects": [ { "ref": "pkg:npm/axios@0.18.1-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:b737ebd9-4690-5f4c-912b-aaa39690fbb4", "id": "CVE-2023-45857", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2023-45857 is fixed in version 0.18.1-tuxcare.1 of axios." }, "affects": [ { "ref": "pkg:npm/axios@0.18.1-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:c1398693-8061-52d8-8599-5ad1275be916", "id": "CVE-2024-28849", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-28849 affects version 0.18.1-tuxcare.1 of axios." }, "affects": [ { "ref": "pkg:npm/axios@0.18.1-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:67385895-efab-5b59-bb83-9cc337c04df7", "id": "CVE-2024-39338", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-39338 affects version 0.18.1-tuxcare.1 of axios." }, "affects": [ { "ref": "pkg:npm/axios@0.18.1-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:9ccf0036-8d9e-5693-a529-9bda4019f288", "id": "CVE-2025-27152", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-27152 is fixed in version 0.18.1-tuxcare.1 of axios." }, "affects": [ { "ref": "pkg:npm/axios@0.18.1-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:54d5ddb7-a8b6-57b1-957f-e629d489338a", "id": "CVE-2025-58754", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-58754 is fixed in version 0.18.1-tuxcare.1 of axios." }, "affects": [ { "ref": "pkg:npm/axios@0.18.1-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:2f65c99d-8b06-50c6-8de1-00bcf602c3ad", "id": "CVE-2025-62718", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-62718 affects version 0.18.1-tuxcare.1 of axios." }, "affects": [ { "ref": "pkg:npm/axios@0.18.1-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:e10544c4-8441-5bd0-98e2-4c777d9f9ffd", "id": "CVE-2026-25639", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-25639 affects version 0.18.1-tuxcare.1 of axios." }, "affects": [ { "ref": "pkg:npm/axios@0.18.1-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:571f6f19-b957-5478-a641-06e34ce6cb9e", "id": "CVE-2026-39865", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-39865 affects version 0.18.1-tuxcare.1 of axios." }, "affects": [ { "ref": "pkg:npm/axios@0.18.1-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:7356e815-3035-544c-9e2a-49e42f9e8c44", "id": "CVE-2026-40175", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-40175 affects version 0.18.1-tuxcare.1 of axios." }, "affects": [ { "ref": "pkg:npm/axios@0.18.1-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:23a93503-7822-5bd0-a8df-8f33f571e510", "id": "CVE-2026-42033", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-42033 affects version 0.18.1-tuxcare.1 of axios." }, "affects": [ { "ref": "pkg:npm/axios@0.18.1-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:53723fbd-f960-5268-a24b-19dc06af1e1a", "id": "CVE-2026-42034", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-42034 affects version 0.18.1-tuxcare.1 of axios." }, "affects": [ { "ref": "pkg:npm/axios@0.18.1-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:24cba6e8-047b-500b-8c25-6b7456d29b22", "id": "CVE-2026-42035", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-42035 affects version 0.18.1-tuxcare.1 of axios." }, "affects": [ { "ref": "pkg:npm/axios@0.18.1-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:da0cd879-2954-5612-9f01-53f8abfd61d3", "id": "CVE-2026-42036", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-42036 affects version 0.18.1-tuxcare.1 of axios." }, "affects": [ { "ref": "pkg:npm/axios@0.18.1-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:93a47275-7420-505f-9fe3-b441dfbcd35b", "id": "CVE-2026-42038", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-42038 affects version 0.18.1-tuxcare.1 of axios." }, "affects": [ { "ref": "pkg:npm/axios@0.18.1-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:32a2e39f-a046-585c-86ec-ca412af5739c", "id": "CVE-2026-42039", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-42039 affects version 0.18.1-tuxcare.1 of axios." }, "affects": [ { "ref": "pkg:npm/axios@0.18.1-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:84c8b103-49d0-5f1d-a8eb-2378ca91c319", "id": "CVE-2026-42040", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-42040 affects version 0.18.1-tuxcare.1 of axios." }, "affects": [ { "ref": "pkg:npm/axios@0.18.1-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:0d7c263c-a4d3-58cf-a942-592acf5b2e56", "id": "CVE-2026-42041", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-42041 affects version 0.18.1-tuxcare.1 of axios." }, "affects": [ { "ref": "pkg:npm/axios@0.18.1-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:b8a93818-3b51-5c25-8f6d-6e7325d86513", "id": "CVE-2026-42042", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-42042 affects version 0.18.1-tuxcare.1 of axios." }, "affects": [ { "ref": "pkg:npm/axios@0.18.1-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:7b859828-fb0d-5e6c-8b5d-bb0d48b40888", "id": "CVE-2026-42043", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-42043 affects version 0.18.1-tuxcare.1 of axios." }, "affects": [ { "ref": "pkg:npm/axios@0.18.1-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:576c7147-da82-59fe-9146-5a2207d4a502", "id": "CVE-2026-44486", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-44486 does not affect version 0.18.1-tuxcare.1 of axios. already_fixed \u2014 The target repository already contains the fix for CVE-2026-44486 (Proxy-Authorization header leak on redirect). The fix was backported in commit 806a27b (also 3a086d9 in a backport branch), which implements the exact same defense as vendor commit afca61a070728e717203c2bc21e7b589b59b858b." }, "affects": [ { "ref": "pkg:npm/axios@0.18.1-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:87ab5ab2-8f72-5685-8ded-0410021f096a", "id": "CVE-2026-44487", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-44487 does not affect version 0.18.1-tuxcare.1 of axios. already_fixed \u2014 The target repository already contains the fix for CVE-2026-44487 (GHSA-j5f8-grm9-p9fc). The exact vendor commit afca61a070728e717203c2bc21e7b589b59b858b was backported in commit 806a27b as part of CVE-2024-28849 remediation on April 28, 2026. The defense mechanism strips stale Proxy-Authorization headers on redirect re-invocations, preventing credential leakage to unintended recipients." }, "affects": [ { "ref": "pkg:npm/axios@0.18.1-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:06c9d18f-5ae8-5fed-a1ab-b549d22348ba", "id": "CVE-2026-44490", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-44490 affects version 0.18.1-tuxcare.1 of axios." }, "affects": [ { "ref": "pkg:npm/axios@0.18.1-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:b0c20026-cad7-5867-8eca-2f9646f172c1", "id": "CVE-2026-44492", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-44492 does not affect version 0.18.1-tuxcare.1 of axios. not_affected \u2014 The target repository axios v0.18.1-tuxcare.2 does not implement NO_PROXY functionality at all. The vulnerability CVE-2026-44492 is specific to shouldBypassProxy.js (introduced in v1.15.0) which handles NO_PROXY hostname comparison. Since v0.18.1 predates this feature and has no hostname comparison or bypass logic, the vulnerability pattern cannot manifest." }, "affects": [ { "ref": "pkg:npm/axios@0.18.1-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:10f68546-5ad5-5769-b66a-7ce2979eafb0", "id": "CVE-2026-44496", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-44496 affects version 0.18.1-tuxcare.1 of axios." }, "affects": [ { "ref": "pkg:npm/axios@0.18.1-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:b1576483-3ae2-5bce-977c-28895e96c269", "id": "GHSA-r4q5-vmmm-2653", "analysis": { "state": "exploitable", "detail": "Vulnerability GHSA-r4q5-vmmm-2653 affects version 0.18.1-tuxcare.1 of axios." }, "affects": [ { "ref": "pkg:npm/axios@0.18.1-tuxcare.1" } ] } ], "dependencies": [ { "ref": "pkg:npm/axios@0.18.1-tuxcare.1" } ] }