{ "@context": "https://openvex.dev/ns/v0.2.0", "@id": "https://clearcutt.internal/vex/node22-dev/v0.8.1", "author": "ClearCutt Security Platform Gating Engine", "role": "Document Creator", "timestamp": "2026-06-04T08:01:21Z", "version": 1, "statements": [ { "vulnerability": { "name": "CVE-2026-4176" }, "products": [ { "@id": "pkg:nix/node22-dev@v0.8.1" } ], "status": "affected", "impact_statement": "Image layer is affected; a fixed version is eligible for rebuild." }, { "vulnerability": { "name": "CVE-2026-8376" }, "products": [ { "@id": "pkg:nix/node22-dev@v0.8.1" } ], "status": "under_investigation", "impact_statement": "No safe fixed version is currently listed for this package. We keep it visible until an upstream fix is available." }, { "vulnerability": { "name": "CVE-2026-7210" }, "products": [ { "@id": "pkg:nix/node22-dev@v0.8.1" } ], "status": "not_affected", "justification": "vulnerable_code_not_in_execute_path", "impact_statement": "This comes from the underlying base image, so ClearCutt lists it but cannot update it from the runtime layer." }, { "vulnerability": { "name": "CVE-2026-6100" }, "products": [ { "@id": "pkg:nix/node22-dev@v0.8.1" } ], "status": "not_affected", "justification": "vulnerable_code_not_in_execute_path", "impact_statement": "This comes from the underlying base image, so ClearCutt lists it but cannot update it from the runtime layer." }, { "vulnerability": { "name": "CVE-2026-3298" }, "products": [ { "@id": "pkg:nix/node22-dev@v0.8.1" } ], "status": "not_affected", "justification": "vulnerable_code_not_in_execute_path", "impact_statement": "This comes from the underlying base image, so ClearCutt lists it but cannot update it from the runtime layer." }, { "vulnerability": { "name": "GHSA-c2c7-rcm5-vvqj" }, "products": [ { "@id": "pkg:nix/node22-dev@v0.8.1" } ], "status": "not_affected", "justification": "vulnerable_code_not_in_execute_path", "impact_statement": "This comes from the underlying base image, so ClearCutt lists it but cannot update it from the runtime layer." }, { "vulnerability": { "name": "CVE-2026-3087" }, "products": [ { "@id": "pkg:nix/node22-dev@v0.8.1" } ], "status": "not_affected", "justification": "vulnerable_code_not_in_execute_path", "impact_statement": "This comes from the underlying base image, so ClearCutt lists it but cannot update it from the runtime layer." }, { "vulnerability": { "name": "CVE-2026-4786" }, "products": [ { "@id": "pkg:nix/node22-dev@v0.8.1" } ], "status": "not_affected", "justification": "vulnerable_code_not_in_execute_path", "impact_statement": "This comes from the underlying base image, so ClearCutt lists it but cannot update it from the runtime layer." }, { "vulnerability": { "name": "CVE-2026-7598" }, "products": [ { "@id": "pkg:nix/node22-dev@v0.8.1" } ], "status": "not_affected", "justification": "vulnerable_code_not_in_execute_path", "impact_statement": "This is below the release-blocking severity threshold, so it is listed for awareness." }, { "vulnerability": { "name": "GHSA-f886-m6hf-6m8v" }, "products": [ { "@id": "pkg:nix/node22-dev@v0.8.1" } ], "status": "not_affected", "justification": "vulnerable_code_not_in_execute_path", "impact_statement": "This comes from the underlying base image, so ClearCutt lists it but cannot update it from the runtime layer." }, { "vulnerability": { "name": "CVE-2026-6019" }, "products": [ { "@id": "pkg:nix/node22-dev@v0.8.1" } ], "status": "not_affected", "justification": "vulnerable_code_not_in_execute_path", "impact_statement": "This comes from the underlying base image, so ClearCutt lists it but cannot update it from the runtime layer." }, { "vulnerability": { "name": "CVE-2025-15366" }, "products": [ { "@id": "pkg:nix/node22-dev@v0.8.1" } ], "status": "not_affected", "justification": "vulnerable_code_not_in_execute_path", "impact_statement": "This comes from the underlying base image, so ClearCutt lists it but cannot update it from the runtime layer." }, { "vulnerability": { "name": "CVE-2025-15367" }, "products": [ { "@id": "pkg:nix/node22-dev@v0.8.1" } ], "status": "not_affected", "justification": "vulnerable_code_not_in_execute_path", "impact_statement": "This comes from the underlying base image, so ClearCutt lists it but cannot update it from the runtime layer." }, { "vulnerability": { "name": "CVE-2026-8328" }, "products": [ { "@id": "pkg:nix/node22-dev@v0.8.1" } ], "status": "not_affected", "justification": "vulnerable_code_not_in_execute_path", "impact_statement": "This comes from the underlying base image, so ClearCutt lists it but cannot update it from the runtime layer." }, { "vulnerability": { "name": "CVE-2026-1502" }, "products": [ { "@id": "pkg:nix/node22-dev@v0.8.1" } ], "status": "not_affected", "justification": "vulnerable_code_not_in_execute_path", "impact_statement": "This comes from the underlying base image, so ClearCutt lists it but cannot update it from the runtime layer." }, { "vulnerability": { "name": "CVE-2024-9410" }, "products": [ { "@id": "pkg:nix/node22-dev@v0.8.1" } ], "status": "not_affected", "justification": "vulnerable_code_not_in_execute_path", "impact_statement": "This is below the release-blocking severity threshold, so it is listed for awareness." }, { "vulnerability": { "name": "GHSA-v2v4-37r5-5v8g" }, "products": [ { "@id": "pkg:nix/node22-dev@v0.8.1" } ], "status": "not_affected", "justification": "vulnerable_code_not_in_execute_path", "impact_statement": "This comes from the underlying base image, so ClearCutt lists it but cannot update it from the runtime layer." }, { "vulnerability": { "name": "GHSA-3v7f-55p6-f55p" }, "products": [ { "@id": "pkg:nix/node22-dev@v0.8.1" } ], "status": "not_affected", "justification": "vulnerable_code_not_in_execute_path", "impact_statement": "This comes from the underlying base image, so ClearCutt lists it but cannot update it from the runtime layer." }, { "vulnerability": { "name": "CVE-2025-12781" }, "products": [ { "@id": "pkg:nix/node22-dev@v0.8.1" } ], "status": "not_affected", "justification": "vulnerable_code_not_in_execute_path", "impact_statement": "This comes from the underlying base image, so ClearCutt lists it but cannot update it from the runtime layer." }, { "vulnerability": { "name": "CVE-2024-3220" }, "products": [ { "@id": "pkg:nix/node22-dev@v0.8.1" } ], "status": "not_affected", "justification": "vulnerable_code_not_in_execute_path", "impact_statement": "This comes from the underlying base image, so ClearCutt lists it but cannot update it from the runtime layer." } ] }