{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:23615e5a-ca1f-534f-9ad1-c53d88bd1d4d", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:npm/%40angular/animations@15.2.1-tuxcare.1", "type": "library", "name": "@angular/animations", "version": "15.2.1-tuxcare.1", "purl": "pkg:npm/%40angular/animations@15.2.1-tuxcare.1" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:a24f9e3f-a411-50ae-9165-98356d3a7054", "id": "CVE-2025-66035", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-66035 is fixed in version 15.2.1-tuxcare.1 of @angular/animations." }, "affects": [ { "ref": "pkg:npm/%40angular/animations@15.2.1-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:671439f4-c0da-5c77-a6f8-7d9b13713364", "id": "CVE-2025-66412", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-66412 affects version 15.2.1-tuxcare.1 of @angular/animations." }, "affects": [ { "ref": "pkg:npm/%40angular/animations@15.2.1-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:e645baca-bef0-52a0-88a0-1a5d83ccbd33", "id": "CVE-2026-22610", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22610 affects version 15.2.1-tuxcare.1 of @angular/animations." }, "affects": [ { "ref": "pkg:npm/%40angular/animations@15.2.1-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:dabfcfc3-a4cd-5a53-8ce8-1e4ecb4ebb6c", "id": "CVE-2026-27970", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-27970 affects version 15.2.1-tuxcare.1 of @angular/animations." }, "affects": [ { "ref": "pkg:npm/%40angular/animations@15.2.1-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:fb995177-8d8e-55df-8ff8-5a1259e43291", "id": "CVE-2026-41423", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41423 does not affect version 15.2.1-tuxcare.1 of @angular/animations. not_affected \u2014 The target Angular version 15.2.1 uses Node.js url.parse() API which does not exhibit the protocol-relative URL hostname override vulnerability. The vulnerable behavior was introduced in Angular 17+ when the code was refactored to use WHATWG new URL() API. Version 15.2.1 is not affected by CVE-2026-41423." }, "affects": [ { "ref": "pkg:npm/%40angular/animations@15.2.1-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:736884b0-2782-5310-9fe1-9e06f87967b8", "id": "CVE-2026-46417", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-46417 affects version 15.2.1-tuxcare.1 of @angular/animations." }, "affects": [ { "ref": "pkg:npm/%40angular/animations@15.2.1-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:549f1344-c95b-5419-8d84-2aca0048f681", "id": "CVE-2026-50168", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50168 affects version 15.2.1-tuxcare.1 of @angular/animations." }, "affects": [ { "ref": "pkg:npm/%40angular/animations@15.2.1-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:0616b435-32d0-5df7-857f-12ef4b49e5c3", "id": "CVE-2026-50169", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50169 affects version 15.2.1-tuxcare.1 of @angular/animations." }, "affects": [ { "ref": "pkg:npm/%40angular/animations@15.2.1-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:f5ab779d-e2f3-53fd-b366-ed1b0e032d9a", "id": "CVE-2026-50170", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-50170 does not affect version 15.2.1-tuxcare.1 of @angular/animations. not_affected \u2014 Angular 15.2.1 is not affected by CVE-2026-50170. The HTTP transfer cache feature that contains the vulnerability was introduced in Angular v16+ and does not exist in version 15.2.1. The target repository lacks the entire affected component (packages/common/http/src/transfer_cache.ts) and all related transfer cache functionality." }, "affects": [ { "ref": "pkg:npm/%40angular/animations@15.2.1-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:0bb4ce00-a47a-5db9-946f-9c0b16cb062f", "id": "CVE-2026-50171", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50171 affects version 15.2.1-tuxcare.1 of @angular/animations." }, "affects": [ { "ref": "pkg:npm/%40angular/animations@15.2.1-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:618fb645-4fde-5ad0-84e0-5d856084132c", "id": "CVE-2026-50184", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50184 affects version 15.2.1-tuxcare.1 of @angular/animations." }, "affects": [ { "ref": "pkg:npm/%40angular/animations@15.2.1-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:27560a10-16b7-59fd-b869-a7e761cef905", "id": "CVE-2026-50555", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50555 affects version 15.2.1-tuxcare.1 of @angular/animations." }, "affects": [ { "ref": "pkg:npm/%40angular/animations@15.2.1-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:ecce900b-472b-5127-b582-989bc644c7b1", "id": "CVE-2026-50556", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50556 affects version 15.2.1-tuxcare.1 of @angular/animations." }, "affects": [ { "ref": "pkg:npm/%40angular/animations@15.2.1-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:7844849d-14ae-5753-8c83-0295735ee4e5", "id": "CVE-2026-50557", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50557 affects version 15.2.1-tuxcare.1 of @angular/animations." }, "affects": [ { "ref": "pkg:npm/%40angular/animations@15.2.1-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:c2be2e34-fa22-52c3-806b-0ef88c65131a", "id": "CVE-2026-52725", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-52725 affects version 15.2.1-tuxcare.1 of @angular/animations." }, "affects": [ { "ref": "pkg:npm/%40angular/animations@15.2.1-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:e7d40201-7d09-5a35-bca1-0e69c4d2f114", "id": "CVE-2026-54264", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-54264 affects version 15.2.1-tuxcare.1 of @angular/animations." }, "affects": [ { "ref": "pkg:npm/%40angular/animations@15.2.1-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:b2bedad6-1162-52b0-a5e3-91aeb7bd314a", "id": "CVE-2026-54265", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-54265 does not affect version 15.2.1-tuxcare.1 of @angular/animations. not_affected \u2014 Angular 15.2.1-tuxcare.1 is NOT AFFECTED by CVE-2026-54265. The vulnerability exists only in Angular 16+ where the template pipeline architecture introduced a TwoWayProperty operation kind that was missing from the sanitizer resolution switch. Angular 15.2.1 uses the pre-pipeline Ivy compiler where two-way bindings desugar through the same parsePropertyBinding() as one-way bindings, inheriting ..." }, "affects": [ { "ref": "pkg:npm/%40angular/animations@15.2.1-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:e8f40af5-49a6-5552-9651-3f49e0014215", "id": "CVE-2026-54266", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-54266 does not affect version 15.2.1-tuxcare.1 of @angular/animations. not_affected \u2014 Angular 15.2.1 does not contain the HttpTransferCache feature, which was introduced in Angular 16.0.0. The vulnerable code path involving hash-based HTTP request caching does not exist in this version." }, "affects": [ { "ref": "pkg:npm/%40angular/animations@15.2.1-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:818f30e4-89af-54e6-90a2-d96952c2af8b", "id": "CVE-2026-54267", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-54267 affects version 15.2.1-tuxcare.1 of @angular/animations." }, "affects": [ { "ref": "pkg:npm/%40angular/animations@15.2.1-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:12679db0-7df0-56f5-9cd9-7c3bbe0668f1", "id": "CVE-2026-54268", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-54268 affects version 15.2.1-tuxcare.1 of @angular/animations." }, "affects": [ { "ref": "pkg:npm/%40angular/animations@15.2.1-tuxcare.1" } ] } ], "dependencies": [ { "ref": "pkg:npm/%40angular/animations@15.2.1-tuxcare.1" } ] }