{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:c782fd09-bfa6-5275-a7fb-395ec7b1f0db", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:npm/%40angular/animations@15.2.9-tuxcare.1", "type": "library", "name": "@angular/animations", "version": "15.2.9-tuxcare.1", "purl": "pkg:npm/%40angular/animations@15.2.9-tuxcare.1" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:b127d1e8-6f1d-53ea-84dc-3e60c73bce36", "id": "CVE-2025-66035", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-66035 is fixed in version 15.2.9-tuxcare.1 of @angular/animations." }, "affects": [ { "ref": "pkg:npm/%40angular/animations@15.2.9-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:8704e652-6a4f-5567-a736-84234e3b48c0", "id": "CVE-2025-66412", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-66412 affects version 15.2.9-tuxcare.1 of @angular/animations." }, "affects": [ { "ref": "pkg:npm/%40angular/animations@15.2.9-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:eabac4c9-5563-5d75-9223-87f38791b2d3", "id": "CVE-2026-22610", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22610 affects version 15.2.9-tuxcare.1 of @angular/animations." }, "affects": [ { "ref": "pkg:npm/%40angular/animations@15.2.9-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:e888bae7-743e-5cfb-b420-72cacc48f04c", "id": "CVE-2026-27970", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-27970 affects version 15.2.9-tuxcare.1 of @angular/animations." }, "affects": [ { "ref": "pkg:npm/%40angular/animations@15.2.9-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:c51010a0-aad4-59e5-a68c-20220219b58b", "id": "CVE-2026-41423", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41423 does not affect version 15.2.9-tuxcare.1 of @angular/animations. not_affected \u2014 Angular 15.2.9 is not affected by CVE-2026-41423. The SSRF vulnerability via protocol-relative URLs was introduced in Angular 17.0.0 when the codebase switched from Node.js url.parse to WHATWG URL API. Angular 15.2.9 still uses the legacy Node.js url.parse which treats protocol-relative URLs ('//evil.com') as pathnames, not hostname overrides, preventing the SSRF attack vector." }, "affects": [ { "ref": "pkg:npm/%40angular/animations@15.2.9-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:d0794e86-b8a8-585f-ad2b-3876b91610b5", "id": "CVE-2026-46417", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-46417 affects version 15.2.9-tuxcare.1 of @angular/animations." }, "affects": [ { "ref": "pkg:npm/%40angular/animations@15.2.9-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:b6babcb6-b691-5563-ab5e-2cd6b0311b20", "id": "CVE-2026-50168", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50168 affects version 15.2.9-tuxcare.1 of @angular/animations." }, "affects": [ { "ref": "pkg:npm/%40angular/animations@15.2.9-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:403fe57b-a101-5233-a500-4a5b769d1750", "id": "CVE-2026-50169", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50169 affects version 15.2.9-tuxcare.1 of @angular/animations." }, "affects": [ { "ref": "pkg:npm/%40angular/animations@15.2.9-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:60385f2b-3f67-534f-bf84-ce6b94b20c7b", "id": "CVE-2026-50170", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-50170 does not affect version 15.2.9-tuxcare.1 of @angular/animations. not_affected \u2014 no evidence captured" }, "affects": [ { "ref": "pkg:npm/%40angular/animations@15.2.9-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:267d6a66-c9c6-54d5-8760-7d2cbdcf6286", "id": "CVE-2026-50171", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50171 affects version 15.2.9-tuxcare.1 of @angular/animations." }, "affects": [ { "ref": "pkg:npm/%40angular/animations@15.2.9-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:013926fa-0484-5379-9733-faab8382b553", "id": "CVE-2026-50184", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50184 affects version 15.2.9-tuxcare.1 of @angular/animations." }, "affects": [ { "ref": "pkg:npm/%40angular/animations@15.2.9-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:916a3859-5b5d-546d-887f-565e52ab9190", "id": "CVE-2026-50555", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50555 affects version 15.2.9-tuxcare.1 of @angular/animations." }, "affects": [ { "ref": "pkg:npm/%40angular/animations@15.2.9-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:81d94314-1bf8-50b2-9a73-5cfc1e50475d", "id": "CVE-2026-50556", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50556 affects version 15.2.9-tuxcare.1 of @angular/animations." }, "affects": [ { "ref": "pkg:npm/%40angular/animations@15.2.9-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:1c237517-de50-5d6f-9f92-6ccb0bda8107", "id": "CVE-2026-50557", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50557 affects version 15.2.9-tuxcare.1 of @angular/animations." }, "affects": [ { "ref": "pkg:npm/%40angular/animations@15.2.9-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:64e959a1-78bf-58b0-ae1f-cc3e8ec3cf41", "id": "CVE-2026-52725", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-52725 affects version 15.2.9-tuxcare.1 of @angular/animations." }, "affects": [ { "ref": "pkg:npm/%40angular/animations@15.2.9-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:17e9b980-76ac-59a8-8070-44201ce77f43", "id": "CVE-2026-54264", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-54264 affects version 15.2.9-tuxcare.1 of @angular/animations." }, "affects": [ { "ref": "pkg:npm/%40angular/animations@15.2.9-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:f61889d9-034d-5eb0-97df-8dfe161bba11", "id": "CVE-2026-54265", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-54265 does not affect version 15.2.9-tuxcare.1 of @angular/animations. not_affected \u2014 Angular 15.2.9-tuxcare.1 is not affected by CVE-2026-54265. The vulnerability requires the new Ivy compiler 'pipeline' architecture with the TwoWayProperty IR operation, which was introduced in Angular 16+. Angular 15.2.9 uses the older compiler architecture where two-way bindings are desugared into separate property and event bindings, causing them to automatically receive the same sanitizatio..." }, "affects": [ { "ref": "pkg:npm/%40angular/animations@15.2.9-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:9d922a5e-639f-5d02-8913-6cc3946d83b2", "id": "CVE-2026-54266", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-54266 does not affect version 15.2.9-tuxcare.1 of @angular/animations. not_affected \u2014 Angular 15.2.9 is not affected by CVE-2026-54266. The vulnerable HttpTransferCache feature does not exist in this version - it was introduced in Angular v16+. Without this feature, there is no code that hashes HTTP request properties for cache key generation, so the hash collision vulnerability cannot manifest." }, "affects": [ { "ref": "pkg:npm/%40angular/animations@15.2.9-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:067b4e12-a115-5a8d-9076-7f0070e81c94", "id": "CVE-2026-54267", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-54267 affects version 15.2.9-tuxcare.1 of @angular/animations." }, "affects": [ { "ref": "pkg:npm/%40angular/animations@15.2.9-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:4a8c83f3-c131-5f13-954e-07ecc75828ee", "id": "CVE-2026-54268", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-54268 affects version 15.2.9-tuxcare.1 of @angular/animations." }, "affects": [ { "ref": "pkg:npm/%40angular/animations@15.2.9-tuxcare.1" } ] } ], "dependencies": [ { "ref": "pkg:npm/%40angular/animations@15.2.9-tuxcare.1" } ] }