{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:fda4d62a-3f15-57a0-90a4-2bfdeaa9c22c", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:npm/%40angular/bazel@12.0.0-tuxcare.1", "type": "library", "name": "@angular/bazel", "version": "12.0.0-tuxcare.1", "purl": "pkg:npm/%40angular/bazel@12.0.0-tuxcare.1" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:2a016b32-46b8-5bc4-854d-60fb7b9be59e", "id": "CVE-2025-66035", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-66035 is fixed in version 12.0.0-tuxcare.1 of @angular/bazel." }, "affects": [ { "ref": "pkg:npm/%40angular/bazel@12.0.0-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:7d382733-e821-59a4-be14-ef5e54e8efe0", "id": "CVE-2025-66412", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-66412 affects version 12.0.0-tuxcare.1 of @angular/bazel." }, "affects": [ { "ref": "pkg:npm/%40angular/bazel@12.0.0-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:eb66176e-b430-50ae-8243-8086c8157673", "id": "CVE-2026-22610", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22610 affects version 12.0.0-tuxcare.1 of @angular/bazel." }, "affects": [ { "ref": "pkg:npm/%40angular/bazel@12.0.0-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:5d439495-2138-54ae-96af-24e6cd01586b", "id": "CVE-2026-27970", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-27970 affects version 12.0.0-tuxcare.1 of @angular/bazel." }, "affects": [ { "ref": "pkg:npm/%40angular/bazel@12.0.0-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:94a9550d-1c04-5b8d-84ad-6b889e04ca3f", "id": "CVE-2026-41423", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41423 does not affect version 12.0.0-tuxcare.1 of @angular/bazel. not_affected \u2014 The target repository (Angular v12.0.0-tuxcare.2) is not affected by CVE-2026-41423. This version uses Node.js url.parse() for URL parsing, which does not exhibit the hostname override vulnerability. The CVE affects Angular versions 21.0.4+ where the codebase was refactored to use the URL constructor with a base parameter, allowing protocol-relative URLs (//evil.com) to override the hostname. T..." }, "affects": [ { "ref": "pkg:npm/%40angular/bazel@12.0.0-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:b75c41c5-1a8c-53a8-97fc-7a070b8db5b8", "id": "CVE-2026-46417", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-46417 affects version 12.0.0-tuxcare.1 of @angular/bazel." }, "affects": [ { "ref": "pkg:npm/%40angular/bazel@12.0.0-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:08b54727-386c-5738-b915-52090759afb8", "id": "CVE-2026-50168", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50168 affects version 12.0.0-tuxcare.1 of @angular/bazel." }, "affects": [ { "ref": "pkg:npm/%40angular/bazel@12.0.0-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:fc0963fc-697f-5aed-b86f-1e4d2d41743b", "id": "CVE-2026-50169", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50169 affects version 12.0.0-tuxcare.1 of @angular/bazel." }, "affects": [ { "ref": "pkg:npm/%40angular/bazel@12.0.0-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:0ada6699-d947-586d-b496-903c35cd462e", "id": "CVE-2026-50170", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-50170 does not affect version 12.0.0-tuxcare.1 of @angular/bazel. not_affected \u2014 Angular v12.0.0-tuxcare.2 is not affected by CVE-2026-50170. The HTTP transfer cache feature that contains the vulnerability does not exist in this version. The transfer cache was introduced in Angular v16+, while this is version 12." }, "affects": [ { "ref": "pkg:npm/%40angular/bazel@12.0.0-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:9d8f95b1-0e6f-5bf8-8d02-70de30210c4c", "id": "CVE-2026-50171", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50171 affects version 12.0.0-tuxcare.1 of @angular/bazel." }, "affects": [ { "ref": "pkg:npm/%40angular/bazel@12.0.0-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:4e0dfee6-c8e1-5d1c-bcd7-f1bcd479773b", "id": "CVE-2026-50184", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50184 affects version 12.0.0-tuxcare.1 of @angular/bazel." }, "affects": [ { "ref": "pkg:npm/%40angular/bazel@12.0.0-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:408c9e3e-9c54-5b9a-894e-6464ba514197", "id": "CVE-2026-50555", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50555 affects version 12.0.0-tuxcare.1 of @angular/bazel." }, "affects": [ { "ref": "pkg:npm/%40angular/bazel@12.0.0-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:6f94537e-f2d4-58f1-a481-dcb61243edc0", "id": "CVE-2026-50556", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50556 affects version 12.0.0-tuxcare.1 of @angular/bazel." }, "affects": [ { "ref": "pkg:npm/%40angular/bazel@12.0.0-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:64c31d75-a987-5a6a-8405-2ed9bfa8da3f", "id": "CVE-2026-50557", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50557 affects version 12.0.0-tuxcare.1 of @angular/bazel." }, "affects": [ { "ref": "pkg:npm/%40angular/bazel@12.0.0-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:3a8e4d98-6080-5c06-a746-03fdd24412e9", "id": "CVE-2026-52725", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-52725 affects version 12.0.0-tuxcare.1 of @angular/bazel." }, "affects": [ { "ref": "pkg:npm/%40angular/bazel@12.0.0-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:48bcbacc-645f-576e-9b2a-56938bd86dd1", "id": "CVE-2026-54264", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-54264 does not affect version 12.0.0-tuxcare.1 of @angular/bazel. not_affected \u2014 Angular version 12.0.0 is not affected by CVE-2026-54264. The service worker's AssetGroup class does not preserve request headers when making network requests, including on cross-origin redirects. Version 12.0.0 predates the architectural change that introduced metadata preservation (including headers), which was later found to be vulnerable in versions 20.x-22.x." }, "affects": [ { "ref": "pkg:npm/%40angular/bazel@12.0.0-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:205d58c4-4ef7-51c2-a259-8a708de99497", "id": "CVE-2026-54265", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-54265 does not affect version 12.0.0-tuxcare.1 of @angular/bazel. not_affected \u2014 Angular 12.0.0-tuxcare.2 is not affected by CVE-2026-54265. The vulnerability is specific to the Ivy template pipeline architecture with TwoWayProperty IR operations (introduced in Angular 20+). Angular 12 uses a different architecture where two-way bindings are desugared at parse time into separate property and event bindings, and the property binding is sanitized through the same code path as..." }, "affects": [ { "ref": "pkg:npm/%40angular/bazel@12.0.0-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:ee82926b-44b4-55f9-a5ed-a21c33c3f2a8", "id": "CVE-2026-54266", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-54266 does not affect version 12.0.0-tuxcare.1 of @angular/bazel. not_affected \u2014 Angular v12.0.0-tuxcare.2 is not affected by CVE-2026-54266. The HttpTransferCache feature containing the weak DJB2 hash vulnerability does not exist in this version - it was introduced in Angular v16+." }, "affects": [ { "ref": "pkg:npm/%40angular/bazel@12.0.0-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:01b6f3b0-7ceb-570b-9c81-322a5d1aba45", "id": "CVE-2026-54267", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-54267 affects version 12.0.0-tuxcare.1 of @angular/bazel." }, "affects": [ { "ref": "pkg:npm/%40angular/bazel@12.0.0-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:61b1f360-7d53-5dfa-b59e-79db24291230", "id": "CVE-2026-54268", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-54268 affects version 12.0.0-tuxcare.1 of @angular/bazel." }, "affects": [ { "ref": "pkg:npm/%40angular/bazel@12.0.0-tuxcare.1" } ] } ], "dependencies": [ { "ref": "pkg:npm/%40angular/bazel@12.0.0-tuxcare.1" } ] }