{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:db785474-038a-5564-badd-fe6bbc4fa84d", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:npm/%40angular/bazel@13.3.0-tuxcare.1", "type": "library", "name": "@angular/bazel", "version": "13.3.0-tuxcare.1", "purl": "pkg:npm/%40angular/bazel@13.3.0-tuxcare.1" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:27de523e-d2a9-568c-a545-a30051d400c8", "id": "CVE-2025-66035", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-66035 is fixed in version 13.3.0-tuxcare.1 of @angular/bazel." }, "affects": [ { "ref": "pkg:npm/%40angular/bazel@13.3.0-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:c5ce31d6-6d28-5879-bec2-6876bba28033", "id": "CVE-2025-66412", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-66412 affects version 13.3.0-tuxcare.1 of @angular/bazel." }, "affects": [ { "ref": "pkg:npm/%40angular/bazel@13.3.0-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:4e31e4a4-82b1-57b8-9829-ecc4f63915c2", "id": "CVE-2026-22610", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22610 affects version 13.3.0-tuxcare.1 of @angular/bazel." }, "affects": [ { "ref": "pkg:npm/%40angular/bazel@13.3.0-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:cb8d2c60-2988-5090-85cc-28e4e302c103", "id": "CVE-2026-27970", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-27970 affects version 13.3.0-tuxcare.1 of @angular/bazel." }, "affects": [ { "ref": "pkg:npm/%40angular/bazel@13.3.0-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:f9da32b4-cbf8-5f9f-943c-c8123e736032", "id": "CVE-2026-41423", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41423 does not affect version 13.3.0-tuxcare.1 of @angular/bazel. not_affected \u2014 The target repository (Angular 13.3.0-tuxcare.1) is NOT AFFECTED by CVE-2026-41423. While the target lacks the explicit sanitization that the upstream patch adds, it uses a fundamentally different URL parsing mechanism (Node's url.parse() without base URL) that does not extract hostnames from protocol-relative URLs. The architectural difference prevents the SSRF attack vector from succeeding." }, "affects": [ { "ref": "pkg:npm/%40angular/bazel@13.3.0-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:b494ab79-557d-52d2-b947-5746386c71a6", "id": "CVE-2026-46417", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-46417 affects version 13.3.0-tuxcare.1 of @angular/bazel." }, "affects": [ { "ref": "pkg:npm/%40angular/bazel@13.3.0-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:cb2a1e50-49b8-57d8-837a-1d9571e86ef2", "id": "CVE-2026-50168", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50168 affects version 13.3.0-tuxcare.1 of @angular/bazel." }, "affects": [ { "ref": "pkg:npm/%40angular/bazel@13.3.0-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:56602f8b-a5dc-5953-8f98-b61925d448ec", "id": "CVE-2026-50169", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50169 affects version 13.3.0-tuxcare.1 of @angular/bazel." }, "affects": [ { "ref": "pkg:npm/%40angular/bazel@13.3.0-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:2b9d6821-be26-50cf-bff3-cc8d8bf5520e", "id": "CVE-2026-50170", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-50170 does not affect version 13.3.0-tuxcare.1 of @angular/bazel. not_affected \u2014 Angular v13.3.0 is not affected by CVE-2026-50170. The vulnerable component (HttpTransferCache) does not exist in this version. The HttpTransferCache feature and automatic HTTP response caching during SSR were introduced in Angular v16+, while this target is v13.3.0-tuxcare.1." }, "affects": [ { "ref": "pkg:npm/%40angular/bazel@13.3.0-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:ea1a6395-833c-5cda-8a94-9195442827b5", "id": "CVE-2026-50171", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50171 affects version 13.3.0-tuxcare.1 of @angular/bazel." }, "affects": [ { "ref": "pkg:npm/%40angular/bazel@13.3.0-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:ba1ea3b5-7c61-5595-87ce-e00d572e43c7", "id": "CVE-2026-50184", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50184 affects version 13.3.0-tuxcare.1 of @angular/bazel." }, "affects": [ { "ref": "pkg:npm/%40angular/bazel@13.3.0-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:ca6cd2b8-8ef9-5f87-8ccf-96471334154d", "id": "CVE-2026-50555", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50555 affects version 13.3.0-tuxcare.1 of @angular/bazel." }, "affects": [ { "ref": "pkg:npm/%40angular/bazel@13.3.0-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:aa891fc1-292e-58c8-9015-114ed0f14ae5", "id": "CVE-2026-50556", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50556 affects version 13.3.0-tuxcare.1 of @angular/bazel." }, "affects": [ { "ref": "pkg:npm/%40angular/bazel@13.3.0-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:087e2222-94d9-5a16-b350-8dd60378c5be", "id": "CVE-2026-50557", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50557 affects version 13.3.0-tuxcare.1 of @angular/bazel." }, "affects": [ { "ref": "pkg:npm/%40angular/bazel@13.3.0-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:bdce77dc-2f90-56f1-a04d-24cb0c4a33bd", "id": "CVE-2026-52725", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-52725 affects version 13.3.0-tuxcare.1 of @angular/bazel." }, "affects": [ { "ref": "pkg:npm/%40angular/bazel@13.3.0-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:9e790f80-8e17-5b1d-8cad-719361d89f35", "id": "CVE-2026-54264", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-54264 does not affect version 13.3.0-tuxcare.1 of @angular/bazel. not_affected \u2014 Angular 13.3.0 is not affected by CVE-2026-54264. The vulnerable method newRequestWithMetadata() does not exist in this version. The AssetGroup class creates new requests with only URLs when fetching assets, never preserving headers. On cross-origin redirects, the code creates a completely new request with no headers, preventing sensitive credential leakage." }, "affects": [ { "ref": "pkg:npm/%40angular/bazel@13.3.0-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:37d32031-6994-51e5-b0ba-53cce1ca490a", "id": "CVE-2026-54265", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-54265 does not affect version 13.3.0-tuxcare.1 of @angular/bazel. not_affected \u2014 Angular 13.3.0 is not affected by CVE-2026-54265. The vulnerability is specific to Angular's template/pipeline architecture (introduced in v14+) where TwoWayProperty operations bypass sanitizer resolution. Angular 13.3.0 uses an earlier Ivy architecture without the template/pipeline system, where two-way bindings desugar through the same parsePropertyBinding() function as one-way bindings, rece..." }, "affects": [ { "ref": "pkg:npm/%40angular/bazel@13.3.0-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:4d2646b0-83bd-5239-803e-0bd21d00f91a", "id": "CVE-2026-54266", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-54266 does not affect version 13.3.0-tuxcare.1 of @angular/bazel. not_affected \u2014 Angular 13.3.0 is not affected by CVE-2026-54266. The vulnerable HttpTransferCache feature with weak DJB2 hash-based cache key generation does not exist in this version. HttpTransferCache was introduced in Angular v16+, and version 13.3.0 predates this feature." }, "affects": [ { "ref": "pkg:npm/%40angular/bazel@13.3.0-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:e27bb91f-951a-5bb8-a33c-1fe187078491", "id": "CVE-2026-54267", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-54267 affects version 13.3.0-tuxcare.1 of @angular/bazel." }, "affects": [ { "ref": "pkg:npm/%40angular/bazel@13.3.0-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:58dbb9dc-6aaa-5789-b123-6c9f18d21873", "id": "CVE-2026-54268", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-54268 affects version 13.3.0-tuxcare.1 of @angular/bazel." }, "affects": [ { "ref": "pkg:npm/%40angular/bazel@13.3.0-tuxcare.1" } ] } ], "dependencies": [ { "ref": "pkg:npm/%40angular/bazel@13.3.0-tuxcare.1" } ] }