{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:af83b2b5-2ff1-5b7a-a2c8-b126c907a434", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:npm/%40angular/bazel@13.3.12", "type": "library", "name": "@angular/bazel", "version": "13.3.12", "purl": "pkg:npm/%40angular/bazel@13.3.12" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:b01ab7a8-c204-52d3-8cb3-7aa3a26d7e17", "id": "CVE-2025-66412", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-66412 affects version 13.3.12 of @angular/bazel." }, "affects": [ { "ref": "pkg:npm/%40angular/bazel@13.3.12" } ] }, { "bom-ref": "urn:uuid:e8d87260-efbe-58a5-b827-cedcb24831b7", "id": "CVE-2026-22610", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22610 affects version 13.3.12 of @angular/bazel." }, "affects": [ { "ref": "pkg:npm/%40angular/bazel@13.3.12" } ] }, { "bom-ref": "urn:uuid:41348a2f-21da-50c1-8e98-634d2c07f3b9", "id": "CVE-2026-27970", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-27970 affects version 13.3.12 of @angular/bazel." }, "affects": [ { "ref": "pkg:npm/%40angular/bazel@13.3.12" } ] }, { "bom-ref": "urn:uuid:4ec90350-de58-56cb-88c2-ee01cbd30224", "id": "CVE-2026-41423", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41423 affects version 13.3.12 of @angular/bazel." }, "affects": [ { "ref": "pkg:npm/%40angular/bazel@13.3.12" } ] }, { "bom-ref": "urn:uuid:cedaa5eb-0a6f-5077-9b37-0634404e8155", "id": "CVE-2026-46417", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-46417 affects version 13.3.12 of @angular/bazel." }, "affects": [ { "ref": "pkg:npm/%40angular/bazel@13.3.12" } ] }, { "bom-ref": "urn:uuid:27c4ac12-e378-5aea-a161-1851615d5755", "id": "CVE-2026-50168", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50168 affects version 13.3.12 of @angular/bazel." }, "affects": [ { "ref": "pkg:npm/%40angular/bazel@13.3.12" } ] }, { "bom-ref": "urn:uuid:3319fdd3-351c-5a69-94ac-f4180121c1b5", "id": "CVE-2026-50169", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50169 affects version 13.3.12 of @angular/bazel." }, "affects": [ { "ref": "pkg:npm/%40angular/bazel@13.3.12" } ] }, { "bom-ref": "urn:uuid:0d821cca-f0b1-532b-adbd-a428043acd00", "id": "CVE-2026-50170", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-50170 does not affect version 13.3.12 of @angular/bazel. not_affected \u2014 Angular v13.3.12 is NOT AFFECTED by CVE-2026-50170. The HttpTransferCache feature that contains the vulnerability was introduced in Angular v16.0.0 (March 2023) and does not exist in this earlier version." }, "affects": [ { "ref": "pkg:npm/%40angular/bazel@13.3.12" } ] }, { "bom-ref": "urn:uuid:1b1e81e5-d834-5080-ada8-31ed6300766a", "id": "CVE-2026-50171", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50171 affects version 13.3.12 of @angular/bazel." }, "affects": [ { "ref": "pkg:npm/%40angular/bazel@13.3.12" } ] }, { "bom-ref": "urn:uuid:2b92e6ed-c263-51a5-8d4c-c6d07eba7b45", "id": "CVE-2026-50184", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50184 affects version 13.3.12 of @angular/bazel." }, "affects": [ { "ref": "pkg:npm/%40angular/bazel@13.3.12" } ] }, { "bom-ref": "urn:uuid:1a5c3617-5870-547a-8aea-ad84988577e8", "id": "CVE-2026-50555", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50555 affects version 13.3.12 of @angular/bazel." }, "affects": [ { "ref": "pkg:npm/%40angular/bazel@13.3.12" } ] }, { "bom-ref": "urn:uuid:9ba180f2-b180-5fd8-9a29-d28098f25eb6", "id": "CVE-2026-50556", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50556 affects version 13.3.12 of @angular/bazel." }, "affects": [ { "ref": "pkg:npm/%40angular/bazel@13.3.12" } ] }, { "bom-ref": "urn:uuid:4df866b6-051e-5a7c-8a52-bf01b2fc57d9", "id": "CVE-2026-50557", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50557 affects version 13.3.12 of @angular/bazel." }, "affects": [ { "ref": "pkg:npm/%40angular/bazel@13.3.12" } ] }, { "bom-ref": "urn:uuid:f81dafff-cf05-5148-8f4d-0b8d44241fbd", "id": "CVE-2026-52725", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-52725 affects version 13.3.12 of @angular/bazel." }, "affects": [ { "ref": "pkg:npm/%40angular/bazel@13.3.12" } ] }, { "bom-ref": "urn:uuid:d6757d3d-5537-5a5d-8255-3936cf5a9652", "id": "CVE-2026-54264", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-54264 does not affect version 13.3.12 of @angular/bazel. not_affected \u2014 Version 13.3.12 does not have the vulnerable code pattern. The vulnerability exists in versions 20.x+ where the Service Worker's newRequestWithMetadata function preserves request headers but fails to strip sensitive headers on cross-origin redirects. Version 13.3.12 lacks this function entirely and creates fresh requests with URL-only when handling redirects, preventing header leakage." }, "affects": [ { "ref": "pkg:npm/%40angular/bazel@13.3.12" } ] }, { "bom-ref": "urn:uuid:5f9bd207-d9ab-5d01-9394-94f51f352416", "id": "CVE-2026-54265", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-54265 does not affect version 13.3.12 of @angular/bazel. not_affected \u2014 Angular v13.3.12-tuxcare.1 is not affected by CVE-2026-54265. The vulnerability is specific to the Ivy template pipeline architecture (TwoWayProperty operation) introduced in Angular v17+. This version uses an older Ivy architecture where two-way bindings desugar through the same sanitized property binding path as one-way bindings, preventing the sanitization bypass." }, "affects": [ { "ref": "pkg:npm/%40angular/bazel@13.3.12" } ] }, { "bom-ref": "urn:uuid:2287428f-6ac7-5eff-be99-310967426091", "id": "CVE-2026-54266", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-54266 does not affect version 13.3.12 of @angular/bazel. not_affected \u2014 Angular v13.3.12 is NOT AFFECTED by CVE-2026-54266. The vulnerable HttpTransferCache feature with weak DJB2 hash-based cache key generation was introduced in Angular v16.0.0-next.7 (March 2023), which is 3+ major versions newer than this target version. Exhaustive code analysis confirms the transfer_cache.ts module, HttpTransferCache class, generateHash function, and all related cache key gener..." }, "affects": [ { "ref": "pkg:npm/%40angular/bazel@13.3.12" } ] }, { "bom-ref": "urn:uuid:962827ec-89fe-5a9d-897f-4293c7a8fd71", "id": "CVE-2026-54267", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-54267 affects version 13.3.12 of @angular/bazel." }, "affects": [ { "ref": "pkg:npm/%40angular/bazel@13.3.12" } ] }, { "bom-ref": "urn:uuid:3f60fc1c-0959-506b-bcc5-90c9ac35ec0d", "id": "CVE-2026-54268", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-54268 affects version 13.3.12 of @angular/bazel." }, "affects": [ { "ref": "pkg:npm/%40angular/bazel@13.3.12" } ] } ], "dependencies": [ { "ref": "pkg:npm/%40angular/bazel@13.3.12" } ] }