{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:5446cb13-7750-511e-b0fa-ff8783f8cf51", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:npm/%40angular/bazel@15.0.3", "type": "library", "name": "@angular/bazel", "version": "15.0.3", "purl": "pkg:npm/%40angular/bazel@15.0.3" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:239a1461-0f99-5b78-afd5-d56c6cea3a43", "id": "CVE-2025-66412", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-66412 affects version 15.0.3 of @angular/bazel." }, "affects": [ { "ref": "pkg:npm/%40angular/bazel@15.0.3" } ] }, { "bom-ref": "urn:uuid:a0a5dad5-e14d-50b1-a2cd-6b3253529eab", "id": "CVE-2026-22610", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22610 affects version 15.0.3 of @angular/bazel." }, "affects": [ { "ref": "pkg:npm/%40angular/bazel@15.0.3" } ] }, { "bom-ref": "urn:uuid:f7bfc44e-5160-57c8-b242-944107f19ded", "id": "CVE-2026-27970", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-27970 affects version 15.0.3 of @angular/bazel." }, "affects": [ { "ref": "pkg:npm/%40angular/bazel@15.0.3" } ] }, { "bom-ref": "urn:uuid:9593f022-4d20-5ae7-b258-8fe821a1809e", "id": "CVE-2026-41423", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41423 affects version 15.0.3 of @angular/bazel." }, "affects": [ { "ref": "pkg:npm/%40angular/bazel@15.0.3" } ] }, { "bom-ref": "urn:uuid:7ad551f8-621e-5328-a984-4cd7323ca7f7", "id": "CVE-2026-46417", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-46417 affects version 15.0.3 of @angular/bazel." }, "affects": [ { "ref": "pkg:npm/%40angular/bazel@15.0.3" } ] }, { "bom-ref": "urn:uuid:d222676c-e289-5928-8101-353ba3253b16", "id": "CVE-2026-50168", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50168 affects version 15.0.3 of @angular/bazel." }, "affects": [ { "ref": "pkg:npm/%40angular/bazel@15.0.3" } ] }, { "bom-ref": "urn:uuid:4a12a947-33ae-55b7-a340-f877d16a880c", "id": "CVE-2026-50169", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50169 affects version 15.0.3 of @angular/bazel." }, "affects": [ { "ref": "pkg:npm/%40angular/bazel@15.0.3" } ] }, { "bom-ref": "urn:uuid:16f56ffa-fd79-59cb-b926-9d1f8c762259", "id": "CVE-2026-50170", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-50170 does not affect version 15.0.3 of @angular/bazel. not_affected \u2014 Angular 15.0.3-tuxcare.1 is NOT affected by CVE-2026-50170. The HTTP TransferCache feature that is vulnerable in later Angular versions (v16+) does not exist in this version. The vulnerable code (transfer_cache.ts, hasAuthHeaders(), shouldCacheRequest(), withHttpTransferCache, provideClientHydration) is absent from Angular 15.0.3." }, "affects": [ { "ref": "pkg:npm/%40angular/bazel@15.0.3" } ] }, { "bom-ref": "urn:uuid:45e7dad5-aaf9-567c-a28d-0f53838c85e6", "id": "CVE-2026-50171", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50171 affects version 15.0.3 of @angular/bazel." }, "affects": [ { "ref": "pkg:npm/%40angular/bazel@15.0.3" } ] }, { "bom-ref": "urn:uuid:78c9d3ae-cde7-55fb-aad0-3b6ca1625614", "id": "CVE-2026-50184", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50184 affects version 15.0.3 of @angular/bazel." }, "affects": [ { "ref": "pkg:npm/%40angular/bazel@15.0.3" } ] }, { "bom-ref": "urn:uuid:5a3c23d3-3b8f-51af-b0d2-89bf602654e3", "id": "CVE-2026-50555", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50555 affects version 15.0.3 of @angular/bazel." }, "affects": [ { "ref": "pkg:npm/%40angular/bazel@15.0.3" } ] }, { "bom-ref": "urn:uuid:91dc8f65-185b-55a9-80b0-e964f4b648a8", "id": "CVE-2026-50556", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50556 affects version 15.0.3 of @angular/bazel." }, "affects": [ { "ref": "pkg:npm/%40angular/bazel@15.0.3" } ] }, { "bom-ref": "urn:uuid:e54ddcbc-dd14-5666-885b-4e1f83bb148b", "id": "CVE-2026-50557", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50557 affects version 15.0.3 of @angular/bazel." }, "affects": [ { "ref": "pkg:npm/%40angular/bazel@15.0.3" } ] }, { "bom-ref": "urn:uuid:dc63b9c0-9e0c-5ca2-85d3-f353320454e0", "id": "CVE-2026-52725", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-52725 affects version 15.0.3 of @angular/bazel." }, "affects": [ { "ref": "pkg:npm/%40angular/bazel@15.0.3" } ] }, { "bom-ref": "urn:uuid:4174fd88-15d0-5422-ac37-906aedd24ab1", "id": "CVE-2026-54264", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-54264 affects version 15.0.3 of @angular/bazel." }, "affects": [ { "ref": "pkg:npm/%40angular/bazel@15.0.3" } ] }, { "bom-ref": "urn:uuid:a0e77076-8bdd-5591-8a8d-14cd972c449f", "id": "CVE-2026-54265", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-54265 does not affect version 15.0.3 of @angular/bazel. not_affected \u2014 Angular 15.0.3 is NOT AFFECTED by CVE-2026-54265. This version uses a different compiler architecture where two-way bindings desugar through the same code path as one-way bindings, both receiving identical security context resolution and sanitizer assignment. The vulnerable code (Ivy template pipeline with separate TwoWayProperty operation type) does not exist in this version." }, "affects": [ { "ref": "pkg:npm/%40angular/bazel@15.0.3" } ] }, { "bom-ref": "urn:uuid:70c90681-a7e1-56d6-a6f3-12b18c2d40ed", "id": "CVE-2026-54266", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-54266 does not affect version 15.0.3 of @angular/bazel. not_affected \u2014 Angular v15.0.3-tuxcare.1 is NOT affected by CVE-2026-54266. The vulnerable HttpTransferCache feature with weak DJB2 hash-based cache keys does not exist in this version. This feature was introduced in Angular v16+. The target has no code path from HTTP request handling to the vulnerability's cache poisoning goal." }, "affects": [ { "ref": "pkg:npm/%40angular/bazel@15.0.3" } ] }, { "bom-ref": "urn:uuid:b76b8a77-1065-5a0e-8acc-cca1421d34cf", "id": "CVE-2026-54267", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-54267 affects version 15.0.3 of @angular/bazel." }, "affects": [ { "ref": "pkg:npm/%40angular/bazel@15.0.3" } ] }, { "bom-ref": "urn:uuid:a7b24d89-3eba-5283-8d43-3c3c2011d7a5", "id": "CVE-2026-54268", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-54268 affects version 15.0.3 of @angular/bazel." }, "affects": [ { "ref": "pkg:npm/%40angular/bazel@15.0.3" } ] } ], "dependencies": [ { "ref": "pkg:npm/%40angular/bazel@15.0.3" } ] }