{
  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "serialNumber": "urn:uuid:5a731a9c-9255-5ba8-8200-ba41a176da35",
  "version": 1,
  "metadata": {
    "tools": [
      {
        "name": "tuxcare-vex-generator",
        "version": "1.0.0"
      }
    ]
  },
  "components": [
    {
      "bom-ref": "pkg:npm/%40angular/bazel@15.2.6-tuxcare.1",
      "type": "library",
      "name": "@angular/bazel",
      "version": "15.2.6-tuxcare.1",
      "purl": "pkg:npm/%40angular/bazel@15.2.6-tuxcare.1"
    }
  ],
  "vulnerabilities": [
    {
      "bom-ref": "urn:uuid:4e427e20-a446-514d-bc26-b2381c91b1f2",
      "id": "CVE-2025-66035",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2025-66035 is fixed in version 15.2.6-tuxcare.1 of @angular/bazel."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/bazel@15.2.6-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:7b77e219-fd82-52dd-8ca7-a79afeaf2af3",
      "id": "CVE-2025-66412",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2025-66412 affects version 15.2.6-tuxcare.1 of @angular/bazel."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/bazel@15.2.6-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:f4215827-ceed-5139-b957-1565e4846bdf",
      "id": "CVE-2026-22610",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-22610 affects version 15.2.6-tuxcare.1 of @angular/bazel."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/bazel@15.2.6-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:93d0d1a6-53ea-58e5-9650-d92da89044c0",
      "id": "CVE-2026-27970",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-27970 affects version 15.2.6-tuxcare.1 of @angular/bazel."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/bazel@15.2.6-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:5274e301-6e94-5a8b-978b-182595d56710",
      "id": "CVE-2026-41423",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2026-41423 does not affect version 15.2.6-tuxcare.1 of @angular/bazel. not_affected \u2014 Target version 15.2.6 is NOT affected by CVE-2026-41423. The target uses Node.js legacy url.parse() API which does NOT interpret protocol-relative URLs (//evil.com) as hostname overrides. The vulnerability only exists when using the WHATWG URL API (new URL()) without input preprocessing, which this version does not use. Testing confirms url.parse('//attacker.com') sets hostname to null (not 'at..."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/bazel@15.2.6-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:3455229f-09c7-5401-a9de-2607dbb1cdcd",
      "id": "CVE-2026-46417",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-46417 affects version 15.2.6-tuxcare.1 of @angular/bazel."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/bazel@15.2.6-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:91eff429-3537-5fcb-81e3-639429cb582f",
      "id": "CVE-2026-50168",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2026-50168 does not affect version 15.2.6-tuxcare.1 of @angular/bazel. not_affected \u2014 CVE-2026-50168 targets a vulnerability in Angular's platform-server allowedHosts validation feature that allows bypassing hostname restrictions via malformed URLs (e.g., evil.com:80:80). The target repository (Angular v15.2.6-tuxcare.1) does not contain the allowedHosts feature (validateAllowedHosts, isHostAllowed functions) that this CVE exploits. Without the allowedHosts validation mechanism,..."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/bazel@15.2.6-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:2d0653f9-6aa9-5c21-bef7-4acb6249c39c",
      "id": "CVE-2026-50169",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-50169 affects version 15.2.6-tuxcare.1 of @angular/bazel."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/bazel@15.2.6-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:8c7a4196-654a-5c37-9af1-da4eda50adc8",
      "id": "CVE-2026-50170",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2026-50170 does not affect version 15.2.6-tuxcare.1 of @angular/bazel. not_affected \u2014 Angular version 15.2.6-tuxcare.1 does not contain the HttpTransferCache feature that is the subject of CVE-2026-50170. The vulnerable component (packages/common/http/src/transfer_cache.ts) was introduced in Angular v16.0.0-next.7, after the target version. The vulnerability requires automatic HTTP response caching in TransferState during SSR, which does not exist in v15.2.6."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/bazel@15.2.6-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:3a1d8636-765b-5481-b38c-fe2194d8c5bd",
      "id": "CVE-2026-50171",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-50171 affects version 15.2.6-tuxcare.1 of @angular/bazel."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/bazel@15.2.6-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:3dd07983-d431-5346-8227-f9a92570f3b6",
      "id": "CVE-2026-50184",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-50184 affects version 15.2.6-tuxcare.1 of @angular/bazel."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/bazel@15.2.6-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:6d39990b-47ec-5284-81a2-8fc7e0ccb112",
      "id": "CVE-2026-50555",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-50555 affects version 15.2.6-tuxcare.1 of @angular/bazel."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/bazel@15.2.6-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:d78a2e26-9c77-554f-9e24-ba8343638372",
      "id": "CVE-2026-50556",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-50556 affects version 15.2.6-tuxcare.1 of @angular/bazel."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/bazel@15.2.6-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:b30529ee-0f94-5d65-8d6b-175396dd648b",
      "id": "CVE-2026-50557",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-50557 affects version 15.2.6-tuxcare.1 of @angular/bazel."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/bazel@15.2.6-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:6b5902a8-406a-55ec-8a4b-737198708b4e",
      "id": "CVE-2026-52725",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-52725 affects version 15.2.6-tuxcare.1 of @angular/bazel."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/bazel@15.2.6-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:12e4667a-ea74-50dd-b0a3-6e64f8eeb0da",
      "id": "CVE-2026-54264",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-54264 affects version 15.2.6-tuxcare.1 of @angular/bazel."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/bazel@15.2.6-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:5615a2e7-5d56-5688-bbf3-8e18b56959fa",
      "id": "CVE-2026-54265",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2026-54265 does not affect version 15.2.6-tuxcare.1 of @angular/bazel. not_affected \u2014 Angular 15.2.6 is not affected by CVE-2026-54265. The vulnerability is specific to the template pipeline architecture introduced in Angular 20+, which does not exist in Angular 15. Angular 15 uses the older render3 compiler that desugars two-way bindings into standard property bindings at parse time, and these property bindings correctly receive sanitizers."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/bazel@15.2.6-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:8a3fd88e-dfe2-5ee1-95c8-d9bd71b1ded2",
      "id": "CVE-2026-54266",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2026-54266 does not affect version 15.2.6-tuxcare.1 of @angular/bazel. not_affected \u2014 Angular 15.2.6-tuxcare.1 is not affected by CVE-2026-54266 because the HttpTransferCache feature, including the vulnerable weak DJB2 hash function, was not introduced until Angular v16.0.0. The target version predates the introduction of this feature entirely."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/bazel@15.2.6-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:4e81ccbe-f52f-5804-bf21-cfe26a4e3afe",
      "id": "CVE-2026-54267",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-54267 affects version 15.2.6-tuxcare.1 of @angular/bazel."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/bazel@15.2.6-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:6007a4a4-688b-5736-817f-db9ba80ce4b2",
      "id": "CVE-2026-54268",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-54268 affects version 15.2.6-tuxcare.1 of @angular/bazel."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/bazel@15.2.6-tuxcare.1"
        }
      ]
    }
  ],
  "dependencies": [
    {
      "ref": "pkg:npm/%40angular/bazel@15.2.6-tuxcare.1"
    }
  ]
}