{
  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "serialNumber": "urn:uuid:a9191701-2805-5f93-8b3b-b45b396d08f3",
  "version": 1,
  "metadata": {
    "tools": [
      {
        "name": "tuxcare-vex-generator",
        "version": "1.0.0"
      }
    ]
  },
  "components": [
    {
      "bom-ref": "pkg:npm/%40angular/bazel@15.2.9-tuxcare.1",
      "type": "library",
      "name": "@angular/bazel",
      "version": "15.2.9-tuxcare.1",
      "purl": "pkg:npm/%40angular/bazel@15.2.9-tuxcare.1"
    }
  ],
  "vulnerabilities": [
    {
      "bom-ref": "urn:uuid:a10a7531-63ab-5e69-9a6d-447cafcd7bf6",
      "id": "CVE-2025-66035",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2025-66035 is fixed in version 15.2.9-tuxcare.1 of @angular/bazel."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/bazel@15.2.9-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:3c7696b8-e67a-5c60-b211-4cb68144f9b5",
      "id": "CVE-2025-66412",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2025-66412 affects version 15.2.9-tuxcare.1 of @angular/bazel."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/bazel@15.2.9-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:64425b0c-5031-5e86-a4d8-56f9327720cd",
      "id": "CVE-2026-22610",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-22610 affects version 15.2.9-tuxcare.1 of @angular/bazel."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/bazel@15.2.9-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:a81a8150-7f63-554a-9102-477e7320e021",
      "id": "CVE-2026-27970",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-27970 affects version 15.2.9-tuxcare.1 of @angular/bazel."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/bazel@15.2.9-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:49c2493c-25f2-5558-9dfd-dbcb23c6b580",
      "id": "CVE-2026-41423",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2026-41423 does not affect version 15.2.9-tuxcare.1 of @angular/bazel. not_affected \u2014 Angular 15.2.9 is not affected by CVE-2026-41423. The SSRF vulnerability via protocol-relative URLs was introduced in Angular 17.0.0 when the codebase switched from Node.js url.parse to WHATWG URL API. Angular 15.2.9 still uses the legacy Node.js url.parse which treats protocol-relative URLs ('//evil.com') as pathnames, not hostname overrides, preventing the SSRF attack vector."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/bazel@15.2.9-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:1384c88b-18f3-50b6-9d74-c60e3f565d52",
      "id": "CVE-2026-46417",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-46417 affects version 15.2.9-tuxcare.1 of @angular/bazel."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/bazel@15.2.9-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:f0bf5269-2a0a-5724-8bfe-45f9b629f477",
      "id": "CVE-2026-50168",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-50168 affects version 15.2.9-tuxcare.1 of @angular/bazel."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/bazel@15.2.9-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:ff010493-55a1-5932-96d3-0ab0410617dc",
      "id": "CVE-2026-50169",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-50169 affects version 15.2.9-tuxcare.1 of @angular/bazel."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/bazel@15.2.9-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:65b1f7bf-9692-555c-9f4b-dbc62c9605bc",
      "id": "CVE-2026-50170",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2026-50170 does not affect version 15.2.9-tuxcare.1 of @angular/bazel. not_affected \u2014 no evidence captured"
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/bazel@15.2.9-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:05e398e1-bfc9-542f-950a-0d111e6c71b8",
      "id": "CVE-2026-50171",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-50171 affects version 15.2.9-tuxcare.1 of @angular/bazel."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/bazel@15.2.9-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:1766f97a-e7a7-598e-87ee-e24ab62b62cb",
      "id": "CVE-2026-50184",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-50184 affects version 15.2.9-tuxcare.1 of @angular/bazel."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/bazel@15.2.9-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:e842e68f-8a86-5d0e-8616-f380bf213932",
      "id": "CVE-2026-50555",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-50555 affects version 15.2.9-tuxcare.1 of @angular/bazel."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/bazel@15.2.9-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:ce414476-f900-5f21-b154-f578679349bf",
      "id": "CVE-2026-50556",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-50556 affects version 15.2.9-tuxcare.1 of @angular/bazel."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/bazel@15.2.9-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:8d656bfb-418d-5e3f-b312-653fd6eab509",
      "id": "CVE-2026-50557",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-50557 affects version 15.2.9-tuxcare.1 of @angular/bazel."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/bazel@15.2.9-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:15585781-07d0-5c91-bb66-3e2bd7791d1e",
      "id": "CVE-2026-52725",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-52725 affects version 15.2.9-tuxcare.1 of @angular/bazel."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/bazel@15.2.9-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:252f1abd-e4cb-5ebc-93c0-3bcd32c24a0c",
      "id": "CVE-2026-54264",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-54264 affects version 15.2.9-tuxcare.1 of @angular/bazel."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/bazel@15.2.9-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:7a6f6b7b-0f57-5e73-af99-42e6c96e6c66",
      "id": "CVE-2026-54265",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2026-54265 does not affect version 15.2.9-tuxcare.1 of @angular/bazel. not_affected \u2014 Angular 15.2.9-tuxcare.1 is not affected by CVE-2026-54265. The vulnerability requires the new Ivy compiler 'pipeline' architecture with the TwoWayProperty IR operation, which was introduced in Angular 16+. Angular 15.2.9 uses the older compiler architecture where two-way bindings are desugared into separate property and event bindings, causing them to automatically receive the same sanitizatio..."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/bazel@15.2.9-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:32b27d0b-dc7b-5f5a-9cd8-03ffc205ad39",
      "id": "CVE-2026-54266",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2026-54266 does not affect version 15.2.9-tuxcare.1 of @angular/bazel. not_affected \u2014 Angular 15.2.9 is not affected by CVE-2026-54266. The vulnerable HttpTransferCache feature does not exist in this version - it was introduced in Angular v16+. Without this feature, there is no code that hashes HTTP request properties for cache key generation, so the hash collision vulnerability cannot manifest."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/bazel@15.2.9-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:e52d3843-66db-5cc3-a27d-e1f3ec309dfa",
      "id": "CVE-2026-54267",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-54267 affects version 15.2.9-tuxcare.1 of @angular/bazel."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/bazel@15.2.9-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:0db1ac9c-23b5-532f-b05d-78bf08864aae",
      "id": "CVE-2026-54268",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-54268 affects version 15.2.9-tuxcare.1 of @angular/bazel."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/bazel@15.2.9-tuxcare.1"
        }
      ]
    }
  ],
  "dependencies": [
    {
      "ref": "pkg:npm/%40angular/bazel@15.2.9-tuxcare.1"
    }
  ]
}