{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:868ed9c8-5d62-5eae-b164-b41acaf745ce", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:npm/%40angular/bazel@15.2.9", "type": "library", "name": "@angular/bazel", "version": "15.2.9", "purl": "pkg:npm/%40angular/bazel@15.2.9" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:23255273-ce85-53f8-8f68-82d41ee9fc3d", "id": "CVE-2025-66412", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-66412 affects version 15.2.9 of @angular/bazel." }, "affects": [ { "ref": "pkg:npm/%40angular/bazel@15.2.9" } ] }, { "bom-ref": "urn:uuid:dc72b678-1cf4-57ee-be3a-b00677ea46fc", "id": "CVE-2026-22610", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22610 affects version 15.2.9 of @angular/bazel." }, "affects": [ { "ref": "pkg:npm/%40angular/bazel@15.2.9" } ] }, { "bom-ref": "urn:uuid:b2649a03-d624-5a01-b8ef-8a121837e707", "id": "CVE-2026-27970", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-27970 affects version 15.2.9 of @angular/bazel." }, "affects": [ { "ref": "pkg:npm/%40angular/bazel@15.2.9" } ] }, { "bom-ref": "urn:uuid:3de4cbe1-5fbb-5f47-971d-09f7d0fe8b80", "id": "CVE-2026-41423", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41423 does not affect version 15.2.9 of @angular/bazel. not_affected \u2014 Angular 15.2.9 is not affected by CVE-2026-41423. The SSRF vulnerability via protocol-relative URLs was introduced in Angular 17.0.0 when the codebase switched from Node.js url.parse to WHATWG URL API. Angular 15.2.9 still uses the legacy Node.js url.parse which treats protocol-relative URLs ('//evil.com') as pathnames, not hostname overrides, preventing the SSRF attack vector." }, "affects": [ { "ref": "pkg:npm/%40angular/bazel@15.2.9" } ] }, { "bom-ref": "urn:uuid:31957ff1-1e1c-5b0f-8973-ac9ff921a087", "id": "CVE-2026-46417", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-46417 affects version 15.2.9 of @angular/bazel." }, "affects": [ { "ref": "pkg:npm/%40angular/bazel@15.2.9" } ] }, { "bom-ref": "urn:uuid:09b1ff52-e644-5018-8b0c-37c9950ead35", "id": "CVE-2026-50168", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50168 affects version 15.2.9 of @angular/bazel." }, "affects": [ { "ref": "pkg:npm/%40angular/bazel@15.2.9" } ] }, { "bom-ref": "urn:uuid:fb2da9ac-2aa1-5224-b014-f6b0b4b065d3", "id": "CVE-2026-50169", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50169 affects version 15.2.9 of @angular/bazel." }, "affects": [ { "ref": "pkg:npm/%40angular/bazel@15.2.9" } ] }, { "bom-ref": "urn:uuid:77b8d258-57d0-5537-893d-d6c3b2a4e248", "id": "CVE-2026-50170", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-50170 does not affect version 15.2.9 of @angular/bazel. not_affected \u2014 no evidence captured" }, "affects": [ { "ref": "pkg:npm/%40angular/bazel@15.2.9" } ] }, { "bom-ref": "urn:uuid:2912a4dc-895e-5e40-a459-717ee1807744", "id": "CVE-2026-50171", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50171 affects version 15.2.9 of @angular/bazel." }, "affects": [ { "ref": "pkg:npm/%40angular/bazel@15.2.9" } ] }, { "bom-ref": "urn:uuid:cfcd1d57-2753-5f61-811b-ea61e59f1e13", "id": "CVE-2026-50184", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50184 affects version 15.2.9 of @angular/bazel." }, "affects": [ { "ref": "pkg:npm/%40angular/bazel@15.2.9" } ] }, { "bom-ref": "urn:uuid:5e8ed616-fa79-5adc-bcdb-1d679e89779a", "id": "CVE-2026-50555", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50555 affects version 15.2.9 of @angular/bazel." }, "affects": [ { "ref": "pkg:npm/%40angular/bazel@15.2.9" } ] }, { "bom-ref": "urn:uuid:5d9e2613-cffc-5284-b14f-0663686f0851", "id": "CVE-2026-50556", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50556 affects version 15.2.9 of @angular/bazel." }, "affects": [ { "ref": "pkg:npm/%40angular/bazel@15.2.9" } ] }, { "bom-ref": "urn:uuid:607ae2bc-3cc2-5528-8783-dbed10dd65e0", "id": "CVE-2026-50557", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50557 affects version 15.2.9 of @angular/bazel." }, "affects": [ { "ref": "pkg:npm/%40angular/bazel@15.2.9" } ] }, { "bom-ref": "urn:uuid:ecdf1cc8-966f-5ffb-ac63-e24914b74f37", "id": "CVE-2026-52725", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-52725 affects version 15.2.9 of @angular/bazel." }, "affects": [ { "ref": "pkg:npm/%40angular/bazel@15.2.9" } ] }, { "bom-ref": "urn:uuid:0085aa62-9d54-5937-ad50-47267564566f", "id": "CVE-2026-54264", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-54264 affects version 15.2.9 of @angular/bazel." }, "affects": [ { "ref": "pkg:npm/%40angular/bazel@15.2.9" } ] }, { "bom-ref": "urn:uuid:7350738c-5f4b-59cc-9986-91320f14a67e", "id": "CVE-2026-54265", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-54265 does not affect version 15.2.9 of @angular/bazel. not_affected \u2014 Angular 15.2.9-tuxcare.1 is not affected by CVE-2026-54265. The vulnerability requires the new Ivy compiler 'pipeline' architecture with the TwoWayProperty IR operation, which was introduced in Angular 16+. Angular 15.2.9 uses the older compiler architecture where two-way bindings are desugared into separate property and event bindings, causing them to automatically receive the same sanitizatio..." }, "affects": [ { "ref": "pkg:npm/%40angular/bazel@15.2.9" } ] }, { "bom-ref": "urn:uuid:d16c2a7d-fcae-5a09-96ae-46315b963d54", "id": "CVE-2026-54266", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-54266 does not affect version 15.2.9 of @angular/bazel. not_affected \u2014 Angular 15.2.9 is not affected by CVE-2026-54266. The vulnerable HttpTransferCache feature does not exist in this version - it was introduced in Angular v16+. Without this feature, there is no code that hashes HTTP request properties for cache key generation, so the hash collision vulnerability cannot manifest." }, "affects": [ { "ref": "pkg:npm/%40angular/bazel@15.2.9" } ] }, { "bom-ref": "urn:uuid:acf85eed-5d40-5a38-b60b-279939a3fd2a", "id": "CVE-2026-54267", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-54267 affects version 15.2.9 of @angular/bazel." }, "affects": [ { "ref": "pkg:npm/%40angular/bazel@15.2.9" } ] }, { "bom-ref": "urn:uuid:c11be6ba-eaa6-529d-ae17-489a5c64bb8d", "id": "CVE-2026-54268", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-54268 affects version 15.2.9 of @angular/bazel." }, "affects": [ { "ref": "pkg:npm/%40angular/bazel@15.2.9" } ] } ], "dependencies": [ { "ref": "pkg:npm/%40angular/bazel@15.2.9" } ] }