{
  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "serialNumber": "urn:uuid:6263b5d3-1d04-5eb3-b4db-94df1cb815b0",
  "version": 1,
  "metadata": {
    "tools": [
      {
        "name": "tuxcare-vex-generator",
        "version": "1.0.0"
      }
    ]
  },
  "components": [
    {
      "bom-ref": "pkg:npm/%40angular/bazel@5.2.7-tuxcare.2",
      "type": "library",
      "name": "@angular/bazel",
      "version": "5.2.7-tuxcare.2",
      "purl": "pkg:npm/%40angular/bazel@5.2.7-tuxcare.2"
    }
  ],
  "vulnerabilities": [
    {
      "bom-ref": "urn:uuid:550584cb-7492-5ec6-946e-8ab798b3c3d3",
      "id": "CVE-2021-4231",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2021-4231 affects version 5.2.7-tuxcare.2 of @angular/bazel."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/bazel@5.2.7-tuxcare.2"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:7d29fced-300f-5239-9125-305f381fc4dc",
      "id": "CVE-2025-66035",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2025-66035 is fixed in version 5.2.7-tuxcare.2 of @angular/bazel."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/bazel@5.2.7-tuxcare.2"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:b54be683-37e5-5c35-8b7a-b1968daab8a5",
      "id": "CVE-2025-66412",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2025-66412 is fixed in version 5.2.7-tuxcare.2 of @angular/bazel."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/bazel@5.2.7-tuxcare.2"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:7f65ae69-9cf3-548b-83db-41d714b9cd74",
      "id": "CVE-2026-22610",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-22610 affects version 5.2.7-tuxcare.2 of @angular/bazel."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/bazel@5.2.7-tuxcare.2"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:9f23ff28-ab4c-5597-83ca-131d50fcc1fb",
      "id": "CVE-2026-27970",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-27970 affects version 5.2.7-tuxcare.2 of @angular/bazel."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/bazel@5.2.7-tuxcare.2"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:3ce1a12f-dd6d-5f57-9375-ae588bfd0ff8",
      "id": "CVE-2026-41423",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2026-41423 does not affect version 5.2.7-tuxcare.2 of @angular/bazel. Angular version 5.2.7 is not affected by CVE-2026-41423. The vulnerability exists in later Angular versions (9+) that use the WHATWG URL API with hostname tracking. Version 5.2.7 uses Node's legacy url.parse() API and only tracks pathname/search/hash components, making the SSRF attack vector via hostname override impossible."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/bazel@5.2.7-tuxcare.2"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:de5526dd-75c7-583a-92d8-4de24b10bef8",
      "id": "CVE-2026-46417",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-46417 affects version 5.2.7-tuxcare.2 of @angular/bazel."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/bazel@5.2.7-tuxcare.2"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:1840343d-4067-54da-8428-d37b0f06a043",
      "id": "CVE-2026-50168",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-50168 affects version 5.2.7-tuxcare.2 of @angular/bazel."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/bazel@5.2.7-tuxcare.2"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:fa611133-88a9-5fb5-9084-36a43c8cf41d",
      "id": "CVE-2026-50169",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-50169 affects version 5.2.7-tuxcare.2 of @angular/bazel."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/bazel@5.2.7-tuxcare.2"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:acfcc7dd-aa99-54e8-9388-99cf068a1d7d",
      "id": "CVE-2026-50170",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2026-50170 does not affect version 5.2.7-tuxcare.2 of @angular/bazel. Angular 5.2.7 is not affected by CVE-2026-50170. The HTTP transfer cache feature that contains the vulnerability does not exist in this version. The transfer cache mechanism was introduced in Angular v16+, and Angular 5.2.7 predates this feature by many major versions."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/bazel@5.2.7-tuxcare.2"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:2df0e426-81a2-5f91-93dd-19440215d9d0",
      "id": "CVE-2026-50171",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-50171 affects version 5.2.7-tuxcare.2 of @angular/bazel."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/bazel@5.2.7-tuxcare.2"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:b73543ac-b7e3-5941-8b10-908624cba394",
      "id": "CVE-2026-50184",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-50184 affects version 5.2.7-tuxcare.2 of @angular/bazel."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/bazel@5.2.7-tuxcare.2"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:2668f506-fd70-5b18-bf3d-b1c4f9dd8249",
      "id": "CVE-2026-50555",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-50555 affects version 5.2.7-tuxcare.2 of @angular/bazel."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/bazel@5.2.7-tuxcare.2"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:978a6260-5c2c-5358-bd30-ded25209557d",
      "id": "CVE-2026-50556",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-50556 affects version 5.2.7-tuxcare.2 of @angular/bazel."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/bazel@5.2.7-tuxcare.2"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:41e986a2-6adb-5aa9-8f80-192aa5a7b2c3",
      "id": "CVE-2026-50557",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-50557 affects version 5.2.7-tuxcare.2 of @angular/bazel."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/bazel@5.2.7-tuxcare.2"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:c177d721-dd0a-5246-ad8c-0d029b02718a",
      "id": "CVE-2026-52725",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-52725 affects version 5.2.7-tuxcare.2 of @angular/bazel."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/bazel@5.2.7-tuxcare.2"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:2a2552d5-12f8-5e96-9ba8-2d818ed6f302",
      "id": "CVE-2026-54264",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2026-54264 does not affect version 5.2.7-tuxcare.2 of @angular/bazel. Angular v5.2.7 is NOT affected by CVE-2026-54264. The service worker's asset-group request reconstruction uses URL-only rebuilding via adapter.newRequest(req.url), which creates fresh Request objects with no headers from the original request. Since headers are never forwarded in the first place, there is no opportunity for sensitive headers to leak on cross-origin redirects. The vulnerable code..."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/bazel@5.2.7-tuxcare.2"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:65ec11a8-d312-5fcc-aea3-405f3cc6e13c",
      "id": "CVE-2026-54265",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2026-54265 does not affect version 5.2.7-tuxcare.2 of @angular/bazel. Angular 5.2.7-tuxcare.2 uses the View Engine compiler architecture, which does not have the vulnerable TwoWayProperty operation present in Ivy. Two-way bindings desugar through the same parsePropertyBinding() code path as one-way bindings and receive identical schema-derived sanitization. The vulnerability requires the Ivy template compiler pipeline with resolve_sanitizers.ts missing the TwoWay..."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/bazel@5.2.7-tuxcare.2"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:564686e3-b6d4-5f0a-8093-f6fed24868d0",
      "id": "CVE-2026-54266",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2026-54266 does not affect version 5.2.7-tuxcare.2 of @angular/bazel. Angular 5.2.7 is NOT affected by CVE-2026-54266. The vulnerable HttpTransferCache feature does not exist in this version (introduced in Angular v16+). No code path processes HTTP requests for automatic transfer cache key generation."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/bazel@5.2.7-tuxcare.2"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:1846b022-9741-56c2-ae95-d6c3f76f85b3",
      "id": "CVE-2026-54267",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-54267 affects version 5.2.7-tuxcare.2 of @angular/bazel."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/bazel@5.2.7-tuxcare.2"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:e67b0e97-ef57-5592-bbed-e5e954eef93c",
      "id": "CVE-2026-54268",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-54268 affects version 5.2.7-tuxcare.2 of @angular/bazel."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/bazel@5.2.7-tuxcare.2"
        }
      ]
    }
  ],
  "dependencies": [
    {
      "ref": "pkg:npm/%40angular/bazel@5.2.7-tuxcare.2"
    }
  ]
}