{
  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "serialNumber": "urn:uuid:bfd59b80-7947-5aad-b038-21cbccc20180",
  "version": 1,
  "metadata": {
    "tools": [
      {
        "name": "tuxcare-vex-generator",
        "version": "1.0.0"
      }
    ]
  },
  "components": [
    {
      "bom-ref": "pkg:npm/%40angular/bazel@9.1.13-tuxcare.3",
      "type": "library",
      "name": "@angular/bazel",
      "version": "9.1.13-tuxcare.3",
      "purl": "pkg:npm/%40angular/bazel@9.1.13-tuxcare.3"
    }
  ],
  "vulnerabilities": [
    {
      "bom-ref": "urn:uuid:71952189-458e-5b0f-b2b3-6e532d69701f",
      "id": "CVE-2021-4231",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2021-4231 affects version 9.1.13-tuxcare.3 of @angular/bazel."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/bazel@9.1.13-tuxcare.3"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:bac4a34e-eb18-511b-b26b-46c8b8f32f0f",
      "id": "CVE-2025-66035",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2025-66035 affects version 9.1.13-tuxcare.3 of @angular/bazel."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/bazel@9.1.13-tuxcare.3"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:a25495d8-8ab9-588f-8bc9-2422b354eb73",
      "id": "CVE-2025-66412",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2025-66412 is fixed in version 9.1.13-tuxcare.3 of @angular/bazel."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/bazel@9.1.13-tuxcare.3"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:4ecb6207-51e4-587e-9433-9b4f88ee7439",
      "id": "CVE-2026-22610",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-22610 affects version 9.1.13-tuxcare.3 of @angular/bazel."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/bazel@9.1.13-tuxcare.3"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:8ecbe0ca-5993-549a-8ae0-f40a9ccd7447",
      "id": "CVE-2026-27970",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-27970 affects version 9.1.13-tuxcare.3 of @angular/bazel."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/bazel@9.1.13-tuxcare.3"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:917987e0-0395-531f-a585-237e4d4be877",
      "id": "CVE-2026-41423",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2026-41423 is fixed in version 9.1.13-tuxcare.3 of @angular/bazel."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/bazel@9.1.13-tuxcare.3"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:65d045d3-ba01-55f2-806b-dd883fe599ec",
      "id": "CVE-2026-46417",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-46417 affects version 9.1.13-tuxcare.3 of @angular/bazel."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/bazel@9.1.13-tuxcare.3"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:ed15ed8c-d7ff-56f6-bbb3-e93fd3da1ead",
      "id": "CVE-2026-50168",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-50168 affects version 9.1.13-tuxcare.3 of @angular/bazel."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/bazel@9.1.13-tuxcare.3"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:9d28ae8b-cfff-550a-8022-b1b8c88816a6",
      "id": "CVE-2026-50169",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-50169 affects version 9.1.13-tuxcare.3 of @angular/bazel."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/bazel@9.1.13-tuxcare.3"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:0abf8da6-a829-5e0d-9280-168c20086531",
      "id": "CVE-2026-50170",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2026-50170 does not affect version 9.1.13-tuxcare.3 of @angular/bazel. not_affected \u2014 Angular v9.1.13 is not affected by CVE-2026-50170. The vulnerability exists in Angular's HttpTransferCache feature, which was introduced in Angular v16+. This feature does not exist in v9.1.13, making the vulnerability pattern impossible to manifest."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/bazel@9.1.13-tuxcare.3"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:ecb2fb0c-445a-5ffb-a891-0985a5fbe752",
      "id": "CVE-2026-50171",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-50171 affects version 9.1.13-tuxcare.3 of @angular/bazel."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/bazel@9.1.13-tuxcare.3"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:5866c52c-4c63-5bc7-bb09-6ec1be73444a",
      "id": "CVE-2026-50184",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-50184 affects version 9.1.13-tuxcare.3 of @angular/bazel."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/bazel@9.1.13-tuxcare.3"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:e0d68cec-c217-59d0-8435-6d09bfe1a86f",
      "id": "CVE-2026-50555",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-50555 affects version 9.1.13-tuxcare.3 of @angular/bazel."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/bazel@9.1.13-tuxcare.3"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:c518ec83-1d95-57c7-bf36-840300cee879",
      "id": "CVE-2026-50556",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-50556 affects version 9.1.13-tuxcare.3 of @angular/bazel."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/bazel@9.1.13-tuxcare.3"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:2c9614c1-ce73-5cf7-9a34-f3fa5e3c3b8a",
      "id": "CVE-2026-50557",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-50557 affects version 9.1.13-tuxcare.3 of @angular/bazel."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/bazel@9.1.13-tuxcare.3"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:bd701e6c-0a4a-5689-9f5b-07a11fb5e870",
      "id": "CVE-2026-52725",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-52725 affects version 9.1.13-tuxcare.3 of @angular/bazel."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/bazel@9.1.13-tuxcare.3"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:e5367877-3790-5241-8f34-9078d2fdce73",
      "id": "CVE-2026-54264",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2026-54264 does not affect version 9.1.13-tuxcare.3 of @angular/bazel. not_affected \u2014 Angular 9.1.13 is not affected by CVE-2026-54264. The target repository uses a fundamentally different request reconstruction architecture than the vulnerable upstream versions (22.0+). The vulnerability requires the presence of header-copying logic during request reconstruction, which does not exist in this version."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/bazel@9.1.13-tuxcare.3"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:c564ad1e-469f-58c4-9ada-09fd7d979490",
      "id": "CVE-2026-54265",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2026-54265 does not affect version 9.1.13-tuxcare.3 of @angular/bazel. not_affected \u2014 Angular 9.1.13-tuxcare.9 is NOT AFFECTED by CVE-2026-54265. The vulnerability exists in newer Ivy compiler's template/pipeline architecture where TwoWayProperty operations bypass sanitizer resolution. This version uses View Engine and early render3 (Ivy) implementations where two-way bindings desugar through the same parsePropertyBinding() path as one-way bindings, ensuring identical sanitizer ..."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/bazel@9.1.13-tuxcare.3"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:7700bac3-4ef3-5b18-b3ec-c0a0cd90f85e",
      "id": "CVE-2026-54266",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2026-54266 does not affect version 9.1.13-tuxcare.3 of @angular/bazel. not_affected \u2014 Angular 9.1.13-tuxcare.9 does not contain the HttpTransferCache feature. The vulnerability CVE-2026-54266 affects the hash generation in HttpTransferCache, a feature introduced in Angular v16+. The target version (9.1.13) predates this feature by many major versions. While TransferState (generic state serialization) exists in v9, there is no HTTP caching integration that uses it. The packages/c..."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/bazel@9.1.13-tuxcare.3"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:9e8b9bb4-96ee-58ec-a5d0-bd6b2d8ce3b1",
      "id": "CVE-2026-54267",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-54267 affects version 9.1.13-tuxcare.3 of @angular/bazel."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/bazel@9.1.13-tuxcare.3"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:4e439c2e-7b3f-56d3-abb1-f5782fc784e1",
      "id": "CVE-2026-54268",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-54268 affects version 9.1.13-tuxcare.3 of @angular/bazel."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/bazel@9.1.13-tuxcare.3"
        }
      ]
    }
  ],
  "dependencies": [
    {
      "ref": "pkg:npm/%40angular/bazel@9.1.13-tuxcare.3"
    }
  ]
}