{
  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "serialNumber": "urn:uuid:55d68aae-c759-5511-856d-14ce3929f74d",
  "version": 1,
  "metadata": {
    "tools": [
      {
        "name": "tuxcare-vex-generator",
        "version": "1.0.0"
      }
    ]
  },
  "components": [
    {
      "bom-ref": "pkg:npm/%40angular/bazel@9.1.13-tuxcare.4",
      "type": "library",
      "name": "@angular/bazel",
      "version": "9.1.13-tuxcare.4",
      "purl": "pkg:npm/%40angular/bazel@9.1.13-tuxcare.4"
    }
  ],
  "vulnerabilities": [
    {
      "bom-ref": "urn:uuid:7761435d-ec32-542c-88d5-07ec125f3271",
      "id": "CVE-2021-4231",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2021-4231 is fixed in version 9.1.13-tuxcare.4 of @angular/bazel."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/bazel@9.1.13-tuxcare.4"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:2a9f8dcb-fe8a-5af8-8360-8aee49d697c8",
      "id": "CVE-2025-66035",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2025-66035 affects version 9.1.13-tuxcare.4 of @angular/bazel."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/bazel@9.1.13-tuxcare.4"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:87ff3883-5c1e-500b-be56-1e0cc66f167c",
      "id": "CVE-2025-66412",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2025-66412 is fixed in version 9.1.13-tuxcare.4 of @angular/bazel."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/bazel@9.1.13-tuxcare.4"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:b324a457-25f8-5077-9eea-e66e5a46bddf",
      "id": "CVE-2026-22610",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-22610 affects version 9.1.13-tuxcare.4 of @angular/bazel."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/bazel@9.1.13-tuxcare.4"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:b8726ba0-3e69-58d8-86c4-d754f30d6c93",
      "id": "CVE-2026-27970",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-27970 affects version 9.1.13-tuxcare.4 of @angular/bazel."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/bazel@9.1.13-tuxcare.4"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:3495b3b3-9ace-571d-a291-1ef3ae9c0cc8",
      "id": "CVE-2026-41423",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2026-41423 is fixed in version 9.1.13-tuxcare.4 of @angular/bazel."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/bazel@9.1.13-tuxcare.4"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:a577f341-9c31-5acc-bad3-095c4aedae1d",
      "id": "CVE-2026-46417",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-46417 affects version 9.1.13-tuxcare.4 of @angular/bazel."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/bazel@9.1.13-tuxcare.4"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:14ddb286-1e46-55ab-bf19-d1c0156bda4f",
      "id": "CVE-2026-50168",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-50168 affects version 9.1.13-tuxcare.4 of @angular/bazel."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/bazel@9.1.13-tuxcare.4"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:074c584a-df68-5319-a51c-75d5067a1066",
      "id": "CVE-2026-50169",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-50169 affects version 9.1.13-tuxcare.4 of @angular/bazel."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/bazel@9.1.13-tuxcare.4"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:46d059e9-8a42-5e23-8386-ccb4cbbd102d",
      "id": "CVE-2026-50170",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2026-50170 does not affect version 9.1.13-tuxcare.4 of @angular/bazel. not_affected \u2014 Angular v9.1.13 is not affected by CVE-2026-50170. The vulnerability exists in Angular's HttpTransferCache feature, which was introduced in Angular v16+. This feature does not exist in v9.1.13, making the vulnerability pattern impossible to manifest."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/bazel@9.1.13-tuxcare.4"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:a4408b5f-62e0-5ce9-bd5b-9d9fbc90d4e8",
      "id": "CVE-2026-50171",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-50171 affects version 9.1.13-tuxcare.4 of @angular/bazel."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/bazel@9.1.13-tuxcare.4"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:3f537c69-d538-5dba-84b8-950ba29ade2d",
      "id": "CVE-2026-50184",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-50184 affects version 9.1.13-tuxcare.4 of @angular/bazel."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/bazel@9.1.13-tuxcare.4"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:781d02f4-928f-5deb-8b29-cccc09b33f4e",
      "id": "CVE-2026-50555",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-50555 affects version 9.1.13-tuxcare.4 of @angular/bazel."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/bazel@9.1.13-tuxcare.4"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:8b29408e-1265-5236-91b7-d4a739ad0ec1",
      "id": "CVE-2026-50556",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-50556 affects version 9.1.13-tuxcare.4 of @angular/bazel."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/bazel@9.1.13-tuxcare.4"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:194de3b5-1173-553d-a44b-2e3ab836b90c",
      "id": "CVE-2026-50557",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-50557 affects version 9.1.13-tuxcare.4 of @angular/bazel."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/bazel@9.1.13-tuxcare.4"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:510e823d-0567-5b63-97af-13ac59ab4722",
      "id": "CVE-2026-52725",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-52725 affects version 9.1.13-tuxcare.4 of @angular/bazel."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/bazel@9.1.13-tuxcare.4"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:8f8da0d3-9961-5c62-9c6e-aba4537b4822",
      "id": "CVE-2026-54264",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2026-54264 does not affect version 9.1.13-tuxcare.4 of @angular/bazel. not_affected \u2014 Angular 9.1.13 is not affected by CVE-2026-54264. The target repository uses a fundamentally different request reconstruction architecture than the vulnerable upstream versions (22.0+). The vulnerability requires the presence of header-copying logic during request reconstruction, which does not exist in this version."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/bazel@9.1.13-tuxcare.4"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:ed138969-7fae-5102-80b1-1b9f82bd1061",
      "id": "CVE-2026-54265",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2026-54265 does not affect version 9.1.13-tuxcare.4 of @angular/bazel. not_affected \u2014 Angular 9.1.13-tuxcare.9 is NOT AFFECTED by CVE-2026-54265. The vulnerability exists in newer Ivy compiler's template/pipeline architecture where TwoWayProperty operations bypass sanitizer resolution. This version uses View Engine and early render3 (Ivy) implementations where two-way bindings desugar through the same parsePropertyBinding() path as one-way bindings, ensuring identical sanitizer ..."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/bazel@9.1.13-tuxcare.4"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:4476df40-7e7e-542f-869c-d528d534abb8",
      "id": "CVE-2026-54266",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2026-54266 does not affect version 9.1.13-tuxcare.4 of @angular/bazel. not_affected \u2014 Angular 9.1.13-tuxcare.9 does not contain the HttpTransferCache feature. The vulnerability CVE-2026-54266 affects the hash generation in HttpTransferCache, a feature introduced in Angular v16+. The target version (9.1.13) predates this feature by many major versions. While TransferState (generic state serialization) exists in v9, there is no HTTP caching integration that uses it. The packages/c..."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/bazel@9.1.13-tuxcare.4"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:a0339697-16dc-5ae7-afde-4a653d8425e5",
      "id": "CVE-2026-54267",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-54267 affects version 9.1.13-tuxcare.4 of @angular/bazel."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/bazel@9.1.13-tuxcare.4"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:e0b45536-cddc-58ba-b272-32814c65ca90",
      "id": "CVE-2026-54268",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-54268 affects version 9.1.13-tuxcare.4 of @angular/bazel."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/bazel@9.1.13-tuxcare.4"
        }
      ]
    }
  ],
  "dependencies": [
    {
      "ref": "pkg:npm/%40angular/bazel@9.1.13-tuxcare.4"
    }
  ]
}