{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:2f47ddca-10df-57d6-bf4a-3b767dfe5858", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:npm/%40angular/benchpress@10.1.0-tuxcare.1", "type": "library", "name": "@angular/benchpress", "version": "10.1.0-tuxcare.1", "purl": "pkg:npm/%40angular/benchpress@10.1.0-tuxcare.1" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:cad7ad30-00ab-5a4d-aeb5-2189260d35d7", "id": "CVE-2020-7608", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2020-7608 is fixed in version 10.1.0-tuxcare.1 of @angular/benchpress." }, "affects": [ { "ref": "pkg:npm/%40angular/benchpress@10.1.0-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:66d63890-bdf0-5cd9-b72d-8110adcdfbb6", "id": "CVE-2021-4231", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2021-4231 affects version 10.1.0-tuxcare.1 of @angular/benchpress." }, "affects": [ { "ref": "pkg:npm/%40angular/benchpress@10.1.0-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:0372c1d7-807b-531e-b616-13ece3ed0385", "id": "CVE-2025-66035", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-66035 is fixed in version 10.1.0-tuxcare.1 of @angular/benchpress." }, "affects": [ { "ref": "pkg:npm/%40angular/benchpress@10.1.0-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:1ceb4a37-6889-5a43-9e26-b497aaeaecae", "id": "CVE-2025-66412", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-66412 affects version 10.1.0-tuxcare.1 of @angular/benchpress." }, "affects": [ { "ref": "pkg:npm/%40angular/benchpress@10.1.0-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:6240aceb-62cf-5a6e-b83b-18312af23c75", "id": "CVE-2026-22610", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22610 affects version 10.1.0-tuxcare.1 of @angular/benchpress." }, "affects": [ { "ref": "pkg:npm/%40angular/benchpress@10.1.0-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:a6eae59c-7271-5a30-a457-43e752f9a94d", "id": "CVE-2026-27739", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-27739 is fixed in version 10.1.0-tuxcare.1 of @angular/benchpress." }, "affects": [ { "ref": "pkg:npm/%40angular/benchpress@10.1.0-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:2093a97c-295e-540b-91d3-d5a31488761f", "id": "CVE-2026-27970", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-27970 affects version 10.1.0-tuxcare.1 of @angular/benchpress." }, "affects": [ { "ref": "pkg:npm/%40angular/benchpress@10.1.0-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:1bcc661e-d4b9-5414-8d35-19ee5ee50d38", "id": "CVE-2026-41423", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41423 does not affect version 10.1.0-tuxcare.1 of @angular/benchpress. not_affected \u2014 Version 10.1.0 uses Node.js legacy url.parse() API which does not parse protocol-relative URLs (//host) or backslash-prefixed URLs (/\\host) in a way that allows hostname hijacking. The SSRF vulnerability only manifests when using the WHATWG URL API (new URL()) without protection." }, "affects": [ { "ref": "pkg:npm/%40angular/benchpress@10.1.0-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:19154376-6e53-5ef6-99c6-b2049a0a8cbc", "id": "CVE-2026-46417", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-46417 affects version 10.1.0-tuxcare.1 of @angular/benchpress." }, "affects": [ { "ref": "pkg:npm/%40angular/benchpress@10.1.0-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:dd5270d3-fcbd-5b83-9c8b-0f6f9b60b1f6", "id": "CVE-2026-50168", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50168 affects version 10.1.0-tuxcare.1 of @angular/benchpress." }, "affects": [ { "ref": "pkg:npm/%40angular/benchpress@10.1.0-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:dccfe439-fdcc-5660-a1b7-721467e11118", "id": "CVE-2026-50169", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50169 affects version 10.1.0-tuxcare.1 of @angular/benchpress." }, "affects": [ { "ref": "pkg:npm/%40angular/benchpress@10.1.0-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:fddb75e0-b96d-5861-a7f0-4dda7b210192", "id": "CVE-2026-50170", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-50170 does not affect version 10.1.0-tuxcare.1 of @angular/benchpress. not_affected \u2014 Angular v10.1.0-tuxcare.2 is not affected by CVE-2026-50170. The vulnerability concerns the HTTP transfer cache feature which caches HTTP responses during server-side rendering (SSR) and replays them during client hydration. This feature was introduced in Angular v16+ and does not exist in v10.1.0. The target version has no transfer_cache.ts file, no transferCacheInterceptorFn, and no HTTP tran..." }, "affects": [ { "ref": "pkg:npm/%40angular/benchpress@10.1.0-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:776038dc-0fcd-538e-a928-5b930a861f2e", "id": "CVE-2026-50171", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50171 affects version 10.1.0-tuxcare.1 of @angular/benchpress." }, "affects": [ { "ref": "pkg:npm/%40angular/benchpress@10.1.0-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:514ad9f1-f8b4-5b35-8282-e9e126ac4c52", "id": "CVE-2026-50184", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50184 affects version 10.1.0-tuxcare.1 of @angular/benchpress." }, "affects": [ { "ref": "pkg:npm/%40angular/benchpress@10.1.0-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:b6729579-6087-5eac-a44d-4da9e900d33d", "id": "CVE-2026-50555", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50555 affects version 10.1.0-tuxcare.1 of @angular/benchpress." }, "affects": [ { "ref": "pkg:npm/%40angular/benchpress@10.1.0-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:323b8cd5-5960-56c4-b71b-bd747239e048", "id": "CVE-2026-50556", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50556 affects version 10.1.0-tuxcare.1 of @angular/benchpress." }, "affects": [ { "ref": "pkg:npm/%40angular/benchpress@10.1.0-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:99c156fe-6a62-5eef-bfc0-13ec32a447f5", "id": "CVE-2026-50557", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50557 affects version 10.1.0-tuxcare.1 of @angular/benchpress." }, "affects": [ { "ref": "pkg:npm/%40angular/benchpress@10.1.0-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:c36a85bf-61ed-59e5-bdb8-4dabd08c0b22", "id": "CVE-2026-52725", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-52725 affects version 10.1.0-tuxcare.1 of @angular/benchpress." }, "affects": [ { "ref": "pkg:npm/%40angular/benchpress@10.1.0-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:066a9a83-f019-5003-89e3-e8e09b6727fb", "id": "CVE-2026-54264", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-54264 does not affect version 10.1.0-tuxcare.1 of @angular/benchpress. not_affected \u2014 Angular 10.1.0-tuxcare.2 is not affected by CVE-2026-54264. The vulnerability requires the Service Worker to preserve and forward credential headers on cross-origin redirects. In this version, AssetGroup creates fresh requests without any headers when following redirects, and DataGroup delegates to the browser's native fetch API which correctly implements the Fetch specification's header-stripp..." }, "affects": [ { "ref": "pkg:npm/%40angular/benchpress@10.1.0-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:69757ce7-05a1-555a-bcc9-a97b1a75d9cf", "id": "CVE-2026-54265", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-54265 does not affect version 10.1.0-tuxcare.1 of @angular/benchpress. not_affected \u2014 Angular 10.1.0-tuxcare.2 is not affected by CVE-2026-54265. The vulnerability targets the Ivy template pipeline architecture (Angular 17+) where TwoWayProperty IR operations were missing from sanitizer resolution. Angular 10.1.0 uses an earlier Ivy architecture that desugars two-way bindings to regular property bindings during parsing, automatically applying schema-based sanitization. The vulne..." }, "affects": [ { "ref": "pkg:npm/%40angular/benchpress@10.1.0-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:13354306-be9d-5eba-8ea0-5db88679c991", "id": "CVE-2026-54266", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-54266 does not affect version 10.1.0-tuxcare.1 of @angular/benchpress. not_affected \u2014 Angular 10.1.0 does not contain the HttpTransferCache feature. The vulnerability (CVE-2026-54266) is in HttpTransferCache's weak DJB2 hash function used for cache key generation, but this feature was introduced in Angular 16+ and does not exist in version 10.1.0. Type A1 (input absent): the INPUT handler (HttpTransferCache interceptor) is not present anywhere in the codebase." }, "affects": [ { "ref": "pkg:npm/%40angular/benchpress@10.1.0-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:e9c79598-68f9-5349-b97c-b1853067577c", "id": "CVE-2026-54267", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-54267 affects version 10.1.0-tuxcare.1 of @angular/benchpress." }, "affects": [ { "ref": "pkg:npm/%40angular/benchpress@10.1.0-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:165f77a8-834e-59e1-b87e-54853f7915d7", "id": "CVE-2026-54268", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-54268 affects version 10.1.0-tuxcare.1 of @angular/benchpress." }, "affects": [ { "ref": "pkg:npm/%40angular/benchpress@10.1.0-tuxcare.1" } ] } ], "dependencies": [ { "ref": "pkg:npm/%40angular/benchpress@10.1.0-tuxcare.1" } ] }