{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:1583a55f-f805-598a-84b0-b79aea014b5b", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:npm/%40angular/benchpress@15.2.9", "type": "library", "name": "@angular/benchpress", "version": "15.2.9", "purl": "pkg:npm/%40angular/benchpress@15.2.9" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:5386be3a-7b81-5aa2-8073-5e2512716080", "id": "CVE-2025-66412", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-66412 affects version 15.2.9 of @angular/benchpress." }, "affects": [ { "ref": "pkg:npm/%40angular/benchpress@15.2.9" } ] }, { "bom-ref": "urn:uuid:ac6d2596-1df9-5e77-9b50-061cf77f7101", "id": "CVE-2026-22610", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22610 affects version 15.2.9 of @angular/benchpress." }, "affects": [ { "ref": "pkg:npm/%40angular/benchpress@15.2.9" } ] }, { "bom-ref": "urn:uuid:18bc88d3-077d-5558-b20a-6cecd031caad", "id": "CVE-2026-27970", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-27970 affects version 15.2.9 of @angular/benchpress." }, "affects": [ { "ref": "pkg:npm/%40angular/benchpress@15.2.9" } ] }, { "bom-ref": "urn:uuid:46af251e-33a6-59c0-b466-e790d140c7ae", "id": "CVE-2026-41423", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41423 does not affect version 15.2.9 of @angular/benchpress. not_affected \u2014 Angular 15.2.9 is not affected by CVE-2026-41423. The SSRF vulnerability via protocol-relative URLs was introduced in Angular 17.0.0 when the codebase switched from Node.js url.parse to WHATWG URL API. Angular 15.2.9 still uses the legacy Node.js url.parse which treats protocol-relative URLs ('//evil.com') as pathnames, not hostname overrides, preventing the SSRF attack vector." }, "affects": [ { "ref": "pkg:npm/%40angular/benchpress@15.2.9" } ] }, { "bom-ref": "urn:uuid:4790a137-7acf-5984-97e8-d823ebd75467", "id": "CVE-2026-46417", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-46417 affects version 15.2.9 of @angular/benchpress." }, "affects": [ { "ref": "pkg:npm/%40angular/benchpress@15.2.9" } ] }, { "bom-ref": "urn:uuid:2eb0681e-4d1d-5683-a781-570fdf75126b", "id": "CVE-2026-50168", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50168 affects version 15.2.9 of @angular/benchpress." }, "affects": [ { "ref": "pkg:npm/%40angular/benchpress@15.2.9" } ] }, { "bom-ref": "urn:uuid:35af32fd-691f-50d2-9151-51e723f38da4", "id": "CVE-2026-50169", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50169 affects version 15.2.9 of @angular/benchpress." }, "affects": [ { "ref": "pkg:npm/%40angular/benchpress@15.2.9" } ] }, { "bom-ref": "urn:uuid:ffaf72a2-3495-5a54-af1d-3eb48d8bd71c", "id": "CVE-2026-50170", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-50170 does not affect version 15.2.9 of @angular/benchpress. not_affected \u2014 no evidence captured" }, "affects": [ { "ref": "pkg:npm/%40angular/benchpress@15.2.9" } ] }, { "bom-ref": "urn:uuid:2b87c4b2-0190-5c63-9133-fd03b0b781da", "id": "CVE-2026-50171", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50171 affects version 15.2.9 of @angular/benchpress." }, "affects": [ { "ref": "pkg:npm/%40angular/benchpress@15.2.9" } ] }, { "bom-ref": "urn:uuid:2e00bbf5-edfd-5ea6-bf40-6e68c910ea30", "id": "CVE-2026-50184", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50184 affects version 15.2.9 of @angular/benchpress." }, "affects": [ { "ref": "pkg:npm/%40angular/benchpress@15.2.9" } ] }, { "bom-ref": "urn:uuid:4a7f9e10-c27a-526c-8c10-c0451eca52ae", "id": "CVE-2026-50555", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50555 affects version 15.2.9 of @angular/benchpress." }, "affects": [ { "ref": "pkg:npm/%40angular/benchpress@15.2.9" } ] }, { "bom-ref": "urn:uuid:0e4ee3de-602f-5b54-b50c-6d1a3b8e2a2d", "id": "CVE-2026-50556", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50556 affects version 15.2.9 of @angular/benchpress." }, "affects": [ { "ref": "pkg:npm/%40angular/benchpress@15.2.9" } ] }, { "bom-ref": "urn:uuid:2b16b441-6960-5a86-ad73-c1a5ad76602e", "id": "CVE-2026-50557", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50557 affects version 15.2.9 of @angular/benchpress." }, "affects": [ { "ref": "pkg:npm/%40angular/benchpress@15.2.9" } ] }, { "bom-ref": "urn:uuid:6442366a-41e6-5688-b3e5-042ab0f51057", "id": "CVE-2026-52725", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-52725 affects version 15.2.9 of @angular/benchpress." }, "affects": [ { "ref": "pkg:npm/%40angular/benchpress@15.2.9" } ] }, { "bom-ref": "urn:uuid:6f64f76d-3ab6-5e20-874b-2864b82a6c70", "id": "CVE-2026-54264", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-54264 affects version 15.2.9 of @angular/benchpress." }, "affects": [ { "ref": "pkg:npm/%40angular/benchpress@15.2.9" } ] }, { "bom-ref": "urn:uuid:34c99545-f13c-534e-b7ed-f87171abda6a", "id": "CVE-2026-54265", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-54265 does not affect version 15.2.9 of @angular/benchpress. not_affected \u2014 Angular 15.2.9-tuxcare.1 is not affected by CVE-2026-54265. The vulnerability requires the new Ivy compiler 'pipeline' architecture with the TwoWayProperty IR operation, which was introduced in Angular 16+. Angular 15.2.9 uses the older compiler architecture where two-way bindings are desugared into separate property and event bindings, causing them to automatically receive the same sanitizatio..." }, "affects": [ { "ref": "pkg:npm/%40angular/benchpress@15.2.9" } ] }, { "bom-ref": "urn:uuid:42d673c2-68e4-59fb-a42d-8b8a921a35ab", "id": "CVE-2026-54266", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-54266 does not affect version 15.2.9 of @angular/benchpress. not_affected \u2014 Angular 15.2.9 is not affected by CVE-2026-54266. The vulnerable HttpTransferCache feature does not exist in this version - it was introduced in Angular v16+. Without this feature, there is no code that hashes HTTP request properties for cache key generation, so the hash collision vulnerability cannot manifest." }, "affects": [ { "ref": "pkg:npm/%40angular/benchpress@15.2.9" } ] }, { "bom-ref": "urn:uuid:0d8af402-2a43-53b1-bda5-2a17d8b1d942", "id": "CVE-2026-54267", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-54267 affects version 15.2.9 of @angular/benchpress." }, "affects": [ { "ref": "pkg:npm/%40angular/benchpress@15.2.9" } ] }, { "bom-ref": "urn:uuid:4fcfb32f-d821-5508-9e3d-04298cffea60", "id": "CVE-2026-54268", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-54268 affects version 15.2.9 of @angular/benchpress." }, "affects": [ { "ref": "pkg:npm/%40angular/benchpress@15.2.9" } ] } ], "dependencies": [ { "ref": "pkg:npm/%40angular/benchpress@15.2.9" } ] }