{
  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "serialNumber": "urn:uuid:b8fbba8f-d8c3-5a77-bee5-eed49913f1dc",
  "version": 1,
  "metadata": {
    "tools": [
      {
        "name": "tuxcare-vex-generator",
        "version": "1.0.0"
      }
    ]
  },
  "components": [
    {
      "bom-ref": "pkg:npm/%40angular/benchpress@16.2.7-tuxcare.1",
      "type": "library",
      "name": "@angular/benchpress",
      "version": "16.2.7-tuxcare.1",
      "purl": "pkg:npm/%40angular/benchpress@16.2.7-tuxcare.1"
    }
  ],
  "vulnerabilities": [
    {
      "bom-ref": "urn:uuid:1b7a5ee9-6668-533e-8c99-a0d5ca71e6ab",
      "id": "CVE-2025-59052",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2025-59052 affects version 16.2.7-tuxcare.1 of @angular/benchpress."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/benchpress@16.2.7-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:12a5bd74-824f-56d0-92fe-fa6e7bff981c",
      "id": "CVE-2025-66035",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2025-66035 is fixed in version 16.2.7-tuxcare.1 of @angular/benchpress."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/benchpress@16.2.7-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:e83ce52e-1ee9-52bd-923c-03801d96ce1b",
      "id": "CVE-2025-66412",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2025-66412 affects version 16.2.7-tuxcare.1 of @angular/benchpress."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/benchpress@16.2.7-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:2d0dd907-80ec-5679-b48b-4e3c12b36500",
      "id": "CVE-2026-22610",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-22610 affects version 16.2.7-tuxcare.1 of @angular/benchpress."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/benchpress@16.2.7-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:f8917777-7125-5079-ad07-b515d8e91554",
      "id": "CVE-2026-27970",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-27970 affects version 16.2.7-tuxcare.1 of @angular/benchpress."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/benchpress@16.2.7-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:5e32bffd-1c72-5338-968b-3e695fb9db5b",
      "id": "CVE-2026-41423",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2026-41423 does not affect version 16.2.7-tuxcare.1 of @angular/benchpress. not_affected \u2014 The target repository (Angular 16.2.7-tuxcare.1) uses Node.js legacy url.parse() API which is not vulnerable to the protocol-relative URL SSRF attack that affects WHATWG new URL() API. The vulnerability requires new URL(urlStr, origin) where protocol-relative URLs (//evil.com) can override the hostname component of the base URL. The target's url.parse() treats such inputs as pathname strings wi..."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/benchpress@16.2.7-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:2356b5be-64e7-53ef-ae94-ae545218c855",
      "id": "CVE-2026-46417",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-46417 affects version 16.2.7-tuxcare.1 of @angular/benchpress."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/benchpress@16.2.7-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:4eeff95d-36fd-531a-85d2-fcc420e74479",
      "id": "CVE-2026-50168",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2026-50168 does not affect version 16.2.7-tuxcare.1 of @angular/benchpress. not_affected \u2014 Angular v16.2.7 is not affected by CVE-2026-50168. The vulnerability exists in the relativeUrlsTransformerInterceptorFn HTTP interceptor that resolves relative URLs on the server, but this interceptor was added to Angular in October 2023 (commit 0c66e2424c), after v16.2.7's September 2023 release. Without this interceptor, relative HTTP requests fail rather than being resolved, preventing SSRF ..."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/benchpress@16.2.7-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:d7924a63-3da1-561a-9781-fe8552020fe9",
      "id": "CVE-2026-50169",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-50169 affects version 16.2.7-tuxcare.1 of @angular/benchpress."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/benchpress@16.2.7-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:92e0e5e4-f531-572c-ba16-caf6957a9f3c",
      "id": "CVE-2026-50170",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-50170 affects version 16.2.7-tuxcare.1 of @angular/benchpress."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/benchpress@16.2.7-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:0132e049-c738-576f-8e2f-55c1d88e5fa5",
      "id": "CVE-2026-50171",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-50171 affects version 16.2.7-tuxcare.1 of @angular/benchpress."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/benchpress@16.2.7-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:bbe9816e-6205-544f-85c0-184fc705ec6e",
      "id": "CVE-2026-50184",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-50184 affects version 16.2.7-tuxcare.1 of @angular/benchpress."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/benchpress@16.2.7-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:03cff966-b715-5569-8752-e90d701f5b96",
      "id": "CVE-2026-50555",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-50555 affects version 16.2.7-tuxcare.1 of @angular/benchpress."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/benchpress@16.2.7-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:d0d566df-be45-5ac9-afe1-ada8b7885042",
      "id": "CVE-2026-50556",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-50556 affects version 16.2.7-tuxcare.1 of @angular/benchpress."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/benchpress@16.2.7-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:d0cf68fa-caf4-5645-84dc-cfc54a23f441",
      "id": "CVE-2026-50557",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-50557 affects version 16.2.7-tuxcare.1 of @angular/benchpress."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/benchpress@16.2.7-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:eb7cb214-b8dc-5ee8-a3af-8ea9bd6f7494",
      "id": "CVE-2026-52725",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-52725 affects version 16.2.7-tuxcare.1 of @angular/benchpress."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/benchpress@16.2.7-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:1e7d63d0-031a-59f7-b9dd-e57e8177e370",
      "id": "CVE-2026-54264",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-54264 affects version 16.2.7-tuxcare.1 of @angular/benchpress."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/benchpress@16.2.7-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:83880f4b-a10f-5db8-a61c-76e29d4aa072",
      "id": "CVE-2026-54265",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2026-54265 does not affect version 16.2.7-tuxcare.1 of @angular/benchpress. not_affected \u2014 Angular v16.2.7 is not affected by CVE-2026-54265. The vulnerability is specific to Angular versions (20+) that introduced the TwoWayProperty IR operation kind. In v16.2.7, two-way property bindings are desugared to regular Property bindings before IR generation, and Property bindings ARE covered by sanitizer resolution, ensuring proper sanitization."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/benchpress@16.2.7-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:2b67ec7c-e3d3-548d-b7f0-f3074c2990be",
      "id": "CVE-2026-54266",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-54266 affects version 16.2.7-tuxcare.1 of @angular/benchpress."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/benchpress@16.2.7-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:cfd4606f-4588-5d7b-b0e0-fdb6aec9aed5",
      "id": "CVE-2026-54267",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-54267 affects version 16.2.7-tuxcare.1 of @angular/benchpress."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/benchpress@16.2.7-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:27469bf3-bea1-56bd-8df8-c31393cec6d5",
      "id": "CVE-2026-54268",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-54268 affects version 16.2.7-tuxcare.1 of @angular/benchpress."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/benchpress@16.2.7-tuxcare.1"
        }
      ]
    }
  ],
  "dependencies": [
    {
      "ref": "pkg:npm/%40angular/benchpress@16.2.7-tuxcare.1"
    }
  ]
}