{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:37160e89-41b3-52d0-81e9-c3488a380538", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:npm/%40angular/common@14.2.12-tuxcare.1", "type": "library", "name": "@angular/common", "version": "14.2.12-tuxcare.1", "purl": "pkg:npm/%40angular/common@14.2.12-tuxcare.1" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:f7efcdac-0cf3-5c51-816e-a8bff2e9794c", "id": "CVE-2025-66035", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-66035 is fixed in version 14.2.12-tuxcare.1 of @angular/common." }, "affects": [ { "ref": "pkg:npm/%40angular/common@14.2.12-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:f271c8f4-cb6d-5713-ac6c-d36304bcd420", "id": "CVE-2025-66412", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-66412 affects version 14.2.12-tuxcare.1 of @angular/common." }, "affects": [ { "ref": "pkg:npm/%40angular/common@14.2.12-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:302305bf-aa4e-50e8-b605-100d610ccb39", "id": "CVE-2026-22610", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22610 affects version 14.2.12-tuxcare.1 of @angular/common." }, "affects": [ { "ref": "pkg:npm/%40angular/common@14.2.12-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:26c4ddfd-4e3e-5aa8-aa66-0875b8ec188d", "id": "CVE-2026-27970", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-27970 affects version 14.2.12-tuxcare.1 of @angular/common." }, "affects": [ { "ref": "pkg:npm/%40angular/common@14.2.12-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:2d351a4f-1543-5734-9266-a9b49af3afba", "id": "CVE-2026-41423", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41423 affects version 14.2.12-tuxcare.1 of @angular/common." }, "affects": [ { "ref": "pkg:npm/%40angular/common@14.2.12-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:2aa53436-10dd-5875-8fa2-75e7ff371b35", "id": "CVE-2026-46417", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-46417 affects version 14.2.12-tuxcare.1 of @angular/common." }, "affects": [ { "ref": "pkg:npm/%40angular/common@14.2.12-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:9ed7b5a8-0a64-5328-8edb-bac83a28da50", "id": "CVE-2026-50168", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50168 affects version 14.2.12-tuxcare.1 of @angular/common." }, "affects": [ { "ref": "pkg:npm/%40angular/common@14.2.12-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:c88ed2a3-5e05-52a4-9ec9-09650696b494", "id": "CVE-2026-50169", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50169 affects version 14.2.12-tuxcare.1 of @angular/common." }, "affects": [ { "ref": "pkg:npm/%40angular/common@14.2.12-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:d87d2c40-0d29-5276-8769-9b9b5e79174c", "id": "CVE-2026-50170", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-50170 does not affect version 14.2.12-tuxcare.1 of @angular/common. not_affected \u2014 Angular v14.2.12-tuxcare.1 is not affected by CVE-2026-50170. The HTTP TransferCache feature and client hydration mechanism that contain the vulnerability were introduced in Angular v16+. This version predates that feature introduction and does not have the vulnerable code path." }, "affects": [ { "ref": "pkg:npm/%40angular/common@14.2.12-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:62ab7dac-1257-572e-bb9c-b79e67e71c25", "id": "CVE-2026-50171", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50171 affects version 14.2.12-tuxcare.1 of @angular/common." }, "affects": [ { "ref": "pkg:npm/%40angular/common@14.2.12-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:000f2e7f-058c-5059-a8e1-b9ba208dc99f", "id": "CVE-2026-50184", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50184 affects version 14.2.12-tuxcare.1 of @angular/common." }, "affects": [ { "ref": "pkg:npm/%40angular/common@14.2.12-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:5741a5d9-06f1-50d7-8681-4879a5fa5777", "id": "CVE-2026-50555", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50555 affects version 14.2.12-tuxcare.1 of @angular/common." }, "affects": [ { "ref": "pkg:npm/%40angular/common@14.2.12-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:0a3134e8-b394-57ea-8109-b5ec3f956190", "id": "CVE-2026-50556", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50556 affects version 14.2.12-tuxcare.1 of @angular/common." }, "affects": [ { "ref": "pkg:npm/%40angular/common@14.2.12-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:6e93f27f-b92a-5c51-8825-f9757f281b9e", "id": "CVE-2026-50557", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50557 affects version 14.2.12-tuxcare.1 of @angular/common." }, "affects": [ { "ref": "pkg:npm/%40angular/common@14.2.12-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:c20e35fb-06b8-5d62-856d-54c93cf33f28", "id": "CVE-2026-52725", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-52725 affects version 14.2.12-tuxcare.1 of @angular/common." }, "affects": [ { "ref": "pkg:npm/%40angular/common@14.2.12-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:4f071ae6-05a0-56e9-8da0-f210bec49eeb", "id": "CVE-2026-54264", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-54264 affects version 14.2.12-tuxcare.1 of @angular/common." }, "affects": [ { "ref": "pkg:npm/%40angular/common@14.2.12-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:cce3aab9-1c5b-5fd6-a000-c364d5c439f8", "id": "CVE-2026-54265", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-54265 does not affect version 14.2.12-tuxcare.1 of @angular/common. not_affected \u2014 Angular 14.2.12-tuxcare.1 is not affected by CVE-2026-54265. This version uses the pre-pipeline compiler architecture where two-way bindings are desugared into separate property and event bindings, both of which go through proper sanitization. The vulnerability only exists in Angular 17.3.0+ where the template pipeline with TwoWayProperty IR operation was introduced." }, "affects": [ { "ref": "pkg:npm/%40angular/common@14.2.12-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:e611b7c1-e3c7-5513-90a5-ed01ae8b4056", "id": "CVE-2026-54266", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-54266 does not affect version 14.2.12-tuxcare.1 of @angular/common. not_affected \u2014 Angular 14.2.12 is not affected by CVE-2026-54266. The vulnerable HttpTransferCache feature does not exist in this version - it was introduced in Angular v16+. The target has no code path that generates cache keys from HTTP request parameters, and therefore cannot experience cache key collisions." }, "affects": [ { "ref": "pkg:npm/%40angular/common@14.2.12-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:1b5fd598-8302-5410-82b2-711a7ef4813e", "id": "CVE-2026-54267", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-54267 affects version 14.2.12-tuxcare.1 of @angular/common." }, "affects": [ { "ref": "pkg:npm/%40angular/common@14.2.12-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:1d6e69cf-ea67-5fb1-b63a-ea183cb8a222", "id": "CVE-2026-54268", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-54268 affects version 14.2.12-tuxcare.1 of @angular/common." }, "affects": [ { "ref": "pkg:npm/%40angular/common@14.2.12-tuxcare.1" } ] } ], "dependencies": [ { "ref": "pkg:npm/%40angular/common@14.2.12-tuxcare.1" } ] }