{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:b753a80b-e6a4-53bd-854c-9eeb1385ce57", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:npm/%40angular/common@5.1.0-tuxcare.2", "type": "library", "name": "@angular/common", "version": "5.1.0-tuxcare.2", "purl": "pkg:npm/%40angular/common@5.1.0-tuxcare.2" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:d46eda85-ed3f-53aa-9757-b7839c7e3d69", "id": "CVE-2017-1000048", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2017-1000048 is fixed in version 5.1.0-tuxcare.2 of @angular/common." }, "affects": [ { "ref": "pkg:npm/%40angular/common@5.1.0-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:9ff5260f-0d9d-5a40-b097-bd1c7c2761da", "id": "CVE-2021-4231", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2021-4231 affects version 5.1.0-tuxcare.2 of @angular/common." }, "affects": [ { "ref": "pkg:npm/%40angular/common@5.1.0-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:f8531c5c-a6b4-5248-8184-3759cbdfdcc9", "id": "CVE-2022-24999", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-24999 is fixed in version 5.1.0-tuxcare.2 of @angular/common." }, "affects": [ { "ref": "pkg:npm/%40angular/common@5.1.0-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:ef489ff8-c8c8-5727-b275-2cafb538cdcc", "id": "CVE-2024-21534", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-21534 is fixed in version 5.1.0-tuxcare.2 of @angular/common." }, "affects": [ { "ref": "pkg:npm/%40angular/common@5.1.0-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:98eb966b-d890-5edb-9fe0-8307ae8dd167", "id": "CVE-2024-21538", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-21538 is fixed in version 5.1.0-tuxcare.2 of @angular/common." }, "affects": [ { "ref": "pkg:npm/%40angular/common@5.1.0-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:aee72598-c48b-5e70-ab86-9abb2a41628c", "id": "CVE-2025-1302", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-1302 is fixed in version 5.1.0-tuxcare.2 of @angular/common." }, "affects": [ { "ref": "pkg:npm/%40angular/common@5.1.0-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:0ac5a173-0f2d-52ef-b6ba-ef4a07308d4a", "id": "CVE-2025-15284", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-15284 is fixed in version 5.1.0-tuxcare.2 of @angular/common." }, "affects": [ { "ref": "pkg:npm/%40angular/common@5.1.0-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:cebf0a10-84a1-513f-8117-e51d74dc2f5d", "id": "CVE-2025-66035", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-66035 affects version 5.1.0-tuxcare.2 of @angular/common." }, "affects": [ { "ref": "pkg:npm/%40angular/common@5.1.0-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:1930b2b5-c45f-53c6-8e2c-2788a218708f", "id": "CVE-2025-66412", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-66412 is fixed in version 5.1.0-tuxcare.2 of @angular/common." }, "affects": [ { "ref": "pkg:npm/%40angular/common@5.1.0-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:b69a25c1-8ca2-589a-b869-82b8afdac1dc", "id": "CVE-2026-22610", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22610 affects version 5.1.0-tuxcare.2 of @angular/common." }, "affects": [ { "ref": "pkg:npm/%40angular/common@5.1.0-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:654d9802-9467-5a1b-86e5-334de9c24348", "id": "CVE-2026-27903", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-27903 is fixed in version 5.1.0-tuxcare.2 of @angular/common." }, "affects": [ { "ref": "pkg:npm/%40angular/common@5.1.0-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:6422f1ee-11eb-5a28-8b59-ca1f1d491f26", "id": "CVE-2026-27904", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-27904 is fixed in version 5.1.0-tuxcare.2 of @angular/common." }, "affects": [ { "ref": "pkg:npm/%40angular/common@5.1.0-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:9fdf512e-fcf6-535d-bad0-7864e72a2276", "id": "CVE-2026-27970", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-27970 affects version 5.1.0-tuxcare.2 of @angular/common." }, "affects": [ { "ref": "pkg:npm/%40angular/common@5.1.0-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:a31e197f-4053-5cee-9290-d4bb41ae73a4", "id": "CVE-2026-41423", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41423 does not affect version 5.1.0-tuxcare.2 of @angular/common. not_affected \u2014 The target repository (Angular 5.1.0) uses Node.js url.parse() API which does not extract hostname from protocol-relative URLs (//evil.com/path), unlike the WHATWG URL API used in vulnerable upstream versions. Additionally, Angular 5.1.0's PlatformLocation architecture does not expose hostname/protocol/port fields, only pathname/search/hash. The vulnerability mechanism (WHATWG URL's protocol-re..." }, "affects": [ { "ref": "pkg:npm/%40angular/common@5.1.0-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:a1198720-8bbc-58e7-a62b-07379f6e631e", "id": "CVE-2026-46417", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-46417 affects version 5.1.0-tuxcare.2 of @angular/common." }, "affects": [ { "ref": "pkg:npm/%40angular/common@5.1.0-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:01bfd20a-0c57-5c79-aa39-32636df5661b", "id": "CVE-2026-50168", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-50168 is fixed in version 5.1.0-tuxcare.2 of @angular/common." }, "affects": [ { "ref": "pkg:npm/%40angular/common@5.1.0-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:b033212a-7c5b-5bc8-a8dc-b0c8c33d68e7", "id": "CVE-2026-50169", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-50169 is fixed in version 5.1.0-tuxcare.2 of @angular/common." }, "affects": [ { "ref": "pkg:npm/%40angular/common@5.1.0-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:6c25b175-82b9-5043-8624-b5be5511a6c8", "id": "CVE-2026-50170", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-50170 does not affect version 5.1.0-tuxcare.2 of @angular/common. not_affected \u2014 Angular 5.1.0 is not affected by CVE-2026-50170. The vulnerability exists in the HTTP Transfer Cache feature, which was introduced in Angular 16+ and does not exist in this version. While Angular 5.1.0 supports HTTP requests with Cookie headers and withCredentials flags, it lacks the transfer cache mechanism that would cache and reuse these responses during SSR hydration, making the attack chai..." }, "affects": [ { "ref": "pkg:npm/%40angular/common@5.1.0-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:7bcee3b3-d800-5c1b-95b9-893cfb9505ac", "id": "CVE-2026-50171", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-50171 is fixed in version 5.1.0-tuxcare.2 of @angular/common." }, "affects": [ { "ref": "pkg:npm/%40angular/common@5.1.0-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:afeb66de-0b01-585c-9758-ed253385565f", "id": "CVE-2026-50184", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-50184 is fixed in version 5.1.0-tuxcare.2 of @angular/common." }, "affects": [ { "ref": "pkg:npm/%40angular/common@5.1.0-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:99a58a3f-ab39-5d80-b8d9-c16dd8e41777", "id": "CVE-2026-50555", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-50555 is fixed in version 5.1.0-tuxcare.2 of @angular/common." }, "affects": [ { "ref": "pkg:npm/%40angular/common@5.1.0-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:8faeadea-cbf1-574d-9e69-51759a37b5d6", "id": "CVE-2026-50556", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-50556 is fixed in version 5.1.0-tuxcare.2 of @angular/common." }, "affects": [ { "ref": "pkg:npm/%40angular/common@5.1.0-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:7967d7a5-5ab9-556b-b191-9bcff8bc53bb", "id": "CVE-2026-50557", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-50557 is fixed in version 5.1.0-tuxcare.2 of @angular/common." }, "affects": [ { "ref": "pkg:npm/%40angular/common@5.1.0-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:8b7b257a-d3af-52eb-b9ce-f43f748152f3", "id": "CVE-2026-52725", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-52725 is fixed in version 5.1.0-tuxcare.2 of @angular/common." }, "affects": [ { "ref": "pkg:npm/%40angular/common@5.1.0-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:875f908e-bb81-5df7-8679-b79c04a5e279", "id": "CVE-2026-54264", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-54264 does not affect version 5.1.0-tuxcare.2 of @angular/common. not_affected \u2014 Angular 5.1.0-tuxcare.1 is not affected by CVE-2026-54264. The service worker in this version does not preserve or forward request headers when reconstructing asset requests, eliminating the vulnerability pattern entirely. Asset requests are rebuilt from URLs only, with no header copying logic." }, "affects": [ { "ref": "pkg:npm/%40angular/common@5.1.0-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:c51156cd-242a-595a-9224-1add775b0d60", "id": "CVE-2026-54265", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-54265 does not affect version 5.1.0-tuxcare.2 of @angular/common. not_affected \u2014 Angular 5.1.0 uses View Engine architecture, not Ivy. The CVE-2026-54265 vulnerability is specific to Ivy's TwoWayProperty IR operation in the resolve_sanitizers phase, which does not exist in View Engine. In View Engine, two-way bindings ([()] and bindon-) desugar through the same parsePropertyBinding() code path as one-way bindings, inheriting identical sanitization behavior." }, "affects": [ { "ref": "pkg:npm/%40angular/common@5.1.0-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:eb87fb0b-da84-5fd1-9a5f-7d5bb584eafd", "id": "CVE-2026-54266", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-54266 does not affect version 5.1.0-tuxcare.2 of @angular/common. not_affected \u2014 Angular version 5.1.0 is NOT AFFECTED by CVE-2026-54266. The vulnerable HttpTransferCache feature does not exist in this version - it was introduced in Angular v16+. There is no transfer_cache.ts file, no generateHash function using weak DJB2 hashing, and no mechanism to cache HTTP requests in TransferState using hash-based keys. The attack chain from HTTP requests to cache key collision cannot..." }, "affects": [ { "ref": "pkg:npm/%40angular/common@5.1.0-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:1e8bf9b4-969e-5a1b-9df7-b2117255e329", "id": "CVE-2026-54267", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-54267 is fixed in version 5.1.0-tuxcare.2 of @angular/common." }, "affects": [ { "ref": "pkg:npm/%40angular/common@5.1.0-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:b0af9d30-b5a0-5143-a1d2-edd6169c6ad0", "id": "CVE-2026-54268", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-54268 is fixed in version 5.1.0-tuxcare.2 of @angular/common." }, "affects": [ { "ref": "pkg:npm/%40angular/common@5.1.0-tuxcare.2" } ] } ], "dependencies": [ { "ref": "pkg:npm/%40angular/common@5.1.0-tuxcare.2" } ] }