{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:5bf792f3-b123-59e5-aaf7-ecac7e5499f9", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:npm/%40angular/common@7.2.11", "type": "library", "name": "@angular/common", "version": "7.2.11", "purl": "pkg:npm/%40angular/common@7.2.11" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:2485fe01-7cbd-5e45-9821-d5602b9d81b8", "id": "CVE-2021-4231", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2021-4231 affects version 7.2.11 of @angular/common." }, "affects": [ { "ref": "pkg:npm/%40angular/common@7.2.11" } ] }, { "bom-ref": "urn:uuid:e9974ad5-4995-5abb-9dd0-1d4d6bcbef90", "id": "CVE-2025-66412", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-66412 is fixed in version 7.2.11 of @angular/common." }, "affects": [ { "ref": "pkg:npm/%40angular/common@7.2.11" } ] }, { "bom-ref": "urn:uuid:f0b2da6e-9587-55a0-971c-3bca562fa834", "id": "CVE-2026-22610", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22610 affects version 7.2.11 of @angular/common." }, "affects": [ { "ref": "pkg:npm/%40angular/common@7.2.11" } ] }, { "bom-ref": "urn:uuid:30e96448-ecc1-5d8d-b404-484ffc9c25f2", "id": "CVE-2026-27970", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-27970 affects version 7.2.11 of @angular/common." }, "affects": [ { "ref": "pkg:npm/%40angular/common@7.2.11" } ] }, { "bom-ref": "urn:uuid:71624fa1-9f5e-50de-90c4-b7fc590b2ed8", "id": "CVE-2026-41423", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41423 affects version 7.2.11 of @angular/common." }, "affects": [ { "ref": "pkg:npm/%40angular/common@7.2.11" } ] }, { "bom-ref": "urn:uuid:892adce3-f8bf-574c-9286-bdbacf95f2f3", "id": "CVE-2026-46417", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-46417 affects version 7.2.11 of @angular/common." }, "affects": [ { "ref": "pkg:npm/%40angular/common@7.2.11" } ] }, { "bom-ref": "urn:uuid:032b9dc7-9524-5f87-a50d-f2e7e6730863", "id": "CVE-2026-50168", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-50168 does not affect version 7.2.11 of @angular/common. not_affected \u2014 CVE-2026-50168 addresses vulnerabilities in the WHATWG URL-based parseUrl implementation and allowedHosts validation feature introduced in Angular's CVE-2026-41423 fix. The target (v7.2.11) uses a completely different architecture with Node.js legacy url.parse() and does not have the allowedHosts feature. The specific vulnerable code patterns that CVE-2026-50168 patches do not exist in this ver..." }, "affects": [ { "ref": "pkg:npm/%40angular/common@7.2.11" } ] }, { "bom-ref": "urn:uuid:fef2f5b1-1757-59a6-9ae2-68dc1be7d96e", "id": "CVE-2026-50169", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50169 affects version 7.2.11 of @angular/common." }, "affects": [ { "ref": "pkg:npm/%40angular/common@7.2.11" } ] }, { "bom-ref": "urn:uuid:2c1aa61a-98a5-571a-8151-9cc7c939c340", "id": "CVE-2026-50170", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-50170 does not affect version 7.2.11 of @angular/common. not_affected \u2014 Angular v7.2.11 is not affected by CVE-2026-50170. The HTTP Transfer Cache feature that is vulnerable does not exist in this version. The feature was introduced in Angular v16+, and v7.2.11 lacks the transfer_cache.ts module, withHttpTransferCache provider, and provideClientHydration functionality entirely." }, "affects": [ { "ref": "pkg:npm/%40angular/common@7.2.11" } ] }, { "bom-ref": "urn:uuid:bc579c49-7c17-58da-84f2-9acbc0f5c853", "id": "CVE-2026-50171", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50171 affects version 7.2.11 of @angular/common." }, "affects": [ { "ref": "pkg:npm/%40angular/common@7.2.11" } ] }, { "bom-ref": "urn:uuid:1bc0c3e1-4053-5763-a0b1-49f0452ab969", "id": "CVE-2026-50184", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50184 affects version 7.2.11 of @angular/common." }, "affects": [ { "ref": "pkg:npm/%40angular/common@7.2.11" } ] }, { "bom-ref": "urn:uuid:abcdf9e3-d42c-57f9-b021-eaa99e5e4d09", "id": "CVE-2026-50555", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50555 affects version 7.2.11 of @angular/common." }, "affects": [ { "ref": "pkg:npm/%40angular/common@7.2.11" } ] }, { "bom-ref": "urn:uuid:d30d9968-e220-51e3-bc1c-209101a73672", "id": "CVE-2026-50556", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50556 affects version 7.2.11 of @angular/common." }, "affects": [ { "ref": "pkg:npm/%40angular/common@7.2.11" } ] }, { "bom-ref": "urn:uuid:6ab1251f-330a-5169-af65-da45c7f7ceea", "id": "CVE-2026-50557", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50557 affects version 7.2.11 of @angular/common." }, "affects": [ { "ref": "pkg:npm/%40angular/common@7.2.11" } ] }, { "bom-ref": "urn:uuid:1795b0de-9c94-52e4-994f-236ed9a034bc", "id": "CVE-2026-52725", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-52725 affects version 7.2.11 of @angular/common." }, "affects": [ { "ref": "pkg:npm/%40angular/common@7.2.11" } ] }, { "bom-ref": "urn:uuid:0ff55bf1-9d1e-58c8-945c-e9a8b4fa9d4c", "id": "CVE-2026-54264", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-54264 does not affect version 7.2.11 of @angular/common. not_affected \u2014 Angular 7.2.11-tuxcare.2 is not affected by CVE-2026-54264. The vulnerability concerns sensitive header leakage on cross-origin redirects in the request metadata preservation feature. This version predates that feature entirely - it strips ALL request headers when making network requests for assets, as evidenced by code comments and the absence of the newRequestWithMetadata method introduced in..." }, "affects": [ { "ref": "pkg:npm/%40angular/common@7.2.11" } ] }, { "bom-ref": "urn:uuid:a4e330d0-979c-5332-9dae-6a48dc2b067c", "id": "CVE-2026-54265", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-54265 does not affect version 7.2.11 of @angular/common. not_affected \u2014 Angular 7.2.11-tuxcare.2 uses View Engine compiler architecture, not Ivy. The vulnerability (CVE-2026-54265) is specific to Ivy's template compiler pipeline where TwoWayProperty operations were missing from the sanitizer resolution switch. View Engine does not have TwoWayProperty operations; two-way bindings desugar early in the template parser to the same parsePropertyBinding() code path as on..." }, "affects": [ { "ref": "pkg:npm/%40angular/common@7.2.11" } ] }, { "bom-ref": "urn:uuid:98039832-f186-5c3e-98e8-66c8efc309b8", "id": "CVE-2026-54266", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-54266 does not affect version 7.2.11 of @angular/common. not_affected \u2014 Angular 7.2.11-tuxcare.2 is not affected by CVE-2026-54266. The HttpTransferCache feature that contains the weak hash vulnerability does not exist in this version - it was introduced in Angular 16." }, "affects": [ { "ref": "pkg:npm/%40angular/common@7.2.11" } ] }, { "bom-ref": "urn:uuid:86c00117-51f1-54c6-b335-adb8513d9807", "id": "CVE-2026-54267", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-54267 affects version 7.2.11 of @angular/common." }, "affects": [ { "ref": "pkg:npm/%40angular/common@7.2.11" } ] }, { "bom-ref": "urn:uuid:ebdb42b5-a084-5ff3-860d-9f672ec27b0f", "id": "CVE-2026-54268", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-54268 affects version 7.2.11 of @angular/common." }, "affects": [ { "ref": "pkg:npm/%40angular/common@7.2.11" } ] } ], "dependencies": [ { "ref": "pkg:npm/%40angular/common@7.2.11" } ] }