{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:e3920265-e88c-53db-96ed-15e5f98dfee0", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:npm/%40angular/compiler-cli@12.0.0-tuxcare.1", "type": "library", "name": "@angular/compiler-cli", "version": "12.0.0-tuxcare.1", "purl": "pkg:npm/%40angular/compiler-cli@12.0.0-tuxcare.1" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:8d329387-9f5a-561f-8204-f74f21cf0970", "id": "CVE-2025-66035", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-66035 is fixed in version 12.0.0-tuxcare.1 of @angular/compiler-cli." }, "affects": [ { "ref": "pkg:npm/%40angular/compiler-cli@12.0.0-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:8d8c792b-decc-5132-ae87-0bb6ca6af8c5", "id": "CVE-2025-66412", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-66412 affects version 12.0.0-tuxcare.1 of @angular/compiler-cli." }, "affects": [ { "ref": "pkg:npm/%40angular/compiler-cli@12.0.0-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:1a789c00-002b-551f-95a6-a678fb45a588", "id": "CVE-2026-22610", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22610 affects version 12.0.0-tuxcare.1 of @angular/compiler-cli." }, "affects": [ { "ref": "pkg:npm/%40angular/compiler-cli@12.0.0-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:48be9e31-f59d-5b48-9e11-88c7aaeb90df", "id": "CVE-2026-27970", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-27970 affects version 12.0.0-tuxcare.1 of @angular/compiler-cli." }, "affects": [ { "ref": "pkg:npm/%40angular/compiler-cli@12.0.0-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:6f71fbea-68cd-525c-9a62-45cd9f686992", "id": "CVE-2026-41423", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41423 does not affect version 12.0.0-tuxcare.1 of @angular/compiler-cli. not_affected \u2014 The target repository (Angular v12.0.0-tuxcare.2) is not affected by CVE-2026-41423. This version uses Node.js url.parse() for URL parsing, which does not exhibit the hostname override vulnerability. The CVE affects Angular versions 21.0.4+ where the codebase was refactored to use the URL constructor with a base parameter, allowing protocol-relative URLs (//evil.com) to override the hostname. T..." }, "affects": [ { "ref": "pkg:npm/%40angular/compiler-cli@12.0.0-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:a816ec79-6ab8-568e-9a5d-7327dbc3d8c8", "id": "CVE-2026-46417", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-46417 affects version 12.0.0-tuxcare.1 of @angular/compiler-cli." }, "affects": [ { "ref": "pkg:npm/%40angular/compiler-cli@12.0.0-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:b5ce2986-3c3f-5813-bbad-ab8ce3238636", "id": "CVE-2026-50168", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50168 affects version 12.0.0-tuxcare.1 of @angular/compiler-cli." }, "affects": [ { "ref": "pkg:npm/%40angular/compiler-cli@12.0.0-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:7ad9aae7-26bc-5e81-93ec-9cf4763d1c86", "id": "CVE-2026-50169", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50169 affects version 12.0.0-tuxcare.1 of @angular/compiler-cli." }, "affects": [ { "ref": "pkg:npm/%40angular/compiler-cli@12.0.0-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:a9bad428-7813-5461-be74-b6b832ad0092", "id": "CVE-2026-50170", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-50170 does not affect version 12.0.0-tuxcare.1 of @angular/compiler-cli. not_affected \u2014 Angular v12.0.0-tuxcare.2 is not affected by CVE-2026-50170. The HTTP transfer cache feature that contains the vulnerability does not exist in this version. The transfer cache was introduced in Angular v16+, while this is version 12." }, "affects": [ { "ref": "pkg:npm/%40angular/compiler-cli@12.0.0-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:b47f82e4-3c84-5555-bc0a-744db43d854e", "id": "CVE-2026-50171", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50171 affects version 12.0.0-tuxcare.1 of @angular/compiler-cli." }, "affects": [ { "ref": "pkg:npm/%40angular/compiler-cli@12.0.0-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:d3d2519c-767d-503d-91d2-17d02d69f870", "id": "CVE-2026-50184", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50184 affects version 12.0.0-tuxcare.1 of @angular/compiler-cli." }, "affects": [ { "ref": "pkg:npm/%40angular/compiler-cli@12.0.0-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:5e00b8c2-e9be-5b02-aa2d-8de2d30246f7", "id": "CVE-2026-50555", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50555 affects version 12.0.0-tuxcare.1 of @angular/compiler-cli." }, "affects": [ { "ref": "pkg:npm/%40angular/compiler-cli@12.0.0-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:1b628c3c-2214-5a9d-98ba-18523aeb23fb", "id": "CVE-2026-50556", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50556 affects version 12.0.0-tuxcare.1 of @angular/compiler-cli." }, "affects": [ { "ref": "pkg:npm/%40angular/compiler-cli@12.0.0-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:0e418fc3-e864-5c18-a09e-9c53bb771ffe", "id": "CVE-2026-50557", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50557 affects version 12.0.0-tuxcare.1 of @angular/compiler-cli." }, "affects": [ { "ref": "pkg:npm/%40angular/compiler-cli@12.0.0-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:963d776d-68bf-551b-bdbe-33ee2f9c10d2", "id": "CVE-2026-52725", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-52725 affects version 12.0.0-tuxcare.1 of @angular/compiler-cli." }, "affects": [ { "ref": "pkg:npm/%40angular/compiler-cli@12.0.0-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:0f755530-921a-5b85-99a0-d78d57cac4ec", "id": "CVE-2026-54264", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-54264 does not affect version 12.0.0-tuxcare.1 of @angular/compiler-cli. not_affected \u2014 Angular version 12.0.0 is not affected by CVE-2026-54264. The service worker's AssetGroup class does not preserve request headers when making network requests, including on cross-origin redirects. Version 12.0.0 predates the architectural change that introduced metadata preservation (including headers), which was later found to be vulnerable in versions 20.x-22.x." }, "affects": [ { "ref": "pkg:npm/%40angular/compiler-cli@12.0.0-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:485e32e0-e456-5ee6-aac1-2f761a4560e6", "id": "CVE-2026-54265", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-54265 does not affect version 12.0.0-tuxcare.1 of @angular/compiler-cli. not_affected \u2014 Angular 12.0.0-tuxcare.2 is not affected by CVE-2026-54265. The vulnerability is specific to the Ivy template pipeline architecture with TwoWayProperty IR operations (introduced in Angular 20+). Angular 12 uses a different architecture where two-way bindings are desugared at parse time into separate property and event bindings, and the property binding is sanitized through the same code path as..." }, "affects": [ { "ref": "pkg:npm/%40angular/compiler-cli@12.0.0-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:9441e2e0-d864-5153-b24f-37437b98d5dc", "id": "CVE-2026-54266", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-54266 does not affect version 12.0.0-tuxcare.1 of @angular/compiler-cli. not_affected \u2014 Angular v12.0.0-tuxcare.2 is not affected by CVE-2026-54266. The HttpTransferCache feature containing the weak DJB2 hash vulnerability does not exist in this version - it was introduced in Angular v16+." }, "affects": [ { "ref": "pkg:npm/%40angular/compiler-cli@12.0.0-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:f9a1bccd-6393-565b-9866-0b0f74c0c776", "id": "CVE-2026-54267", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-54267 affects version 12.0.0-tuxcare.1 of @angular/compiler-cli." }, "affects": [ { "ref": "pkg:npm/%40angular/compiler-cli@12.0.0-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:0f2e3f30-d5e5-5125-82fd-38797e0431b0", "id": "CVE-2026-54268", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-54268 affects version 12.0.0-tuxcare.1 of @angular/compiler-cli." }, "affects": [ { "ref": "pkg:npm/%40angular/compiler-cli@12.0.0-tuxcare.1" } ] } ], "dependencies": [ { "ref": "pkg:npm/%40angular/compiler-cli@12.0.0-tuxcare.1" } ] }