{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:1a0c11f7-4615-5c01-8b4b-0cf14bdd19bc", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:npm/%40angular/compiler-cli@15.2.2", "type": "library", "name": "@angular/compiler-cli", "version": "15.2.2", "purl": "pkg:npm/%40angular/compiler-cli@15.2.2" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:af99bbbe-e939-5f7a-80d5-8b813dd05099", "id": "CVE-2025-66412", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-66412 affects version 15.2.2 of @angular/compiler-cli." }, "affects": [ { "ref": "pkg:npm/%40angular/compiler-cli@15.2.2" } ] }, { "bom-ref": "urn:uuid:97e61985-78d9-586b-8430-6ca9cd7e7f9b", "id": "CVE-2026-22610", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22610 affects version 15.2.2 of @angular/compiler-cli." }, "affects": [ { "ref": "pkg:npm/%40angular/compiler-cli@15.2.2" } ] }, { "bom-ref": "urn:uuid:c399b523-b287-5eee-ae31-5f3b1b615822", "id": "CVE-2026-27970", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-27970 affects version 15.2.2 of @angular/compiler-cli." }, "affects": [ { "ref": "pkg:npm/%40angular/compiler-cli@15.2.2" } ] }, { "bom-ref": "urn:uuid:ee5f1498-c25f-5125-9085-c9248c7955d8", "id": "CVE-2026-41423", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41423 does not affect version 15.2.2 of @angular/compiler-cli. not_affected \u2014 The target repository (Angular 15.2.2-tuxcare.1) is NOT affected by CVE-2026-41423. While the target lacks the specific fix from the upstream patch, it uses a fundamentally different URL parsing mechanism (Node.js legacy url.parse()) that does not exhibit the WHATWG URL specification behavior exploited in the vulnerability." }, "affects": [ { "ref": "pkg:npm/%40angular/compiler-cli@15.2.2" } ] }, { "bom-ref": "urn:uuid:73d96d17-8e1c-577a-a818-5b4dc5a29acc", "id": "CVE-2026-46417", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-46417 affects version 15.2.2 of @angular/compiler-cli." }, "affects": [ { "ref": "pkg:npm/%40angular/compiler-cli@15.2.2" } ] }, { "bom-ref": "urn:uuid:2d31b689-b720-53db-91fd-4acd9ba7e467", "id": "CVE-2026-50168", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50168 affects version 15.2.2 of @angular/compiler-cli." }, "affects": [ { "ref": "pkg:npm/%40angular/compiler-cli@15.2.2" } ] }, { "bom-ref": "urn:uuid:a57eb279-6e71-5370-984d-3ba1267ed963", "id": "CVE-2026-50169", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50169 affects version 15.2.2 of @angular/compiler-cli." }, "affects": [ { "ref": "pkg:npm/%40angular/compiler-cli@15.2.2" } ] }, { "bom-ref": "urn:uuid:acaa5a10-ffdf-568a-a768-43749d25ca87", "id": "CVE-2026-50170", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-50170 does not affect version 15.2.2 of @angular/compiler-cli. not_affected \u2014 Angular v15.2.2 is not affected by CVE-2026-50170. The HTTP TransferCache feature, which is the subject of the vulnerability, was introduced in Angular v16.0.0 (March 2023). The target repository version (15.2.2-tuxcare.1) predates this feature entirely and does not contain the vulnerable code path." }, "affects": [ { "ref": "pkg:npm/%40angular/compiler-cli@15.2.2" } ] }, { "bom-ref": "urn:uuid:95e21e48-511c-5c69-9111-4918cdc37ac0", "id": "CVE-2026-50171", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50171 affects version 15.2.2 of @angular/compiler-cli." }, "affects": [ { "ref": "pkg:npm/%40angular/compiler-cli@15.2.2" } ] }, { "bom-ref": "urn:uuid:7182816d-eac7-5a71-b992-17461b306dab", "id": "CVE-2026-50184", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50184 affects version 15.2.2 of @angular/compiler-cli." }, "affects": [ { "ref": "pkg:npm/%40angular/compiler-cli@15.2.2" } ] }, { "bom-ref": "urn:uuid:0028b77d-96dc-5028-a121-f743c98624fb", "id": "CVE-2026-50555", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50555 affects version 15.2.2 of @angular/compiler-cli." }, "affects": [ { "ref": "pkg:npm/%40angular/compiler-cli@15.2.2" } ] }, { "bom-ref": "urn:uuid:e6e5dc3b-d262-5a7d-8967-b6c9e6f60996", "id": "CVE-2026-50556", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50556 affects version 15.2.2 of @angular/compiler-cli." }, "affects": [ { "ref": "pkg:npm/%40angular/compiler-cli@15.2.2" } ] }, { "bom-ref": "urn:uuid:ffadbf0b-9ec0-522b-8926-ecb9b49da58a", "id": "CVE-2026-50557", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50557 affects version 15.2.2 of @angular/compiler-cli." }, "affects": [ { "ref": "pkg:npm/%40angular/compiler-cli@15.2.2" } ] }, { "bom-ref": "urn:uuid:2bd3614d-ae84-50d4-b22a-ed8a8d13825d", "id": "CVE-2026-52725", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-52725 affects version 15.2.2 of @angular/compiler-cli." }, "affects": [ { "ref": "pkg:npm/%40angular/compiler-cli@15.2.2" } ] }, { "bom-ref": "urn:uuid:83a02dc8-cb74-5d46-948e-6e10cf83c753", "id": "CVE-2026-54264", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-54264 affects version 15.2.2 of @angular/compiler-cli." }, "affects": [ { "ref": "pkg:npm/%40angular/compiler-cli@15.2.2" } ] }, { "bom-ref": "urn:uuid:ab91127c-05bf-5ecb-bde9-8bc90735e543", "id": "CVE-2026-54265", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-54265 does not affect version 15.2.2 of @angular/compiler-cli. not_affected \u2014 Angular v15.2.2 does not contain the vulnerable code path. The CVE-2026-54265 vulnerability affects the template pipeline's resolve_sanitizers.ts (TwoWayProperty operation), which does not exist in v15.2.2. This version uses TemplateDefinitionBuilder where two-way bindings desugar to regular property bindings that receive identical sanitization as one-way bindings." }, "affects": [ { "ref": "pkg:npm/%40angular/compiler-cli@15.2.2" } ] }, { "bom-ref": "urn:uuid:b7e15b23-df93-5957-994b-85cdefa1f802", "id": "CVE-2026-54266", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-54266 does not affect version 15.2.2 of @angular/compiler-cli. not_affected \u2014 Angular 15.2.2 is not affected by CVE-2026-54266. The vulnerable HttpTransferCache feature was introduced in Angular 16.0.0 (May 2023), after this version was released (March 2023). The target codebase does not contain the transfer_cache.ts module, HttpTransferCache API, or any HTTP response caching mechanism that uses hash-based cache keys." }, "affects": [ { "ref": "pkg:npm/%40angular/compiler-cli@15.2.2" } ] }, { "bom-ref": "urn:uuid:5dac434b-9dbf-5587-888c-d9fcb1c44569", "id": "CVE-2026-54267", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-54267 affects version 15.2.2 of @angular/compiler-cli." }, "affects": [ { "ref": "pkg:npm/%40angular/compiler-cli@15.2.2" } ] }, { "bom-ref": "urn:uuid:52971d0f-61fc-5015-8ef1-a980dd86658b", "id": "CVE-2026-54268", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-54268 affects version 15.2.2 of @angular/compiler-cli." }, "affects": [ { "ref": "pkg:npm/%40angular/compiler-cli@15.2.2" } ] } ], "dependencies": [ { "ref": "pkg:npm/%40angular/compiler-cli@15.2.2" } ] }