{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:458617c6-fdae-5dd6-8fee-2b99983ce32d", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:npm/%40angular/compiler-cli@15.2.9-tuxcare.1", "type": "library", "name": "@angular/compiler-cli", "version": "15.2.9-tuxcare.1", "purl": "pkg:npm/%40angular/compiler-cli@15.2.9-tuxcare.1" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:64e5ce5e-e432-5088-84bb-dbc25c4ec8fb", "id": "CVE-2025-66035", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-66035 is fixed in version 15.2.9-tuxcare.1 of @angular/compiler-cli." }, "affects": [ { "ref": "pkg:npm/%40angular/compiler-cli@15.2.9-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:47ce11f9-0869-542c-a4f3-7f19667f98c2", "id": "CVE-2025-66412", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-66412 affects version 15.2.9-tuxcare.1 of @angular/compiler-cli." }, "affects": [ { "ref": "pkg:npm/%40angular/compiler-cli@15.2.9-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:8764f011-7b0d-5a40-b637-b51062f69384", "id": "CVE-2026-22610", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22610 affects version 15.2.9-tuxcare.1 of @angular/compiler-cli." }, "affects": [ { "ref": "pkg:npm/%40angular/compiler-cli@15.2.9-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:2adb253e-39c2-5055-9c0c-bc2469db49be", "id": "CVE-2026-27970", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-27970 affects version 15.2.9-tuxcare.1 of @angular/compiler-cli." }, "affects": [ { "ref": "pkg:npm/%40angular/compiler-cli@15.2.9-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:bc61866d-8833-5f2a-8e5c-0c8a6ad39886", "id": "CVE-2026-41423", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41423 does not affect version 15.2.9-tuxcare.1 of @angular/compiler-cli. not_affected \u2014 Angular 15.2.9 is not affected by CVE-2026-41423. The SSRF vulnerability via protocol-relative URLs was introduced in Angular 17.0.0 when the codebase switched from Node.js url.parse to WHATWG URL API. Angular 15.2.9 still uses the legacy Node.js url.parse which treats protocol-relative URLs ('//evil.com') as pathnames, not hostname overrides, preventing the SSRF attack vector." }, "affects": [ { "ref": "pkg:npm/%40angular/compiler-cli@15.2.9-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:ec939898-3c1d-5b98-8cdc-f0511e9c0688", "id": "CVE-2026-46417", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-46417 affects version 15.2.9-tuxcare.1 of @angular/compiler-cli." }, "affects": [ { "ref": "pkg:npm/%40angular/compiler-cli@15.2.9-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:b47cd119-1bca-59d5-b755-395ab94aa3f6", "id": "CVE-2026-50168", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50168 affects version 15.2.9-tuxcare.1 of @angular/compiler-cli." }, "affects": [ { "ref": "pkg:npm/%40angular/compiler-cli@15.2.9-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:15f61269-4351-547c-bfa8-4d85d767bb36", "id": "CVE-2026-50169", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50169 affects version 15.2.9-tuxcare.1 of @angular/compiler-cli." }, "affects": [ { "ref": "pkg:npm/%40angular/compiler-cli@15.2.9-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:3e6547b7-0609-5eb1-a8b4-5c240aad113a", "id": "CVE-2026-50170", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-50170 does not affect version 15.2.9-tuxcare.1 of @angular/compiler-cli. not_affected \u2014 no evidence captured" }, "affects": [ { "ref": "pkg:npm/%40angular/compiler-cli@15.2.9-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:e2154423-e5ea-5ab5-b4ca-dd19cf37d13a", "id": "CVE-2026-50171", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50171 affects version 15.2.9-tuxcare.1 of @angular/compiler-cli." }, "affects": [ { "ref": "pkg:npm/%40angular/compiler-cli@15.2.9-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:358e233f-2481-5ef5-ab61-71bc198eea76", "id": "CVE-2026-50184", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50184 affects version 15.2.9-tuxcare.1 of @angular/compiler-cli." }, "affects": [ { "ref": "pkg:npm/%40angular/compiler-cli@15.2.9-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:1bb24dc0-75eb-5142-9e67-43115b778aa5", "id": "CVE-2026-50555", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50555 affects version 15.2.9-tuxcare.1 of @angular/compiler-cli." }, "affects": [ { "ref": "pkg:npm/%40angular/compiler-cli@15.2.9-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:856ec2c4-0fc4-553c-bf14-cb442f376f2f", "id": "CVE-2026-50556", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50556 affects version 15.2.9-tuxcare.1 of @angular/compiler-cli." }, "affects": [ { "ref": "pkg:npm/%40angular/compiler-cli@15.2.9-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:7cc8d109-86ce-5b8d-b1de-0c21f8e47fda", "id": "CVE-2026-50557", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50557 affects version 15.2.9-tuxcare.1 of @angular/compiler-cli." }, "affects": [ { "ref": "pkg:npm/%40angular/compiler-cli@15.2.9-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:76d6214a-c499-5191-9ea7-a939235780b6", "id": "CVE-2026-52725", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-52725 affects version 15.2.9-tuxcare.1 of @angular/compiler-cli." }, "affects": [ { "ref": "pkg:npm/%40angular/compiler-cli@15.2.9-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:cd795069-ee7c-57cc-8e40-da68148a5bb0", "id": "CVE-2026-54264", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-54264 affects version 15.2.9-tuxcare.1 of @angular/compiler-cli." }, "affects": [ { "ref": "pkg:npm/%40angular/compiler-cli@15.2.9-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:5fe90910-1cb0-568a-88c9-5a941a63f172", "id": "CVE-2026-54265", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-54265 does not affect version 15.2.9-tuxcare.1 of @angular/compiler-cli. not_affected \u2014 Angular 15.2.9-tuxcare.1 is not affected by CVE-2026-54265. The vulnerability requires the new Ivy compiler 'pipeline' architecture with the TwoWayProperty IR operation, which was introduced in Angular 16+. Angular 15.2.9 uses the older compiler architecture where two-way bindings are desugared into separate property and event bindings, causing them to automatically receive the same sanitizatio..." }, "affects": [ { "ref": "pkg:npm/%40angular/compiler-cli@15.2.9-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:7e97ecc1-86ee-5dfd-bf54-ef47420500df", "id": "CVE-2026-54266", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-54266 does not affect version 15.2.9-tuxcare.1 of @angular/compiler-cli. not_affected \u2014 Angular 15.2.9 is not affected by CVE-2026-54266. The vulnerable HttpTransferCache feature does not exist in this version - it was introduced in Angular v16+. Without this feature, there is no code that hashes HTTP request properties for cache key generation, so the hash collision vulnerability cannot manifest." }, "affects": [ { "ref": "pkg:npm/%40angular/compiler-cli@15.2.9-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:4338f0d7-db00-58a2-a883-f0c4664c2d68", "id": "CVE-2026-54267", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-54267 affects version 15.2.9-tuxcare.1 of @angular/compiler-cli." }, "affects": [ { "ref": "pkg:npm/%40angular/compiler-cli@15.2.9-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:fc6f9593-f88b-5978-9d2a-3018472c9e8d", "id": "CVE-2026-54268", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-54268 affects version 15.2.9-tuxcare.1 of @angular/compiler-cli." }, "affects": [ { "ref": "pkg:npm/%40angular/compiler-cli@15.2.9-tuxcare.1" } ] } ], "dependencies": [ { "ref": "pkg:npm/%40angular/compiler-cli@15.2.9-tuxcare.1" } ] }