{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:afa9d7fa-aba1-5593-ac15-f5d6c1dfb86f", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:npm/%40angular/compiler-cli@15.2.9", "type": "library", "name": "@angular/compiler-cli", "version": "15.2.9", "purl": "pkg:npm/%40angular/compiler-cli@15.2.9" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:548f1ad7-f325-51a6-af4b-9b6b68dec919", "id": "CVE-2025-66412", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-66412 affects version 15.2.9 of @angular/compiler-cli." }, "affects": [ { "ref": "pkg:npm/%40angular/compiler-cli@15.2.9" } ] }, { "bom-ref": "urn:uuid:cb8f9376-3048-587e-8061-b72ccc4fa1fd", "id": "CVE-2026-22610", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22610 affects version 15.2.9 of @angular/compiler-cli." }, "affects": [ { "ref": "pkg:npm/%40angular/compiler-cli@15.2.9" } ] }, { "bom-ref": "urn:uuid:f0233826-058a-5434-b197-39d376f01111", "id": "CVE-2026-27970", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-27970 affects version 15.2.9 of @angular/compiler-cli." }, "affects": [ { "ref": "pkg:npm/%40angular/compiler-cli@15.2.9" } ] }, { "bom-ref": "urn:uuid:23604857-857c-5ec7-9f6e-370fa1615dcd", "id": "CVE-2026-41423", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41423 does not affect version 15.2.9 of @angular/compiler-cli. not_affected \u2014 Angular 15.2.9 is not affected by CVE-2026-41423. The SSRF vulnerability via protocol-relative URLs was introduced in Angular 17.0.0 when the codebase switched from Node.js url.parse to WHATWG URL API. Angular 15.2.9 still uses the legacy Node.js url.parse which treats protocol-relative URLs ('//evil.com') as pathnames, not hostname overrides, preventing the SSRF attack vector." }, "affects": [ { "ref": "pkg:npm/%40angular/compiler-cli@15.2.9" } ] }, { "bom-ref": "urn:uuid:5f3e1c39-1d53-5829-9254-6c1d3b1c4490", "id": "CVE-2026-46417", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-46417 affects version 15.2.9 of @angular/compiler-cli." }, "affects": [ { "ref": "pkg:npm/%40angular/compiler-cli@15.2.9" } ] }, { "bom-ref": "urn:uuid:d0bdd445-2c65-535a-919a-6c0687a12d2d", "id": "CVE-2026-50168", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50168 affects version 15.2.9 of @angular/compiler-cli." }, "affects": [ { "ref": "pkg:npm/%40angular/compiler-cli@15.2.9" } ] }, { "bom-ref": "urn:uuid:13899583-3044-5981-a7e1-2480c0b30885", "id": "CVE-2026-50169", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50169 affects version 15.2.9 of @angular/compiler-cli." }, "affects": [ { "ref": "pkg:npm/%40angular/compiler-cli@15.2.9" } ] }, { "bom-ref": "urn:uuid:1e3b1243-c9fc-5408-a153-40b209108084", "id": "CVE-2026-50170", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-50170 does not affect version 15.2.9 of @angular/compiler-cli. not_affected \u2014 no evidence captured" }, "affects": [ { "ref": "pkg:npm/%40angular/compiler-cli@15.2.9" } ] }, { "bom-ref": "urn:uuid:42034a5f-653e-5741-b35b-24252b4866a5", "id": "CVE-2026-50171", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50171 affects version 15.2.9 of @angular/compiler-cli." }, "affects": [ { "ref": "pkg:npm/%40angular/compiler-cli@15.2.9" } ] }, { "bom-ref": "urn:uuid:d363476f-9527-5f51-ba2e-e4d884ad2c6d", "id": "CVE-2026-50184", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50184 affects version 15.2.9 of @angular/compiler-cli." }, "affects": [ { "ref": "pkg:npm/%40angular/compiler-cli@15.2.9" } ] }, { "bom-ref": "urn:uuid:ecbf8d58-51bc-51d5-b8c5-9d49397ca8b9", "id": "CVE-2026-50555", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50555 affects version 15.2.9 of @angular/compiler-cli." }, "affects": [ { "ref": "pkg:npm/%40angular/compiler-cli@15.2.9" } ] }, { "bom-ref": "urn:uuid:d0222e75-83c6-50aa-a025-bbaf0fb3cf4f", "id": "CVE-2026-50556", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50556 affects version 15.2.9 of @angular/compiler-cli." }, "affects": [ { "ref": "pkg:npm/%40angular/compiler-cli@15.2.9" } ] }, { "bom-ref": "urn:uuid:25e5849c-3bc8-574e-abbd-8c3b445394ae", "id": "CVE-2026-50557", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50557 affects version 15.2.9 of @angular/compiler-cli." }, "affects": [ { "ref": "pkg:npm/%40angular/compiler-cli@15.2.9" } ] }, { "bom-ref": "urn:uuid:e080261f-ce25-50ac-9fe1-702fedcb3092", "id": "CVE-2026-52725", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-52725 affects version 15.2.9 of @angular/compiler-cli." }, "affects": [ { "ref": "pkg:npm/%40angular/compiler-cli@15.2.9" } ] }, { "bom-ref": "urn:uuid:490c3020-0904-57bb-a892-9cf389a3548d", "id": "CVE-2026-54264", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-54264 affects version 15.2.9 of @angular/compiler-cli." }, "affects": [ { "ref": "pkg:npm/%40angular/compiler-cli@15.2.9" } ] }, { "bom-ref": "urn:uuid:94d34044-2366-5878-aaeb-9fb904f32322", "id": "CVE-2026-54265", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-54265 does not affect version 15.2.9 of @angular/compiler-cli. not_affected \u2014 Angular 15.2.9-tuxcare.1 is not affected by CVE-2026-54265. The vulnerability requires the new Ivy compiler 'pipeline' architecture with the TwoWayProperty IR operation, which was introduced in Angular 16+. Angular 15.2.9 uses the older compiler architecture where two-way bindings are desugared into separate property and event bindings, causing them to automatically receive the same sanitizatio..." }, "affects": [ { "ref": "pkg:npm/%40angular/compiler-cli@15.2.9" } ] }, { "bom-ref": "urn:uuid:09f818f4-92be-54b4-bf08-745a67862d66", "id": "CVE-2026-54266", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-54266 does not affect version 15.2.9 of @angular/compiler-cli. not_affected \u2014 Angular 15.2.9 is not affected by CVE-2026-54266. The vulnerable HttpTransferCache feature does not exist in this version - it was introduced in Angular v16+. Without this feature, there is no code that hashes HTTP request properties for cache key generation, so the hash collision vulnerability cannot manifest." }, "affects": [ { "ref": "pkg:npm/%40angular/compiler-cli@15.2.9" } ] }, { "bom-ref": "urn:uuid:e9c7d732-68e9-5917-8545-37ce6b5ea330", "id": "CVE-2026-54267", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-54267 affects version 15.2.9 of @angular/compiler-cli." }, "affects": [ { "ref": "pkg:npm/%40angular/compiler-cli@15.2.9" } ] }, { "bom-ref": "urn:uuid:cf42fcc9-2eb8-5e6f-8b05-155ed24ec179", "id": "CVE-2026-54268", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-54268 affects version 15.2.9 of @angular/compiler-cli." }, "affects": [ { "ref": "pkg:npm/%40angular/compiler-cli@15.2.9" } ] } ], "dependencies": [ { "ref": "pkg:npm/%40angular/compiler-cli@15.2.9" } ] }