{
  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "serialNumber": "urn:uuid:8945c029-4a4a-5ae2-b1e3-0f9ea2337b31",
  "version": 1,
  "metadata": {
    "tools": [
      {
        "name": "tuxcare-vex-generator",
        "version": "1.0.0"
      }
    ]
  },
  "components": [
    {
      "bom-ref": "pkg:npm/%40angular/compiler-cli@4.3.5",
      "type": "library",
      "name": "@angular/compiler-cli",
      "version": "4.3.5",
      "purl": "pkg:npm/%40angular/compiler-cli@4.3.5"
    }
  ],
  "vulnerabilities": [
    {
      "bom-ref": "urn:uuid:a48e5c16-7067-5efc-a0ef-aa4c0a28667c",
      "id": "CVE-2021-4231",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2021-4231 affects version 4.3.5 of @angular/compiler-cli."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/compiler-cli@4.3.5"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:2040ecdc-8d36-5d50-a52d-15892830453e",
      "id": "CVE-2026-22610",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-22610 affects version 4.3.5 of @angular/compiler-cli."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/compiler-cli@4.3.5"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:f0c2b953-707d-5be8-9419-04b6c447270f",
      "id": "CVE-2026-27970",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2026-27970 does not affect version 4.3.5 of @angular/compiler-cli. not_affected \u2014 Angular 4.3.5 is not affected by CVE-2026-27970. The vulnerability requires the Ivy rendering engine's runtime ICU processing (walkIcuTree function in render3/i18n/i18n_parse.ts), which does not exist in Angular 4.3.5. Angular 4 uses the View Engine architecture with compile-time i18n processing, preventing the attack chain from completing."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/compiler-cli@4.3.5"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:907ec78d-ea84-5db2-8e59-6ef10ef5946f",
      "id": "CVE-2026-41423",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2026-41423 does not affect version 4.3.5 of @angular/compiler-cli. not_affected \u2014 Angular 4.3.5 is not affected by CVE-2026-41423. The target uses the legacy Node.js url.parse() API instead of the WHATWG URL API, and ServerPlatformLocation does not expose hostname/protocol/port fields. The vulnerability pattern cannot manifest in this architecture."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/compiler-cli@4.3.5"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:26bcb44d-8d50-5768-96a2-60ccecfdda9c",
      "id": "CVE-2026-46417",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-46417 affects version 4.3.5 of @angular/compiler-cli."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/compiler-cli@4.3.5"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:ca8a9f43-4cc7-5f64-a428-402bf5827790",
      "id": "CVE-2026-50168",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2026-50168 does not affect version 4.3.5 of @angular/compiler-cli. not_affected \u2014 The target repository (Angular v4.3.5-tuxcare.2) is not affected by CVE-2026-50168. The vulnerability requires features and code paths that do not exist in this older Angular version. The target uses a fundamentally different architecture: Node's url.parse() instead of WHATWG URL API, parseDocument() does not accept a URL parameter, no relativeUrlsTransformerInterceptorFn for URL transformation..."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/compiler-cli@4.3.5"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:06a8ee96-7d62-5221-aac8-514c1efccc97",
      "id": "CVE-2026-50170",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2026-50170 does not affect version 4.3.5 of @angular/compiler-cli. not_affected \u2014 no supporting evidence was captured for this determination."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/compiler-cli@4.3.5"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:a08a690f-b5e1-5076-95d3-3723d2d23ab6",
      "id": "CVE-2026-50171",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2026-50171 does not affect version 4.3.5 of @angular/compiler-cli. not_affected \u2014 Angular 4.3.5 is not affected by CVE-2026-50171. This version uses the native Intl.NumberFormat API which has built-in ECMAScript-specified bounds checking (minimumIntegerDigits: 1-21, fractionDigits: 0-20). When large digit values are provided, Intl.NumberFormat throws a RangeError instead of causing resource exhaustion. The vulnerable roundNumber function with unbounded array allocation exist..."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/compiler-cli@4.3.5"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:8b971328-47e7-514e-b0c1-d8e6d5785594",
      "id": "CVE-2026-52725",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2026-52725 does not affect version 4.3.5 of @angular/compiler-cli. not_affected \u2014 Angular v4.3.5 is not affected by CVE-2026-52725. This version uses View Engine exclusively and lacks both the vulnerable Ivy render3/locateHostElement code path and the public createComponent({hostElement}) API (introduced in v14+) that enables exploitation. The vulnerability is specific to Ivy's component mounting implementation."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/compiler-cli@4.3.5"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:83a6acf4-e470-5a8a-9a5b-ea6e9a5d8cb0",
      "id": "CVE-2026-54265",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2026-54265 does not affect version 4.3.5 of @angular/compiler-cli. not_affected \u2014 Angular 4.3.5-tuxcare.2 uses View Engine, not Ivy. The CVE-2026-54265 vulnerability is specific to Ivy's TwoWayProperty operation in the template compiler pipeline, which does not exist in View Engine. In View Engine, two-way bindings [(prop)] and bindon-prop desugar through the same parsePropertyBinding() code path as one-way bindings [prop], ensuring they receive identical schema-derived sani..."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/compiler-cli@4.3.5"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:a55301f3-f320-5104-9b91-09537a4a1c39",
      "id": "CVE-2026-54266",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2026-54266 does not affect version 4.3.5 of @angular/compiler-cli. not_affected \u2014 Angular 4.3.5 is NOT affected by CVE-2026-54266. The vulnerable HttpTransferCache feature does not exist in this version - it was introduced in Angular v16+. Without the transfer cache mechanism, there is no hash function to collide, no cache to poison, and no attack surface for this vulnerability."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/compiler-cli@4.3.5"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:d5f9f4c8-86e0-573b-83dd-a6c5e990d976",
      "id": "CVE-2026-54267",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2026-54267 does not affect version 4.3.5 of @angular/compiler-cli. not_affected \u2014 Angular v4.3.5 is not affected by CVE-2026-54267. The SSR Hydration TransferState feature that contains the DOM clobbering vulnerability was introduced in Angular v16. Version 4.3.5 does not contain the vulnerable code pattern (getElementById followed by JSON.parse of textContent for hydration state), the TransferState APIs, or any client-side hydration mechanism."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/compiler-cli@4.3.5"
        }
      ]
    }
  ],
  "dependencies": [
    {
      "ref": "pkg:npm/%40angular/compiler-cli@4.3.5"
    }
  ]
}