{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:f12e68c9-b7f6-5de6-a472-c5850281b179", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:npm/%40angular/compiler@14.2.12-tuxcare.1", "type": "library", "name": "@angular/compiler", "version": "14.2.12-tuxcare.1", "purl": "pkg:npm/%40angular/compiler@14.2.12-tuxcare.1" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:95499c74-2007-5f6c-b460-2b276253a324", "id": "CVE-2025-66035", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-66035 is fixed in version 14.2.12-tuxcare.1 of @angular/compiler." }, "affects": [ { "ref": "pkg:npm/%40angular/compiler@14.2.12-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:90ef00e7-2398-5579-a7b9-0302c7591b2e", "id": "CVE-2025-66412", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-66412 affects version 14.2.12-tuxcare.1 of @angular/compiler." }, "affects": [ { "ref": "pkg:npm/%40angular/compiler@14.2.12-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:488678e7-c78c-57d3-8894-4308f46ebb2f", "id": "CVE-2026-22610", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22610 affects version 14.2.12-tuxcare.1 of @angular/compiler." }, "affects": [ { "ref": "pkg:npm/%40angular/compiler@14.2.12-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:9772f422-0094-5e5e-8dc2-ecae7931bacf", "id": "CVE-2026-27970", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-27970 affects version 14.2.12-tuxcare.1 of @angular/compiler." }, "affects": [ { "ref": "pkg:npm/%40angular/compiler@14.2.12-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:87ae0b73-f511-536c-8e83-5b5065943fdd", "id": "CVE-2026-41423", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41423 affects version 14.2.12-tuxcare.1 of @angular/compiler." }, "affects": [ { "ref": "pkg:npm/%40angular/compiler@14.2.12-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:edb19f02-0030-5d1c-8e08-98ea4d0a1a0a", "id": "CVE-2026-46417", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-46417 affects version 14.2.12-tuxcare.1 of @angular/compiler." }, "affects": [ { "ref": "pkg:npm/%40angular/compiler@14.2.12-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:566ed584-a493-5657-b53d-fd319309f643", "id": "CVE-2026-50168", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50168 affects version 14.2.12-tuxcare.1 of @angular/compiler." }, "affects": [ { "ref": "pkg:npm/%40angular/compiler@14.2.12-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:4cd1e6e5-3c95-5fcb-bf24-dca9ecdc7743", "id": "CVE-2026-50169", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50169 affects version 14.2.12-tuxcare.1 of @angular/compiler." }, "affects": [ { "ref": "pkg:npm/%40angular/compiler@14.2.12-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:a4785fa3-c4d1-5e84-8060-2a1971f420e2", "id": "CVE-2026-50170", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-50170 does not affect version 14.2.12-tuxcare.1 of @angular/compiler. not_affected \u2014 Angular v14.2.12-tuxcare.1 is not affected by CVE-2026-50170. The HTTP TransferCache feature and client hydration mechanism that contain the vulnerability were introduced in Angular v16+. This version predates that feature introduction and does not have the vulnerable code path." }, "affects": [ { "ref": "pkg:npm/%40angular/compiler@14.2.12-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:7ce807ba-6989-503d-8ef2-f79a8f35eace", "id": "CVE-2026-50171", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50171 affects version 14.2.12-tuxcare.1 of @angular/compiler." }, "affects": [ { "ref": "pkg:npm/%40angular/compiler@14.2.12-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:2592ad0b-1225-5334-8fe2-fceffae53544", "id": "CVE-2026-50184", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50184 affects version 14.2.12-tuxcare.1 of @angular/compiler." }, "affects": [ { "ref": "pkg:npm/%40angular/compiler@14.2.12-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:ccc1a67c-0004-567d-980f-0f6dd39d79c1", "id": "CVE-2026-50555", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50555 affects version 14.2.12-tuxcare.1 of @angular/compiler." }, "affects": [ { "ref": "pkg:npm/%40angular/compiler@14.2.12-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:6feff6cc-0ffe-5216-a45a-e8d52cb7f844", "id": "CVE-2026-50556", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50556 affects version 14.2.12-tuxcare.1 of @angular/compiler." }, "affects": [ { "ref": "pkg:npm/%40angular/compiler@14.2.12-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:bacd2079-c080-543b-bc33-c10b8c4ad529", "id": "CVE-2026-50557", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50557 affects version 14.2.12-tuxcare.1 of @angular/compiler." }, "affects": [ { "ref": "pkg:npm/%40angular/compiler@14.2.12-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:6305aefb-894c-51bd-9cbd-745c63a9db05", "id": "CVE-2026-52725", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-52725 affects version 14.2.12-tuxcare.1 of @angular/compiler." }, "affects": [ { "ref": "pkg:npm/%40angular/compiler@14.2.12-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:0e5f2bf4-435b-5cbc-96c5-9f405fc5c8e9", "id": "CVE-2026-54264", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-54264 affects version 14.2.12-tuxcare.1 of @angular/compiler." }, "affects": [ { "ref": "pkg:npm/%40angular/compiler@14.2.12-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:1d69718f-0096-5a2f-a1ef-a4607d6631d0", "id": "CVE-2026-54265", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-54265 does not affect version 14.2.12-tuxcare.1 of @angular/compiler. not_affected \u2014 Angular 14.2.12-tuxcare.1 is not affected by CVE-2026-54265. This version uses the pre-pipeline compiler architecture where two-way bindings are desugared into separate property and event bindings, both of which go through proper sanitization. The vulnerability only exists in Angular 17.3.0+ where the template pipeline with TwoWayProperty IR operation was introduced." }, "affects": [ { "ref": "pkg:npm/%40angular/compiler@14.2.12-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:0cc90ef1-6b88-556a-9ee9-d88c257efde3", "id": "CVE-2026-54266", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-54266 does not affect version 14.2.12-tuxcare.1 of @angular/compiler. not_affected \u2014 Angular 14.2.12 is not affected by CVE-2026-54266. The vulnerable HttpTransferCache feature does not exist in this version - it was introduced in Angular v16+. The target has no code path that generates cache keys from HTTP request parameters, and therefore cannot experience cache key collisions." }, "affects": [ { "ref": "pkg:npm/%40angular/compiler@14.2.12-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:df2173ab-f933-596a-b772-240b10a97bbf", "id": "CVE-2026-54267", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-54267 affects version 14.2.12-tuxcare.1 of @angular/compiler." }, "affects": [ { "ref": "pkg:npm/%40angular/compiler@14.2.12-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:fcdfa540-352f-549d-a242-14f72c58e493", "id": "CVE-2026-54268", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-54268 affects version 14.2.12-tuxcare.1 of @angular/compiler." }, "affects": [ { "ref": "pkg:npm/%40angular/compiler@14.2.12-tuxcare.1" } ] } ], "dependencies": [ { "ref": "pkg:npm/%40angular/compiler@14.2.12-tuxcare.1" } ] }