{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:e857face-2b76-5c2f-92b4-2a7cd868e9c1", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:npm/%40angular/compiler@15.2.1", "type": "library", "name": "@angular/compiler", "version": "15.2.1", "purl": "pkg:npm/%40angular/compiler@15.2.1" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:082ac4d5-57c3-5ccc-a673-a38be4eae815", "id": "CVE-2025-66412", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-66412 affects version 15.2.1 of @angular/compiler." }, "affects": [ { "ref": "pkg:npm/%40angular/compiler@15.2.1" } ] }, { "bom-ref": "urn:uuid:5f1a1f46-525f-59d1-b4ae-684204ac651b", "id": "CVE-2026-22610", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22610 affects version 15.2.1 of @angular/compiler." }, "affects": [ { "ref": "pkg:npm/%40angular/compiler@15.2.1" } ] }, { "bom-ref": "urn:uuid:aa14b821-359e-51e9-9005-b4c4d3ccb605", "id": "CVE-2026-27970", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-27970 affects version 15.2.1 of @angular/compiler." }, "affects": [ { "ref": "pkg:npm/%40angular/compiler@15.2.1" } ] }, { "bom-ref": "urn:uuid:b5a5aee3-2a06-5e52-a83b-81ef4002a60b", "id": "CVE-2026-41423", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41423 does not affect version 15.2.1 of @angular/compiler. not_affected \u2014 The target Angular version 15.2.1 uses Node.js url.parse() API which does not exhibit the protocol-relative URL hostname override vulnerability. The vulnerable behavior was introduced in Angular 17+ when the code was refactored to use WHATWG new URL() API. Version 15.2.1 is not affected by CVE-2026-41423." }, "affects": [ { "ref": "pkg:npm/%40angular/compiler@15.2.1" } ] }, { "bom-ref": "urn:uuid:b6022250-3020-5343-b849-a5e448080658", "id": "CVE-2026-46417", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-46417 affects version 15.2.1 of @angular/compiler." }, "affects": [ { "ref": "pkg:npm/%40angular/compiler@15.2.1" } ] }, { "bom-ref": "urn:uuid:3ec7d5af-b425-5d3a-9f50-363c0b9f634c", "id": "CVE-2026-50168", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50168 affects version 15.2.1 of @angular/compiler." }, "affects": [ { "ref": "pkg:npm/%40angular/compiler@15.2.1" } ] }, { "bom-ref": "urn:uuid:331753ab-9faa-528c-84b3-a6dff6f5f39c", "id": "CVE-2026-50169", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50169 affects version 15.2.1 of @angular/compiler." }, "affects": [ { "ref": "pkg:npm/%40angular/compiler@15.2.1" } ] }, { "bom-ref": "urn:uuid:61631d11-4955-5b6c-abcc-8f32c0b1b19a", "id": "CVE-2026-50170", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-50170 does not affect version 15.2.1 of @angular/compiler. not_affected \u2014 Angular 15.2.1 is not affected by CVE-2026-50170. The HTTP transfer cache feature that contains the vulnerability was introduced in Angular v16+ and does not exist in version 15.2.1. The target repository lacks the entire affected component (packages/common/http/src/transfer_cache.ts) and all related transfer cache functionality." }, "affects": [ { "ref": "pkg:npm/%40angular/compiler@15.2.1" } ] }, { "bom-ref": "urn:uuid:7c1bed4e-b46c-5e0a-bde9-3131138dbb23", "id": "CVE-2026-50171", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50171 affects version 15.2.1 of @angular/compiler." }, "affects": [ { "ref": "pkg:npm/%40angular/compiler@15.2.1" } ] }, { "bom-ref": "urn:uuid:1796fc01-1d0d-542a-9281-6e276c3920b0", "id": "CVE-2026-50184", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50184 affects version 15.2.1 of @angular/compiler." }, "affects": [ { "ref": "pkg:npm/%40angular/compiler@15.2.1" } ] }, { "bom-ref": "urn:uuid:2a00b7cb-84d2-5e4c-b918-201f2d7893f6", "id": "CVE-2026-50555", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50555 affects version 15.2.1 of @angular/compiler." }, "affects": [ { "ref": "pkg:npm/%40angular/compiler@15.2.1" } ] }, { "bom-ref": "urn:uuid:45b88e0f-2972-5224-8e21-17a2acd3e468", "id": "CVE-2026-50556", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50556 affects version 15.2.1 of @angular/compiler." }, "affects": [ { "ref": "pkg:npm/%40angular/compiler@15.2.1" } ] }, { "bom-ref": "urn:uuid:6711e0aa-6a90-5d38-91b8-f959900d16be", "id": "CVE-2026-50557", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50557 affects version 15.2.1 of @angular/compiler." }, "affects": [ { "ref": "pkg:npm/%40angular/compiler@15.2.1" } ] }, { "bom-ref": "urn:uuid:2404b330-d48f-507b-87bf-cf5abfe47fc8", "id": "CVE-2026-52725", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-52725 affects version 15.2.1 of @angular/compiler." }, "affects": [ { "ref": "pkg:npm/%40angular/compiler@15.2.1" } ] }, { "bom-ref": "urn:uuid:a3f33378-1ced-5bd6-b3bc-b99e6ed128ea", "id": "CVE-2026-54264", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-54264 affects version 15.2.1 of @angular/compiler." }, "affects": [ { "ref": "pkg:npm/%40angular/compiler@15.2.1" } ] }, { "bom-ref": "urn:uuid:0086b3ef-b885-562c-b7c5-c523d2993374", "id": "CVE-2026-54265", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-54265 does not affect version 15.2.1 of @angular/compiler. not_affected \u2014 Angular 15.2.1-tuxcare.1 is NOT AFFECTED by CVE-2026-54265. The vulnerability exists only in Angular 16+ where the template pipeline architecture introduced a TwoWayProperty operation kind that was missing from the sanitizer resolution switch. Angular 15.2.1 uses the pre-pipeline Ivy compiler where two-way bindings desugar through the same parsePropertyBinding() as one-way bindings, inheriting ..." }, "affects": [ { "ref": "pkg:npm/%40angular/compiler@15.2.1" } ] }, { "bom-ref": "urn:uuid:830cb8ab-57e9-5e9c-b0ef-4a6458af09b0", "id": "CVE-2026-54266", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-54266 does not affect version 15.2.1 of @angular/compiler. not_affected \u2014 Angular 15.2.1 does not contain the HttpTransferCache feature, which was introduced in Angular 16.0.0. The vulnerable code path involving hash-based HTTP request caching does not exist in this version." }, "affects": [ { "ref": "pkg:npm/%40angular/compiler@15.2.1" } ] }, { "bom-ref": "urn:uuid:a2f7eb0e-bc1e-5a55-8ee0-bba1dfcc758a", "id": "CVE-2026-54267", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-54267 affects version 15.2.1 of @angular/compiler." }, "affects": [ { "ref": "pkg:npm/%40angular/compiler@15.2.1" } ] }, { "bom-ref": "urn:uuid:4a1843df-4dff-5cb3-950a-171f0519ebda", "id": "CVE-2026-54268", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-54268 affects version 15.2.1 of @angular/compiler." }, "affects": [ { "ref": "pkg:npm/%40angular/compiler@15.2.1" } ] } ], "dependencies": [ { "ref": "pkg:npm/%40angular/compiler@15.2.1" } ] }