{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:ed206ea5-5c7d-56eb-95c7-9749d275baf2", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:npm/%40angular/core@10.2.5-tuxcare.6", "type": "library", "name": "@angular/core", "version": "10.2.5-tuxcare.6", "purl": "pkg:npm/%40angular/core@10.2.5-tuxcare.6" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:079152c2-8d32-5ead-8bce-d69f9daf021d", "id": "CVE-2021-4231", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2021-4231 does not affect version 10.2.5-tuxcare.6 of @angular/core. already_fixed \u2014 CVE-2021-4231 XSS vulnerability through HTML comment injection in SSR is already fixed in Angular 10.2.5-tuxcare.7. The target contains the complete escapeCommentText defense function and applies it correctly in all vulnerable code paths where user-controlled binding values are inserted into HTML comment nodes during debug/development mode." }, "affects": [ { "ref": "pkg:npm/%40angular/core@10.2.5-tuxcare.6" } ] }, { "bom-ref": "urn:uuid:72ad31e6-8df5-5a63-b48f-9570fd3f0467", "id": "CVE-2025-66035", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-66035 affects version 10.2.5-tuxcare.6 of @angular/core." }, "affects": [ { "ref": "pkg:npm/%40angular/core@10.2.5-tuxcare.6" } ] }, { "bom-ref": "urn:uuid:1bf39387-e446-5655-8959-fb6ee2c7707c", "id": "CVE-2025-66412", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-66412 is fixed in version 10.2.5-tuxcare.6 of @angular/core." }, "affects": [ { "ref": "pkg:npm/%40angular/core@10.2.5-tuxcare.6" } ] }, { "bom-ref": "urn:uuid:5b915030-03d3-5bb6-8ed4-53cf87d2c997", "id": "CVE-2026-22610", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22610 is fixed in version 10.2.5-tuxcare.6 of @angular/core." }, "affects": [ { "ref": "pkg:npm/%40angular/core@10.2.5-tuxcare.6" } ] }, { "bom-ref": "urn:uuid:07382b52-5782-572e-a315-10d7ceadb6f3", "id": "CVE-2026-27970", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-27970 is fixed in version 10.2.5-tuxcare.6 of @angular/core." }, "affects": [ { "ref": "pkg:npm/%40angular/core@10.2.5-tuxcare.6" } ] }, { "bom-ref": "urn:uuid:c2ca1887-3517-5ac2-b98d-7b906632b812", "id": "CVE-2026-41423", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-41423 is fixed in version 10.2.5-tuxcare.6 of @angular/core." }, "affects": [ { "ref": "pkg:npm/%40angular/core@10.2.5-tuxcare.6" } ] }, { "bom-ref": "urn:uuid:cf53d606-8fa0-510b-96a2-d928f84aef9e", "id": "CVE-2026-46417", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-46417 affects version 10.2.5-tuxcare.6 of @angular/core." }, "affects": [ { "ref": "pkg:npm/%40angular/core@10.2.5-tuxcare.6" } ] }, { "bom-ref": "urn:uuid:0395d8ec-da41-56af-be0e-29f9c7207495", "id": "CVE-2026-50168", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50168 affects version 10.2.5-tuxcare.6 of @angular/core." }, "affects": [ { "ref": "pkg:npm/%40angular/core@10.2.5-tuxcare.6" } ] }, { "bom-ref": "urn:uuid:dfe6e2a9-bb02-504f-b258-874b45b59277", "id": "CVE-2026-50169", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50169 affects version 10.2.5-tuxcare.6 of @angular/core." }, "affects": [ { "ref": "pkg:npm/%40angular/core@10.2.5-tuxcare.6" } ] }, { "bom-ref": "urn:uuid:18d80db5-22cc-52ae-bfee-beb9f9fd2dd4", "id": "CVE-2026-50170", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-50170 does not affect version 10.2.5-tuxcare.6 of @angular/core. not_affected \u2014 Angular v10.2.5-tuxcare.7 is NOT AFFECTED by CVE-2026-50170. The HTTP transfer cache feature that contains the vulnerability does not exist in this version. The feature was introduced in Angular v16 (released 2023), while v10.2.5 was released in April 2021." }, "affects": [ { "ref": "pkg:npm/%40angular/core@10.2.5-tuxcare.6" } ] }, { "bom-ref": "urn:uuid:4b1b8afb-edc9-519b-858d-5edb180271f8", "id": "CVE-2026-50171", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50171 affects version 10.2.5-tuxcare.6 of @angular/core." }, "affects": [ { "ref": "pkg:npm/%40angular/core@10.2.5-tuxcare.6" } ] }, { "bom-ref": "urn:uuid:7405afbe-0dad-587c-9ba0-ec1bbbe3b846", "id": "CVE-2026-50184", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50184 affects version 10.2.5-tuxcare.6 of @angular/core." }, "affects": [ { "ref": "pkg:npm/%40angular/core@10.2.5-tuxcare.6" } ] }, { "bom-ref": "urn:uuid:3da8c7d5-42c5-5075-9884-d8d793135dcd", "id": "CVE-2026-50555", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50555 affects version 10.2.5-tuxcare.6 of @angular/core." }, "affects": [ { "ref": "pkg:npm/%40angular/core@10.2.5-tuxcare.6" } ] }, { "bom-ref": "urn:uuid:4affced3-3f74-5916-a876-41bf1ac450f0", "id": "CVE-2026-50556", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50556 affects version 10.2.5-tuxcare.6 of @angular/core." }, "affects": [ { "ref": "pkg:npm/%40angular/core@10.2.5-tuxcare.6" } ] }, { "bom-ref": "urn:uuid:219c1d4f-d75c-5738-94aa-f5307a9be177", "id": "CVE-2026-50557", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50557 affects version 10.2.5-tuxcare.6 of @angular/core." }, "affects": [ { "ref": "pkg:npm/%40angular/core@10.2.5-tuxcare.6" } ] }, { "bom-ref": "urn:uuid:50921c21-1f34-584a-b4f1-8949dfce079d", "id": "CVE-2026-52725", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-52725 affects version 10.2.5-tuxcare.6 of @angular/core." }, "affects": [ { "ref": "pkg:npm/%40angular/core@10.2.5-tuxcare.6" } ] }, { "bom-ref": "urn:uuid:f39a174a-a076-5c51-abd3-ff596090a154", "id": "CVE-2026-54264", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-54264 does not affect version 10.2.5-tuxcare.6 of @angular/core. not_affected \u2014 Angular version 10.2.5-tuxcare.7 is NOT affected by CVE-2026-54264. The service worker in this version does not preserve request headers when creating network requests, making it impossible for sensitive headers to leak on cross-origin redirects. The vulnerable code pattern (newRequestWithMetadata with header preservation) does not exist in this version." }, "affects": [ { "ref": "pkg:npm/%40angular/core@10.2.5-tuxcare.6" } ] }, { "bom-ref": "urn:uuid:53dc02af-0cb5-5bd0-90cd-92527d840ec0", "id": "CVE-2026-54265", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-54265 does not affect version 10.2.5-tuxcare.6 of @angular/core. not_affected \u2014 Angular 10.2.5-tuxcare.7 is NOT affected by CVE-2026-54265. The vulnerability requires the Ivy template compiler pipeline architecture with separate TwoWayProperty operations, which was introduced in Angular 20+. This version uses an early Ivy architecture where two-way bindings desugar through the same parsePropertyBinding() code path as one-way bindings, automatically receiving the same sanit..." }, "affects": [ { "ref": "pkg:npm/%40angular/core@10.2.5-tuxcare.6" } ] }, { "bom-ref": "urn:uuid:faf6f020-0cb6-5af4-9f63-2f82e585ef38", "id": "CVE-2026-54266", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-54266 does not affect version 10.2.5-tuxcare.6 of @angular/core. not_affected \u2014 Angular v10.2.5 is not affected by CVE-2026-54266. The vulnerable HttpTransferCache feature with weak DJB2 hashing does not exist in this version\u2014it was introduced in Angular v16+. Exhaustive searches confirm the complete absence of transfer_cache.ts, generateHash function, and all HttpTransferCache-related code." }, "affects": [ { "ref": "pkg:npm/%40angular/core@10.2.5-tuxcare.6" } ] }, { "bom-ref": "urn:uuid:9fea5581-264b-541d-b703-c4729e540832", "id": "CVE-2026-54267", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-54267 affects version 10.2.5-tuxcare.6 of @angular/core." }, "affects": [ { "ref": "pkg:npm/%40angular/core@10.2.5-tuxcare.6" } ] }, { "bom-ref": "urn:uuid:5339a936-7b0a-5fcc-a2db-cc087d6819b1", "id": "CVE-2026-54268", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-54268 affects version 10.2.5-tuxcare.6 of @angular/core." }, "affects": [ { "ref": "pkg:npm/%40angular/core@10.2.5-tuxcare.6" } ] } ], "dependencies": [ { "ref": "pkg:npm/%40angular/core@10.2.5-tuxcare.6" } ] }