{
  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "serialNumber": "urn:uuid:c065e850-24c7-56de-8dfe-f56656139e46",
  "version": 1,
  "metadata": {
    "tools": [
      {
        "name": "tuxcare-vex-generator",
        "version": "1.0.0"
      }
    ]
  },
  "components": [
    {
      "bom-ref": "pkg:npm/%40angular/core@12.2.0",
      "type": "library",
      "name": "@angular/core",
      "version": "12.2.0",
      "purl": "pkg:npm/%40angular/core@12.2.0"
    }
  ],
  "vulnerabilities": [
    {
      "bom-ref": "urn:uuid:b2b3ee76-624d-53e4-8776-09255bea010f",
      "id": "CVE-2026-22610",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-22610 affects version 12.2.0 of @angular/core."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/core@12.2.0"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:6ecf22c5-0a57-52b2-a026-032be3ae368f",
      "id": "CVE-2026-27970",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-27970 affects version 12.2.0 of @angular/core."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/core@12.2.0"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:fa36c78a-d521-5cff-a99d-ff12ba1ae672",
      "id": "CVE-2026-41423",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2026-41423 does not affect version 12.2.0 of @angular/core. The target Angular version 12.2.0-tuxcare.2 is NOT AFFECTED by CVE-2026-41423. This version uses the Node.js legacy url.parse() API, which does not parse protocol-relative URLs (//host) as absolute URLs. The vulnerable code pattern, which uses the WHATWG URL API (new URL(urlStr, origin)), was introduced in a later refactoring in October 2023 and does not exist in this version."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/core@12.2.0"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:41b82021-11ed-59de-8aa2-34b7a8eb3fad",
      "id": "CVE-2026-46417",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-46417 affects version 12.2.0 of @angular/core."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/core@12.2.0"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:d6a8e10c-0f62-5db8-8139-52c27f48c45c",
      "id": "CVE-2026-50168",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-50168 affects version 12.2.0 of @angular/core."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/core@12.2.0"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:904a050d-879f-5fd6-b37e-1415056294d5",
      "id": "CVE-2026-50169",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-50169 affects version 12.2.0 of @angular/core."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/core@12.2.0"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:89b09a30-26d1-5e58-951a-8ee65fb183a1",
      "id": "CVE-2026-50170",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2026-50170 does not affect version 12.2.0 of @angular/core. Angular 12.2.0-tuxcare.2 is not affected by CVE-2026-50170. The HTTP transfer cache feature that contains the vulnerability was introduced in Angular v16 (June 2022), approximately one year after Angular 12.2.0 was released (July 2021). The vulnerable component (transfer_cache.ts) and the related APIs (provideClientHydration, withHttpTransferCache) do not exist in this version."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/core@12.2.0"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:64998d6e-8738-5f82-aa29-628d2c5e89a4",
      "id": "CVE-2026-50171",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-50171 affects version 12.2.0 of @angular/core."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/core@12.2.0"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:be8c6184-5acd-5310-84a5-40d46f817885",
      "id": "CVE-2026-50184",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-50184 affects version 12.2.0 of @angular/core."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/core@12.2.0"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:35e04f8c-b651-56f9-81ce-c982ddb3b2cc",
      "id": "CVE-2026-50555",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-50555 affects version 12.2.0 of @angular/core."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/core@12.2.0"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:07ecf2df-9872-5818-a42c-b6aab3948f0b",
      "id": "CVE-2026-50556",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-50556 affects version 12.2.0 of @angular/core."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/core@12.2.0"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:3bb067b1-f03a-52a0-ba35-aff191904b5d",
      "id": "CVE-2026-50557",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-50557 affects version 12.2.0 of @angular/core."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/core@12.2.0"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:7f4e9ce2-33fb-5e37-8b1b-98ff70c44cd2",
      "id": "CVE-2026-52725",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-52725 affects version 12.2.0 of @angular/core."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/core@12.2.0"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:2afe19a6-db8a-5e23-ba94-9a974b12970e",
      "id": "CVE-2026-54264",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2026-54264 does not affect version 12.2.0 of @angular/core. The target repository (Angular 12.2.0-tuxcare.2) is NOT AFFECTED by CVE-2026-54264. The AssetGroup class in this version intentionally strips ALL request metadata (including headers) when fetching assets and creates fresh requests that carry only URLs. This architectural design prevents credential headers from being transmitted to any origin, including on cross-origin redirects. The vulnerable method '..."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/core@12.2.0"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:eeeed2a0-76de-5b02-b33d-2983f6ce9759",
      "id": "CVE-2026-54265",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2026-54265 does not affect version 12.2.0 of @angular/core. Angular 12.2.0 uses the pre-pipeline Ivy architecture, in which two-way bindings desugar through the same parsePropertyBinding() path as one-way bindings, so schema-derived sanitizers are applied automatically. The vulnerability only exists in Angular 14+ with the pipeline architecture that introduced the separate TwoWayProperty operation."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/core@12.2.0"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:ee764b8c-6a50-564e-83f5-38266d30e678",
      "id": "CVE-2026-54266",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2026-54266 does not affect version 12.2.0 of @angular/core. Angular 12.2.0-tuxcare.2 is not affected by CVE-2026-54266. The HttpTransferCache feature and its vulnerable hash-based cache key generation mechanism do not exist in this version. The feature was introduced in Angular v16, while the target is version 12.2.0."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/core@12.2.0"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:0fc8764a-8cea-5841-9351-35d7d64a4c0f",
      "id": "CVE-2026-54267",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-54267 affects version 12.2.0 of @angular/core."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/core@12.2.0"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:714c98c2-373b-5e8e-9564-a229d6e74e3c",
      "id": "CVE-2026-54268",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-54268 affects version 12.2.0 of @angular/core."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/core@12.2.0"
        }
      ]
    }
  ],
  "dependencies": [
    {
      "ref": "pkg:npm/%40angular/core@12.2.0"
    }
  ]
}