{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:38bd70cf-ae8b-58a4-9dae-a407e5cf8f8b", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:npm/%40angular/core@14.2.12", "type": "library", "name": "@angular/core", "version": "14.2.12", "purl": "pkg:npm/%40angular/core@14.2.12" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:a1bee89b-cd1e-5cad-91e7-e7169998c8b7", "id": "CVE-2025-66412", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-66412 affects version 14.2.12 of @angular/core." }, "affects": [ { "ref": "pkg:npm/%40angular/core@14.2.12" } ] }, { "bom-ref": "urn:uuid:a6b64206-8116-56fc-a3f3-0e33f641a0d5", "id": "CVE-2026-22610", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22610 affects version 14.2.12 of @angular/core." }, "affects": [ { "ref": "pkg:npm/%40angular/core@14.2.12" } ] }, { "bom-ref": "urn:uuid:e1a21fc2-ae2c-5062-8236-abc726bd8dec", "id": "CVE-2026-27970", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-27970 affects version 14.2.12 of @angular/core." }, "affects": [ { "ref": "pkg:npm/%40angular/core@14.2.12" } ] }, { "bom-ref": "urn:uuid:1842fb44-7cbf-574c-b050-98b6bee8e11e", "id": "CVE-2026-41423", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41423 affects version 14.2.12 of @angular/core." }, "affects": [ { "ref": "pkg:npm/%40angular/core@14.2.12" } ] }, { "bom-ref": "urn:uuid:8f3247fc-7ef0-57d8-a89e-cd47f352981e", "id": "CVE-2026-46417", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-46417 affects version 14.2.12 of @angular/core." }, "affects": [ { "ref": "pkg:npm/%40angular/core@14.2.12" } ] }, { "bom-ref": "urn:uuid:67f6b940-2af2-5a91-9b42-b08ce3b6f786", "id": "CVE-2026-50168", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50168 affects version 14.2.12 of @angular/core." }, "affects": [ { "ref": "pkg:npm/%40angular/core@14.2.12" } ] }, { "bom-ref": "urn:uuid:b9e419a0-c306-5570-a6d1-67c6c49a61ab", "id": "CVE-2026-50169", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50169 affects version 14.2.12 of @angular/core." }, "affects": [ { "ref": "pkg:npm/%40angular/core@14.2.12" } ] }, { "bom-ref": "urn:uuid:4c8f4470-06f2-5b4c-93a0-95d3cddcc4eb", "id": "CVE-2026-50170", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-50170 does not affect version 14.2.12 of @angular/core. not_affected \u2014 Angular v14.2.12-tuxcare.1 is not affected by CVE-2026-50170. The HTTP TransferCache feature and client hydration mechanism that contain the vulnerability were introduced in Angular v16+. This version predates that feature introduction and does not have the vulnerable code path." }, "affects": [ { "ref": "pkg:npm/%40angular/core@14.2.12" } ] }, { "bom-ref": "urn:uuid:240a3730-a30f-50f1-88fa-072b607a2d59", "id": "CVE-2026-50171", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50171 affects version 14.2.12 of @angular/core." }, "affects": [ { "ref": "pkg:npm/%40angular/core@14.2.12" } ] }, { "bom-ref": "urn:uuid:383e2bf5-1869-536b-8f8f-027a10d2c00b", "id": "CVE-2026-50184", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50184 affects version 14.2.12 of @angular/core." }, "affects": [ { "ref": "pkg:npm/%40angular/core@14.2.12" } ] }, { "bom-ref": "urn:uuid:34c0d25b-f09e-5e03-baa1-591c4515adf9", "id": "CVE-2026-50555", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50555 affects version 14.2.12 of @angular/core." }, "affects": [ { "ref": "pkg:npm/%40angular/core@14.2.12" } ] }, { "bom-ref": "urn:uuid:04c30d8e-ec83-5c9a-84ef-55a71fdd029d", "id": "CVE-2026-50556", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50556 affects version 14.2.12 of @angular/core." }, "affects": [ { "ref": "pkg:npm/%40angular/core@14.2.12" } ] }, { "bom-ref": "urn:uuid:39068a7d-3571-5181-9ef1-d976bc270f8d", "id": "CVE-2026-50557", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50557 affects version 14.2.12 of @angular/core." }, "affects": [ { "ref": "pkg:npm/%40angular/core@14.2.12" } ] }, { "bom-ref": "urn:uuid:d340e4a2-ae58-5b58-9aa9-aa3ebedcfbce", "id": "CVE-2026-52725", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-52725 affects version 14.2.12 of @angular/core." }, "affects": [ { "ref": "pkg:npm/%40angular/core@14.2.12" } ] }, { "bom-ref": "urn:uuid:e244702b-9c57-5e05-be55-b2c9086557ae", "id": "CVE-2026-54264", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-54264 affects version 14.2.12 of @angular/core." }, "affects": [ { "ref": "pkg:npm/%40angular/core@14.2.12" } ] }, { "bom-ref": "urn:uuid:9215b5ac-ff69-5f67-8c52-0efcb26a974e", "id": "CVE-2026-54265", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-54265 does not affect version 14.2.12 of @angular/core. not_affected \u2014 Angular 14.2.12-tuxcare.1 is not affected by CVE-2026-54265. This version uses the pre-pipeline compiler architecture where two-way bindings are desugared into separate property and event bindings, both of which go through proper sanitization. The vulnerability only exists in Angular 17.3.0+ where the template pipeline with TwoWayProperty IR operation was introduced." }, "affects": [ { "ref": "pkg:npm/%40angular/core@14.2.12" } ] }, { "bom-ref": "urn:uuid:f5c24722-fd46-5f3e-9217-b2a1331b42e9", "id": "CVE-2026-54266", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-54266 does not affect version 14.2.12 of @angular/core. not_affected \u2014 Angular 14.2.12 is not affected by CVE-2026-54266. The vulnerable HttpTransferCache feature does not exist in this version - it was introduced in Angular v16+. The target has no code path that generates cache keys from HTTP request parameters, and therefore cannot experience cache key collisions." }, "affects": [ { "ref": "pkg:npm/%40angular/core@14.2.12" } ] }, { "bom-ref": "urn:uuid:b566900f-7165-5376-80ac-4dd9436d6dd8", "id": "CVE-2026-54267", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-54267 affects version 14.2.12 of @angular/core." }, "affects": [ { "ref": "pkg:npm/%40angular/core@14.2.12" } ] }, { "bom-ref": "urn:uuid:ab1e33af-71d0-5003-a93a-9af2782640d6", "id": "CVE-2026-54268", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-54268 affects version 14.2.12 of @angular/core." }, "affects": [ { "ref": "pkg:npm/%40angular/core@14.2.12" } ] } ], "dependencies": [ { "ref": "pkg:npm/%40angular/core@14.2.12" } ] }