{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:d2e3adcf-274f-531e-9556-42481e1216e2", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:npm/%40angular/core@15.0.3-tuxcare.1", "type": "library", "name": "@angular/core", "version": "15.0.3-tuxcare.1", "purl": "pkg:npm/%40angular/core@15.0.3-tuxcare.1" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:cac56074-4f71-5c1d-a871-b64d5f0057f6", "id": "CVE-2025-66035", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-66035 is fixed in version 15.0.3-tuxcare.1 of @angular/core." }, "affects": [ { "ref": "pkg:npm/%40angular/core@15.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:bd052b97-d1f3-5d74-8e08-01f860a9123b", "id": "CVE-2025-66412", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-66412 affects version 15.0.3-tuxcare.1 of @angular/core." }, "affects": [ { "ref": "pkg:npm/%40angular/core@15.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:e449174c-8b2d-57d1-bf16-cecef0bca9fe", "id": "CVE-2026-22610", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22610 affects version 15.0.3-tuxcare.1 of @angular/core." }, "affects": [ { "ref": "pkg:npm/%40angular/core@15.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:7e208bc2-ddba-5dab-8dfc-598aecbc3874", "id": "CVE-2026-27970", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-27970 affects version 15.0.3-tuxcare.1 of @angular/core." }, "affects": [ { "ref": "pkg:npm/%40angular/core@15.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:35a2dc90-ae90-55e0-986f-90b5f70bcc92", "id": "CVE-2026-41423", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41423 affects version 15.0.3-tuxcare.1 of @angular/core." }, "affects": [ { "ref": "pkg:npm/%40angular/core@15.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:def30ec9-7339-5069-94a1-1bb32a3962bb", "id": "CVE-2026-46417", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-46417 affects version 15.0.3-tuxcare.1 of @angular/core." }, "affects": [ { "ref": "pkg:npm/%40angular/core@15.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:47803942-bf4d-5f5b-8076-c60aa1a97208", "id": "CVE-2026-50168", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50168 affects version 15.0.3-tuxcare.1 of @angular/core." }, "affects": [ { "ref": "pkg:npm/%40angular/core@15.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:7c9ea7f2-7987-5998-b7d6-ab06964ad3c5", "id": "CVE-2026-50169", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50169 affects version 15.0.3-tuxcare.1 of @angular/core." }, "affects": [ { "ref": "pkg:npm/%40angular/core@15.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:4447473f-e1ee-5dbe-8844-dcf06507363c", "id": "CVE-2026-50170", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-50170 does not affect version 15.0.3-tuxcare.1 of @angular/core. not_affected \u2014 Angular 15.0.3-tuxcare.1 is NOT affected by CVE-2026-50170. The HTTP TransferCache feature that is vulnerable in later Angular versions (v16+) does not exist in this version. The vulnerable code (transfer_cache.ts, hasAuthHeaders(), shouldCacheRequest(), withHttpTransferCache, provideClientHydration) is absent from Angular 15.0.3." }, "affects": [ { "ref": "pkg:npm/%40angular/core@15.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:3bda2bbd-71bc-5784-987e-013bd2f8fb9e", "id": "CVE-2026-50171", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50171 affects version 15.0.3-tuxcare.1 of @angular/core." }, "affects": [ { "ref": "pkg:npm/%40angular/core@15.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:a9ff2afb-f2a7-583f-8f00-edde68b92cd9", "id": "CVE-2026-50184", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50184 affects version 15.0.3-tuxcare.1 of @angular/core." }, "affects": [ { "ref": "pkg:npm/%40angular/core@15.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:c9410544-feb5-5007-917f-f65fa768897b", "id": "CVE-2026-50555", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50555 affects version 15.0.3-tuxcare.1 of @angular/core." }, "affects": [ { "ref": "pkg:npm/%40angular/core@15.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:8afe0a6d-9b5c-5757-9d13-5df891162c41", "id": "CVE-2026-50556", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50556 affects version 15.0.3-tuxcare.1 of @angular/core." }, "affects": [ { "ref": "pkg:npm/%40angular/core@15.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:609a9c55-fb77-55a2-b536-b1a65ccb8607", "id": "CVE-2026-50557", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50557 affects version 15.0.3-tuxcare.1 of @angular/core." }, "affects": [ { "ref": "pkg:npm/%40angular/core@15.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:87a38c39-74ec-5852-8daf-bc6b26156b49", "id": "CVE-2026-52725", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-52725 affects version 15.0.3-tuxcare.1 of @angular/core." }, "affects": [ { "ref": "pkg:npm/%40angular/core@15.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:b6189827-c39b-5ea2-aa39-72ae52162cba", "id": "CVE-2026-54264", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-54264 affects version 15.0.3-tuxcare.1 of @angular/core." }, "affects": [ { "ref": "pkg:npm/%40angular/core@15.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:492302c1-05c8-51b5-9d5f-f708a0d7ee2a", "id": "CVE-2026-54265", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-54265 does not affect version 15.0.3-tuxcare.1 of @angular/core. not_affected \u2014 Angular 15.0.3 is NOT AFFECTED by CVE-2026-54265. This version uses a different compiler architecture where two-way bindings desugar through the same code path as one-way bindings, both receiving identical security context resolution and sanitizer assignment. The vulnerable code (Ivy template pipeline with separate TwoWayProperty operation type) does not exist in this version." }, "affects": [ { "ref": "pkg:npm/%40angular/core@15.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:353f19d0-a93f-5fa8-8a8e-49509d57bbb0", "id": "CVE-2026-54266", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-54266 does not affect version 15.0.3-tuxcare.1 of @angular/core. not_affected \u2014 Angular v15.0.3-tuxcare.1 is NOT affected by CVE-2026-54266. The vulnerable HttpTransferCache feature with weak DJB2 hash-based cache keys does not exist in this version. This feature was introduced in Angular v16+. The target has no code path from HTTP request handling to the vulnerability's cache poisoning goal." }, "affects": [ { "ref": "pkg:npm/%40angular/core@15.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:e0fd0979-7b03-55bd-b3d2-97433fd25195", "id": "CVE-2026-54267", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-54267 affects version 15.0.3-tuxcare.1 of @angular/core." }, "affects": [ { "ref": "pkg:npm/%40angular/core@15.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:e90c590a-c0e5-5fa4-9217-e279ccb77206", "id": "CVE-2026-54268", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-54268 affects version 15.0.3-tuxcare.1 of @angular/core." }, "affects": [ { "ref": "pkg:npm/%40angular/core@15.0.3-tuxcare.1" } ] } ], "dependencies": [ { "ref": "pkg:npm/%40angular/core@15.0.3-tuxcare.1" } ] }