{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:fe8a9973-48ee-548d-b952-32f7d4f8ba87", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:npm/%40angular/core@15.2.9", "type": "library", "name": "@angular/core", "version": "15.2.9", "purl": "pkg:npm/%40angular/core@15.2.9" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:940c4c78-aa86-59f0-b093-2ba839503898", "id": "CVE-2025-66412", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-66412 affects version 15.2.9 of @angular/core." }, "affects": [ { "ref": "pkg:npm/%40angular/core@15.2.9" } ] }, { "bom-ref": "urn:uuid:24dd7632-b75a-59c3-9dfc-a173b98a96d2", "id": "CVE-2026-22610", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22610 affects version 15.2.9 of @angular/core." }, "affects": [ { "ref": "pkg:npm/%40angular/core@15.2.9" } ] }, { "bom-ref": "urn:uuid:e3b97e56-3374-5bab-8b0d-9f21ace3a104", "id": "CVE-2026-27970", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-27970 affects version 15.2.9 of @angular/core." }, "affects": [ { "ref": "pkg:npm/%40angular/core@15.2.9" } ] }, { "bom-ref": "urn:uuid:3979512d-2044-5a4f-a61d-f4cff2aa6f30", "id": "CVE-2026-41423", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41423 does not affect version 15.2.9 of @angular/core. not_affected \u2014 Angular 15.2.9 is not affected by CVE-2026-41423. The SSRF vulnerability via protocol-relative URLs was introduced in Angular 17.0.0 when the codebase switched from Node.js url.parse to WHATWG URL API. Angular 15.2.9 still uses the legacy Node.js url.parse which treats protocol-relative URLs ('//evil.com') as pathnames, not hostname overrides, preventing the SSRF attack vector." }, "affects": [ { "ref": "pkg:npm/%40angular/core@15.2.9" } ] }, { "bom-ref": "urn:uuid:b68ad068-70f3-53e3-981a-a3b2418c7312", "id": "CVE-2026-46417", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-46417 affects version 15.2.9 of @angular/core." }, "affects": [ { "ref": "pkg:npm/%40angular/core@15.2.9" } ] }, { "bom-ref": "urn:uuid:36eaef21-4b79-5d24-8c67-6b8fa353333c", "id": "CVE-2026-50168", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50168 affects version 15.2.9 of @angular/core." }, "affects": [ { "ref": "pkg:npm/%40angular/core@15.2.9" } ] }, { "bom-ref": "urn:uuid:4fa7e9bc-b9e7-5378-b264-859f1ef30fd2", "id": "CVE-2026-50169", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50169 affects version 15.2.9 of @angular/core." }, "affects": [ { "ref": "pkg:npm/%40angular/core@15.2.9" } ] }, { "bom-ref": "urn:uuid:83888496-f94e-57d1-8503-ac6dccd2efb5", "id": "CVE-2026-50170", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-50170 does not affect version 15.2.9 of @angular/core. not_affected \u2014 no evidence captured" }, "affects": [ { "ref": "pkg:npm/%40angular/core@15.2.9" } ] }, { "bom-ref": "urn:uuid:f5584646-8497-543f-bda9-c2516a4d0fdd", "id": "CVE-2026-50171", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50171 affects version 15.2.9 of @angular/core." }, "affects": [ { "ref": "pkg:npm/%40angular/core@15.2.9" } ] }, { "bom-ref": "urn:uuid:6b5c7767-7a36-5ce6-bf06-40f5e4e2c8af", "id": "CVE-2026-50184", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50184 affects version 15.2.9 of @angular/core." }, "affects": [ { "ref": "pkg:npm/%40angular/core@15.2.9" } ] }, { "bom-ref": "urn:uuid:df084cb4-5e81-51e5-8c2a-994df4a24e66", "id": "CVE-2026-50555", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50555 affects version 15.2.9 of @angular/core." }, "affects": [ { "ref": "pkg:npm/%40angular/core@15.2.9" } ] }, { "bom-ref": "urn:uuid:22e96676-c516-5b4c-a948-2137a0e30a05", "id": "CVE-2026-50556", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50556 affects version 15.2.9 of @angular/core." }, "affects": [ { "ref": "pkg:npm/%40angular/core@15.2.9" } ] }, { "bom-ref": "urn:uuid:5d62e1d9-6c93-5439-b5c7-5f28560ad6cc", "id": "CVE-2026-50557", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50557 affects version 15.2.9 of @angular/core." }, "affects": [ { "ref": "pkg:npm/%40angular/core@15.2.9" } ] }, { "bom-ref": "urn:uuid:d73bf5d3-31bb-501f-9813-a5c16778b098", "id": "CVE-2026-52725", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-52725 affects version 15.2.9 of @angular/core." }, "affects": [ { "ref": "pkg:npm/%40angular/core@15.2.9" } ] }, { "bom-ref": "urn:uuid:ccc2fd7a-cade-5b48-a07d-859bdd59dadc", "id": "CVE-2026-54264", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-54264 affects version 15.2.9 of @angular/core." }, "affects": [ { "ref": "pkg:npm/%40angular/core@15.2.9" } ] }, { "bom-ref": "urn:uuid:567c38f7-07c3-5766-a3c0-aaa43c775208", "id": "CVE-2026-54265", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-54265 does not affect version 15.2.9 of @angular/core. not_affected \u2014 Angular 15.2.9-tuxcare.1 is not affected by CVE-2026-54265. The vulnerability requires the new Ivy compiler 'pipeline' architecture with the TwoWayProperty IR operation, which was introduced in Angular 16+. Angular 15.2.9 uses the older compiler architecture where two-way bindings are desugared into separate property and event bindings, causing them to automatically receive the same sanitizatio..." }, "affects": [ { "ref": "pkg:npm/%40angular/core@15.2.9" } ] }, { "bom-ref": "urn:uuid:4a6b77f4-840a-5b74-a2d8-e3bce5055e44", "id": "CVE-2026-54266", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-54266 does not affect version 15.2.9 of @angular/core. not_affected \u2014 Angular 15.2.9 is not affected by CVE-2026-54266. The vulnerable HttpTransferCache feature does not exist in this version - it was introduced in Angular v16+. Without this feature, there is no code that hashes HTTP request properties for cache key generation, so the hash collision vulnerability cannot manifest." }, "affects": [ { "ref": "pkg:npm/%40angular/core@15.2.9" } ] }, { "bom-ref": "urn:uuid:04121495-5388-53bf-ae59-5f079c965882", "id": "CVE-2026-54267", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-54267 affects version 15.2.9 of @angular/core." }, "affects": [ { "ref": "pkg:npm/%40angular/core@15.2.9" } ] }, { "bom-ref": "urn:uuid:683199c1-986e-52fa-80a2-dbfaad36eb08", "id": "CVE-2026-54268", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-54268 affects version 15.2.9 of @angular/core." }, "affects": [ { "ref": "pkg:npm/%40angular/core@15.2.9" } ] } ], "dependencies": [ { "ref": "pkg:npm/%40angular/core@15.2.9" } ] }