{
  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "serialNumber": "urn:uuid:bb98a8eb-09c7-5c19-810d-127aa0435a50",
  "version": 1,
  "metadata": {
    "tools": [
      {
        "name": "tuxcare-vex-generator",
        "version": "1.0.0"
      }
    ]
  },
  "components": [
    {
      "bom-ref": "pkg:npm/%40angular/create@19.2.25",
      "type": "library",
      "name": "@angular/create",
      "version": "19.2.25",
      "purl": "pkg:npm/%40angular/create@19.2.25"
    }
  ],
  "vulnerabilities": [
    {
      "bom-ref": "urn:uuid:ee5e1ba7-4837-5145-8654-dfa1cf59fada",
      "id": "CVE-2026-27738",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2026-27738 does not affect version 19.2.25 of @angular/create. Reason: already_fixed \u2014 CVE-2026-27738 (Angular SSR Open Redirect) has been fixed in the target repository. The fix was applied in commit 288e22816 (v19.2.21) and subsequently improved in commit 02ce8bf26 (between v19.2.21 and v19.2.25). The current version 19.2.25-tuxcare.1 contains both defense layers: strict input validation for X-Forwarded-Prefix headers and safe URL construction in joinUrlParts()."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/create@19.2.25"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:da725854-0da1-52ed-a5ec-76571f9e7daf",
      "id": "CVE-2026-27739",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2026-27739 does not affect version 19.2.25 of @angular/create. Reason: already_fixed \u2014 The target repository (angular-cli version 19.2.25-tuxcare.1) already contains the fix for CVE-2026-27739 (header-based SSRF vulnerability). The fix was applied via commit 2a72d7483 on February 23, 2026, which introduced strict validation for Host, X-Forwarded-Host, X-Forwarded-Proto, and X-Forwarded-Port headers in the Angular SSR request handling pipeline."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/create@19.2.25"
        }
      ]
    }
  ],
  "dependencies": [
    {
      "ref": "pkg:npm/%40angular/create@19.2.25"
    }
  ]
}