{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:e60d4c92-e19a-5704-b8f4-de813498516a", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:npm/%40angular/elements@12.2.16", "type": "library", "name": "@angular/elements", "version": "12.2.16", "purl": "pkg:npm/%40angular/elements@12.2.16" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:1f2c39bc-0623-5094-8284-12e0fe9dda42", "id": "CVE-2026-22610", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22610 affects version 12.2.16 of @angular/elements." }, "affects": [ { "ref": "pkg:npm/%40angular/elements@12.2.16" } ] }, { "bom-ref": "urn:uuid:f18687e3-6dff-55ed-813c-c31d3a5cf10e", "id": "CVE-2026-27970", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-27970 affects version 12.2.16 of @angular/elements." }, "affects": [ { "ref": "pkg:npm/%40angular/elements@12.2.16" } ] }, { "bom-ref": "urn:uuid:3ffccce1-c8ee-574a-8ab5-d0bedd21e7b1", "id": "CVE-2026-41423", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41423 affects version 12.2.16 of @angular/elements." }, "affects": [ { "ref": "pkg:npm/%40angular/elements@12.2.16" } ] }, { "bom-ref": "urn:uuid:317abcd5-1d19-57c0-962d-262c855c4f52", "id": "CVE-2026-46417", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-46417 affects version 12.2.16 of @angular/elements." }, "affects": [ { "ref": "pkg:npm/%40angular/elements@12.2.16" } ] }, { "bom-ref": "urn:uuid:20e882f4-eb91-5dcd-aed6-7aff9bb88c79", "id": "CVE-2026-50168", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50168 affects version 12.2.16 of @angular/elements." }, "affects": [ { "ref": "pkg:npm/%40angular/elements@12.2.16" } ] }, { "bom-ref": "urn:uuid:6c42dc16-d033-512c-87f1-c83cdd1a2b60", "id": "CVE-2026-50169", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50169 affects version 12.2.16 of @angular/elements." }, "affects": [ { "ref": "pkg:npm/%40angular/elements@12.2.16" } ] }, { "bom-ref": "urn:uuid:7b1a9693-7510-541a-85ed-21adf6edde7d", "id": "CVE-2026-50170", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-50170 does not affect version 12.2.16 of @angular/elements. not_affected \u2014 Angular v12.2.16-tuxcare.2 is NOT affected by CVE-2026-50170. The vulnerability concerns the HttpTransferCache feature that caches credentialed HTTP responses during server-side rendering (SSR) and replays them during client hydration. This feature was introduced in Angular v16 and does not exist in v12.2.16. The target repository lacks the transfer_cache.ts file, HttpTransferCache class, trans..." }, "affects": [ { "ref": "pkg:npm/%40angular/elements@12.2.16" } ] }, { "bom-ref": "urn:uuid:d0c7371d-ea1c-5e66-b1b7-881c7388794b", "id": "CVE-2026-50171", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50171 affects version 12.2.16 of @angular/elements." }, "affects": [ { "ref": "pkg:npm/%40angular/elements@12.2.16" } ] }, { "bom-ref": "urn:uuid:f02d4d7e-186f-5fce-b210-9aea0abc8752", "id": "CVE-2026-50184", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50184 affects version 12.2.16 of @angular/elements." }, "affects": [ { "ref": "pkg:npm/%40angular/elements@12.2.16" } ] }, { "bom-ref": "urn:uuid:951692b5-bfc2-5d86-8008-29e6ac367778", "id": "CVE-2026-50555", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50555 affects version 12.2.16 of @angular/elements." }, "affects": [ { "ref": "pkg:npm/%40angular/elements@12.2.16" } ] }, { "bom-ref": "urn:uuid:21cb1b69-ca32-5a87-8e30-c6f3a9571661", "id": "CVE-2026-50556", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50556 affects version 12.2.16 of @angular/elements." }, "affects": [ { "ref": "pkg:npm/%40angular/elements@12.2.16" } ] }, { "bom-ref": "urn:uuid:80d162ff-52a6-5b4e-b3ee-3d689b87ead7", "id": "CVE-2026-50557", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50557 affects version 12.2.16 of @angular/elements." }, "affects": [ { "ref": "pkg:npm/%40angular/elements@12.2.16" } ] }, { "bom-ref": "urn:uuid:80fb0212-449c-57ae-aa68-6d1f2b655988", "id": "CVE-2026-52725", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-52725 affects version 12.2.16 of @angular/elements." }, "affects": [ { "ref": "pkg:npm/%40angular/elements@12.2.16" } ] }, { "bom-ref": "urn:uuid:e12eec6a-b655-5181-920c-a0d5f297a511", "id": "CVE-2026-54264", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-54264 does not affect version 12.2.16 of @angular/elements. not_affected \u2014 Angular 12.2.16-tuxcare.2 is NOT affected by CVE-2026-54264. The vulnerable code pattern does not exist in this version. The service worker creates fresh requests using only the redirect URL without copying any headers from the original request, preventing credential leakage to third-party origins on cross-origin redirects." }, "affects": [ { "ref": "pkg:npm/%40angular/elements@12.2.16" } ] }, { "bom-ref": "urn:uuid:0028e3a3-07b8-569f-a750-fcd2d6d56995", "id": "CVE-2026-54265", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-54265 does not affect version 12.2.16 of @angular/elements. not_affected \u2014 Angular 12.2.16 is not affected by CVE-2026-54265. The vulnerability exists in Angular's modern template pipeline compiler architecture (introduced in Angular 16+) where TwoWayProperty IR operations bypassed sanitizer resolution. Angular 12.2.16 uses the older architecture where two-way bindings are desugared into separate property and event bindings, and the property binding inherently goes th..." }, "affects": [ { "ref": "pkg:npm/%40angular/elements@12.2.16" } ] }, { "bom-ref": "urn:uuid:b8c904cb-fe3a-5ef2-8abb-17f9206e9e31", "id": "CVE-2026-54266", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-54266 does not affect version 12.2.16 of @angular/elements. not_affected \u2014 Angular 12.2.16-tuxcare.2 does not contain the vulnerable HttpTransferCache feature. The feature was introduced in Angular 16.0.0 (March 31, 2023), several major versions after this release. Without HttpTransferCache, the attack chain from HTTP request properties to hash-based cache key generation to cache poisoning cannot occur." }, "affects": [ { "ref": "pkg:npm/%40angular/elements@12.2.16" } ] }, { "bom-ref": "urn:uuid:bca9abae-828d-58aa-9c23-fcada6ff7ce8", "id": "CVE-2026-54267", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-54267 affects version 12.2.16 of @angular/elements." }, "affects": [ { "ref": "pkg:npm/%40angular/elements@12.2.16" } ] }, { "bom-ref": "urn:uuid:3227c3d9-4313-5739-8f80-a71da5b1dced", "id": "CVE-2026-54268", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-54268 affects version 12.2.16 of @angular/elements." }, "affects": [ { "ref": "pkg:npm/%40angular/elements@12.2.16" } ] } ], "dependencies": [ { "ref": "pkg:npm/%40angular/elements@12.2.16" } ] }