{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:0675ecfd-39a2-501b-8990-968f714bc525", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:npm/%40angular/elements@14.2.8-tuxcare.1", "type": "library", "name": "@angular/elements", "version": "14.2.8-tuxcare.1", "purl": "pkg:npm/%40angular/elements@14.2.8-tuxcare.1" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:1c08acd0-c883-528e-b389-fdaa3e1e42b0", "id": "CVE-2025-66035", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-66035 is fixed in version 14.2.8-tuxcare.1 of @angular/elements." }, "affects": [ { "ref": "pkg:npm/%40angular/elements@14.2.8-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:cef71dd8-01a2-582f-b866-4f2f6b778a66", "id": "CVE-2025-66412", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-66412 affects version 14.2.8-tuxcare.1 of @angular/elements." }, "affects": [ { "ref": "pkg:npm/%40angular/elements@14.2.8-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:5273f1dc-41ad-5628-826c-353c2e1e0f5d", "id": "CVE-2026-22610", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22610 affects version 14.2.8-tuxcare.1 of @angular/elements." }, "affects": [ { "ref": "pkg:npm/%40angular/elements@14.2.8-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:704fe577-4c2e-572e-8eef-2079ba6554a5", "id": "CVE-2026-27970", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-27970 affects version 14.2.8-tuxcare.1 of @angular/elements." }, "affects": [ { "ref": "pkg:npm/%40angular/elements@14.2.8-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:15b58b8b-6a7b-51f5-ba17-fee6a6612080", "id": "CVE-2026-41423", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41423 does not affect version 14.2.8-tuxcare.1 of @angular/elements. not_affected \u2014 The target repository (Angular 14.2.8-tuxcare.1) is NOT affected by CVE-2026-41423. While the vulnerability pattern exists in newer Angular versions that use the WHATWG URL constructor, the target uses Node.js's legacy url.parse() API which does not interpret protocol-relative URLs (//evil.com) or backslash-prefixed URLs (/\\evil.com) as hostname overrides. This architectural difference prevents..." }, "affects": [ { "ref": "pkg:npm/%40angular/elements@14.2.8-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:0f6cecfe-2446-5caa-a6df-a6a1d0f52aa9", "id": "CVE-2026-46417", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-46417 affects version 14.2.8-tuxcare.1 of @angular/elements." }, "affects": [ { "ref": "pkg:npm/%40angular/elements@14.2.8-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:051d947f-f38f-5f8b-b532-6af05f3cd66f", "id": "CVE-2026-50168", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50168 affects version 14.2.8-tuxcare.1 of @angular/elements." }, "affects": [ { "ref": "pkg:npm/%40angular/elements@14.2.8-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:8e8ae07e-65cf-565f-b547-f90cb7f37673", "id": "CVE-2026-50169", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50169 affects version 14.2.8-tuxcare.1 of @angular/elements." }, "affects": [ { "ref": "pkg:npm/%40angular/elements@14.2.8-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:f914da8d-5dfd-570c-a693-c47b222f3e91", "id": "CVE-2026-50170", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-50170 does not affect version 14.2.8-tuxcare.1 of @angular/elements. not_affected \u2014 Angular v14.2.8-tuxcare.1 is not affected by CVE-2026-50170. The HTTP Transfer Cache feature, which is the vulnerable component, does not exist in this version. This feature was introduced in Angular v16+. The target repository lacks the transfer_cache.ts file and all related functionality (provideClientHydration, withHttpTransferCache, transferCacheInterceptorFn, hasAuthHeaders, shouldCacheReq..." }, "affects": [ { "ref": "pkg:npm/%40angular/elements@14.2.8-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:63b74822-87a7-5ea8-bc6c-c987290fde62", "id": "CVE-2026-50171", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50171 affects version 14.2.8-tuxcare.1 of @angular/elements." }, "affects": [ { "ref": "pkg:npm/%40angular/elements@14.2.8-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:e2c6882d-45dc-5767-bbe8-4ffa69ff0001", "id": "CVE-2026-50184", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50184 affects version 14.2.8-tuxcare.1 of @angular/elements." }, "affects": [ { "ref": "pkg:npm/%40angular/elements@14.2.8-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:0825efda-402e-58e9-802a-0b5c2c058207", "id": "CVE-2026-50555", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50555 affects version 14.2.8-tuxcare.1 of @angular/elements." }, "affects": [ { "ref": "pkg:npm/%40angular/elements@14.2.8-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:f38b61de-e8f6-5f11-b822-b3abbe0b5e5a", "id": "CVE-2026-50556", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50556 affects version 14.2.8-tuxcare.1 of @angular/elements." }, "affects": [ { "ref": "pkg:npm/%40angular/elements@14.2.8-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:f6c5efa5-46d6-5bd1-8261-6f86491858c5", "id": "CVE-2026-50557", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50557 affects version 14.2.8-tuxcare.1 of @angular/elements." }, "affects": [ { "ref": "pkg:npm/%40angular/elements@14.2.8-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:153385e4-8ee1-5812-afb9-96a4fb1c09e4", "id": "CVE-2026-52725", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-52725 affects version 14.2.8-tuxcare.1 of @angular/elements." }, "affects": [ { "ref": "pkg:npm/%40angular/elements@14.2.8-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:99ba2d12-8aa0-55ac-8c06-eb2a26b0dfef", "id": "CVE-2026-54264", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-54264 affects version 14.2.8-tuxcare.1 of @angular/elements." }, "affects": [ { "ref": "pkg:npm/%40angular/elements@14.2.8-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:4fdb8933-ae2a-5b2a-8885-26e733aa42db", "id": "CVE-2026-54265", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-54265 does not affect version 14.2.8-tuxcare.1 of @angular/elements. not_affected \u2014 Angular 14.2.8 uses the render3 compiler architecture where two-way bindings are desugared to one-way property bindings before sanitization logic runs, automatically inheriting the same sanitizers. The upstream vulnerability is specific to the template pipeline architecture with TwoWayProperty operations, which does not exist in this version." }, "affects": [ { "ref": "pkg:npm/%40angular/elements@14.2.8-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:9e31cb4b-dba6-54eb-a185-a1187ea5cdca", "id": "CVE-2026-54266", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-54266 does not affect version 14.2.8-tuxcare.1 of @angular/elements. not_affected \u2014 Angular 14.2.8 is not affected by CVE-2026-54266. The HttpTransferCache feature containing the vulnerable weak hash function was introduced in Angular 16+, and does not exist in this version." }, "affects": [ { "ref": "pkg:npm/%40angular/elements@14.2.8-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:9ab810c7-0d2a-5415-a1ad-4b1f747640b8", "id": "CVE-2026-54267", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-54267 affects version 14.2.8-tuxcare.1 of @angular/elements." }, "affects": [ { "ref": "pkg:npm/%40angular/elements@14.2.8-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:f2614d98-0787-5f4b-9c1d-bcd48923be8e", "id": "CVE-2026-54268", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-54268 affects version 14.2.8-tuxcare.1 of @angular/elements." }, "affects": [ { "ref": "pkg:npm/%40angular/elements@14.2.8-tuxcare.1" } ] } ], "dependencies": [ { "ref": "pkg:npm/%40angular/elements@14.2.8-tuxcare.1" } ] }