{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:5b3f010c-5389-52a1-ae2d-076f5e10eec8", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:npm/%40angular/elements@15.2.9-tuxcare.1", "type": "library", "name": "@angular/elements", "version": "15.2.9-tuxcare.1", "purl": "pkg:npm/%40angular/elements@15.2.9-tuxcare.1" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:9f1640be-abd8-5827-839a-7e1068ae69de", "id": "CVE-2025-66035", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-66035 is fixed in version 15.2.9-tuxcare.1 of @angular/elements." }, "affects": [ { "ref": "pkg:npm/%40angular/elements@15.2.9-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:c1d229d9-eeb9-51cf-8482-75a6c91e9cb0", "id": "CVE-2025-66412", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-66412 affects version 15.2.9-tuxcare.1 of @angular/elements." }, "affects": [ { "ref": "pkg:npm/%40angular/elements@15.2.9-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:0e4e6c44-0f43-5df3-85ee-18ddfbacb5b6", "id": "CVE-2026-22610", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22610 affects version 15.2.9-tuxcare.1 of @angular/elements." }, "affects": [ { "ref": "pkg:npm/%40angular/elements@15.2.9-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:28ffcf8f-0fb5-5026-b2c6-035b517eea62", "id": "CVE-2026-27970", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-27970 affects version 15.2.9-tuxcare.1 of @angular/elements." }, "affects": [ { "ref": "pkg:npm/%40angular/elements@15.2.9-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:97cf7f36-1b5a-5abc-a66e-be03be5ccd5a", "id": "CVE-2026-41423", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41423 does not affect version 15.2.9-tuxcare.1 of @angular/elements. not_affected \u2014 Angular 15.2.9 is not affected by CVE-2026-41423. The SSRF vulnerability via protocol-relative URLs was introduced in Angular 17.0.0 when the codebase switched from Node.js url.parse to WHATWG URL API. Angular 15.2.9 still uses the legacy Node.js url.parse which treats protocol-relative URLs ('//evil.com') as pathnames, not hostname overrides, preventing the SSRF attack vector." }, "affects": [ { "ref": "pkg:npm/%40angular/elements@15.2.9-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:d013af4e-761b-5d08-b963-ee296910e2b7", "id": "CVE-2026-46417", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-46417 affects version 15.2.9-tuxcare.1 of @angular/elements." }, "affects": [ { "ref": "pkg:npm/%40angular/elements@15.2.9-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:fd551b24-82d6-5475-b9d4-ee04985e91db", "id": "CVE-2026-50168", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50168 affects version 15.2.9-tuxcare.1 of @angular/elements." }, "affects": [ { "ref": "pkg:npm/%40angular/elements@15.2.9-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:925ba7e6-022d-58c6-8f99-fc2ae061e943", "id": "CVE-2026-50169", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50169 affects version 15.2.9-tuxcare.1 of @angular/elements." }, "affects": [ { "ref": "pkg:npm/%40angular/elements@15.2.9-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:f5bf77df-851a-52db-849f-c52f6f37bbde", "id": "CVE-2026-50170", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-50170 does not affect version 15.2.9-tuxcare.1 of @angular/elements. not_affected \u2014 no evidence captured" }, "affects": [ { "ref": "pkg:npm/%40angular/elements@15.2.9-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:e9268395-6bbc-5b7d-a188-0da82af75f3a", "id": "CVE-2026-50171", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50171 affects version 15.2.9-tuxcare.1 of @angular/elements." }, "affects": [ { "ref": "pkg:npm/%40angular/elements@15.2.9-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:8855493c-17ef-515b-8bfe-ffb8905f8013", "id": "CVE-2026-50184", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50184 affects version 15.2.9-tuxcare.1 of @angular/elements." }, "affects": [ { "ref": "pkg:npm/%40angular/elements@15.2.9-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:15830a59-7dd2-56e8-8a29-b9e0ffd4f3d3", "id": "CVE-2026-50555", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50555 affects version 15.2.9-tuxcare.1 of @angular/elements." }, "affects": [ { "ref": "pkg:npm/%40angular/elements@15.2.9-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:e2ea3389-c96f-5933-9aea-43e82bbdc542", "id": "CVE-2026-50556", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50556 affects version 15.2.9-tuxcare.1 of @angular/elements." }, "affects": [ { "ref": "pkg:npm/%40angular/elements@15.2.9-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:a245060c-0296-59d7-a3f8-7308ad25bb72", "id": "CVE-2026-50557", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50557 affects version 15.2.9-tuxcare.1 of @angular/elements." }, "affects": [ { "ref": "pkg:npm/%40angular/elements@15.2.9-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:db8bddf6-cf93-5a37-83c1-fafbe8df7f87", "id": "CVE-2026-52725", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-52725 affects version 15.2.9-tuxcare.1 of @angular/elements." }, "affects": [ { "ref": "pkg:npm/%40angular/elements@15.2.9-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:69397824-c893-5588-af29-3c9601379f62", "id": "CVE-2026-54264", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-54264 affects version 15.2.9-tuxcare.1 of @angular/elements." }, "affects": [ { "ref": "pkg:npm/%40angular/elements@15.2.9-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:2b473b22-f25a-5e81-87d1-c25a579f12d8", "id": "CVE-2026-54265", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-54265 does not affect version 15.2.9-tuxcare.1 of @angular/elements. not_affected \u2014 Angular 15.2.9-tuxcare.1 is not affected by CVE-2026-54265. The vulnerability requires the new Ivy compiler 'pipeline' architecture with the TwoWayProperty IR operation, which was introduced in Angular 16+. Angular 15.2.9 uses the older compiler architecture where two-way bindings are desugared into separate property and event bindings, causing them to automatically receive the same sanitizatio..." }, "affects": [ { "ref": "pkg:npm/%40angular/elements@15.2.9-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:5c6a675c-cf37-53c7-9440-e1e958407066", "id": "CVE-2026-54266", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-54266 does not affect version 15.2.9-tuxcare.1 of @angular/elements. not_affected \u2014 Angular 15.2.9 is not affected by CVE-2026-54266. The vulnerable HttpTransferCache feature does not exist in this version - it was introduced in Angular v16+. Without this feature, there is no code that hashes HTTP request properties for cache key generation, so the hash collision vulnerability cannot manifest." }, "affects": [ { "ref": "pkg:npm/%40angular/elements@15.2.9-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:8419ac8e-f281-5a05-9c27-c0721c55191f", "id": "CVE-2026-54267", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-54267 affects version 15.2.9-tuxcare.1 of @angular/elements." }, "affects": [ { "ref": "pkg:npm/%40angular/elements@15.2.9-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:57bdddf4-478d-5d79-b999-fbf96de3767d", "id": "CVE-2026-54268", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-54268 affects version 15.2.9-tuxcare.1 of @angular/elements." }, "affects": [ { "ref": "pkg:npm/%40angular/elements@15.2.9-tuxcare.1" } ] } ], "dependencies": [ { "ref": "pkg:npm/%40angular/elements@15.2.9-tuxcare.1" } ] }