{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:29df362d-4f95-5b7d-8cd6-f674576708f7", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:npm/%40angular/elements@15.2.9", "type": "library", "name": "@angular/elements", "version": "15.2.9", "purl": "pkg:npm/%40angular/elements@15.2.9" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:0aec390b-a1d1-5ffa-9549-978744e93638", "id": "CVE-2025-66412", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-66412 affects version 15.2.9 of @angular/elements." }, "affects": [ { "ref": "pkg:npm/%40angular/elements@15.2.9" } ] }, { "bom-ref": "urn:uuid:574470c3-8f84-5703-a246-5824be6ecc0e", "id": "CVE-2026-22610", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22610 affects version 15.2.9 of @angular/elements." }, "affects": [ { "ref": "pkg:npm/%40angular/elements@15.2.9" } ] }, { "bom-ref": "urn:uuid:0d4769a1-ab80-5851-a466-0b8232c3850d", "id": "CVE-2026-27970", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-27970 affects version 15.2.9 of @angular/elements." }, "affects": [ { "ref": "pkg:npm/%40angular/elements@15.2.9" } ] }, { "bom-ref": "urn:uuid:22ae5bb5-b777-5362-ac3e-59f7bf88cea9", "id": "CVE-2026-41423", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41423 does not affect version 15.2.9 of @angular/elements. not_affected \u2014 Angular 15.2.9 is not affected by CVE-2026-41423. The SSRF vulnerability via protocol-relative URLs was introduced in Angular 17.0.0 when the codebase switched from Node.js url.parse to WHATWG URL API. Angular 15.2.9 still uses the legacy Node.js url.parse which treats protocol-relative URLs ('//evil.com') as pathnames, not hostname overrides, preventing the SSRF attack vector." }, "affects": [ { "ref": "pkg:npm/%40angular/elements@15.2.9" } ] }, { "bom-ref": "urn:uuid:98347afa-86f3-5e26-a1ef-b4d6712249e6", "id": "CVE-2026-46417", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-46417 affects version 15.2.9 of @angular/elements." }, "affects": [ { "ref": "pkg:npm/%40angular/elements@15.2.9" } ] }, { "bom-ref": "urn:uuid:3e6d349a-38cf-50f9-8947-76cc01b2e517", "id": "CVE-2026-50168", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50168 affects version 15.2.9 of @angular/elements." }, "affects": [ { "ref": "pkg:npm/%40angular/elements@15.2.9" } ] }, { "bom-ref": "urn:uuid:f48c2e99-7064-5cf7-84e2-f68faebb1d3c", "id": "CVE-2026-50169", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50169 affects version 15.2.9 of @angular/elements." }, "affects": [ { "ref": "pkg:npm/%40angular/elements@15.2.9" } ] }, { "bom-ref": "urn:uuid:0af4a5c2-dfde-5946-8e8d-22bb80068a52", "id": "CVE-2026-50170", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-50170 does not affect version 15.2.9 of @angular/elements. not_affected \u2014 no evidence captured" }, "affects": [ { "ref": "pkg:npm/%40angular/elements@15.2.9" } ] }, { "bom-ref": "urn:uuid:ec11f6e6-aa4c-5799-a3e1-666fb3f43421", "id": "CVE-2026-50171", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50171 affects version 15.2.9 of @angular/elements." }, "affects": [ { "ref": "pkg:npm/%40angular/elements@15.2.9" } ] }, { "bom-ref": "urn:uuid:5f3b444f-6ffd-534a-a82b-f1b7825e0a2a", "id": "CVE-2026-50184", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50184 affects version 15.2.9 of @angular/elements." }, "affects": [ { "ref": "pkg:npm/%40angular/elements@15.2.9" } ] }, { "bom-ref": "urn:uuid:bc762612-c3ff-5e14-a989-a61625ba8006", "id": "CVE-2026-50555", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50555 affects version 15.2.9 of @angular/elements." }, "affects": [ { "ref": "pkg:npm/%40angular/elements@15.2.9" } ] }, { "bom-ref": "urn:uuid:9eb77339-d3c1-5763-9de8-d1e848496364", "id": "CVE-2026-50556", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50556 affects version 15.2.9 of @angular/elements." }, "affects": [ { "ref": "pkg:npm/%40angular/elements@15.2.9" } ] }, { "bom-ref": "urn:uuid:bf0595de-7889-5a1c-965e-55580ac792e4", "id": "CVE-2026-50557", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50557 affects version 15.2.9 of @angular/elements." }, "affects": [ { "ref": "pkg:npm/%40angular/elements@15.2.9" } ] }, { "bom-ref": "urn:uuid:4ebef303-31cb-5274-8642-ea3d8a99ee40", "id": "CVE-2026-52725", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-52725 affects version 15.2.9 of @angular/elements." }, "affects": [ { "ref": "pkg:npm/%40angular/elements@15.2.9" } ] }, { "bom-ref": "urn:uuid:c4de42e8-b897-58b2-8961-78268c8c1ea7", "id": "CVE-2026-54264", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-54264 affects version 15.2.9 of @angular/elements." }, "affects": [ { "ref": "pkg:npm/%40angular/elements@15.2.9" } ] }, { "bom-ref": "urn:uuid:f5bc3737-806d-50a3-a065-c8c0e5184a0d", "id": "CVE-2026-54265", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-54265 does not affect version 15.2.9 of @angular/elements. not_affected \u2014 Angular 15.2.9-tuxcare.1 is not affected by CVE-2026-54265. The vulnerability requires the new Ivy compiler 'pipeline' architecture with the TwoWayProperty IR operation, which was introduced in Angular 16+. Angular 15.2.9 uses the older compiler architecture where two-way bindings are desugared into separate property and event bindings, causing them to automatically receive the same sanitizatio..." }, "affects": [ { "ref": "pkg:npm/%40angular/elements@15.2.9" } ] }, { "bom-ref": "urn:uuid:906d9d30-b445-5520-a499-7aec5a2603af", "id": "CVE-2026-54266", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-54266 does not affect version 15.2.9 of @angular/elements. not_affected \u2014 Angular 15.2.9 is not affected by CVE-2026-54266. The vulnerable HttpTransferCache feature does not exist in this version - it was introduced in Angular v16+. Without this feature, there is no code that hashes HTTP request properties for cache key generation, so the hash collision vulnerability cannot manifest." }, "affects": [ { "ref": "pkg:npm/%40angular/elements@15.2.9" } ] }, { "bom-ref": "urn:uuid:3c41b7ad-abe4-579f-9f92-fda9d076aae1", "id": "CVE-2026-54267", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-54267 affects version 15.2.9 of @angular/elements." }, "affects": [ { "ref": "pkg:npm/%40angular/elements@15.2.9" } ] }, { "bom-ref": "urn:uuid:5424e7e5-a9e7-5595-b003-0116778567f7", "id": "CVE-2026-54268", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-54268 affects version 15.2.9 of @angular/elements." }, "affects": [ { "ref": "pkg:npm/%40angular/elements@15.2.9" } ] } ], "dependencies": [ { "ref": "pkg:npm/%40angular/elements@15.2.9" } ] }