{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:00da1238-78e4-5478-aaaa-0356d44e20d1", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:npm/%40angular/forms@11.2.11-tuxcare.2", "type": "library", "name": "@angular/forms", "version": "11.2.11-tuxcare.2", "purl": "pkg:npm/%40angular/forms@11.2.11-tuxcare.2" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:1ab70f02-cf88-5aed-b909-f8d78af06279", "id": "CVE-2025-66035", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-66035 is fixed in version 11.2.11-tuxcare.2 of @angular/forms." }, "affects": [ { "ref": "pkg:npm/%40angular/forms@11.2.11-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:5a00ec7b-810a-59f8-a85b-7d15085e7b6e", "id": "CVE-2025-66412", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-66412 is fixed in version 11.2.11-tuxcare.2 of @angular/forms." }, "affects": [ { "ref": "pkg:npm/%40angular/forms@11.2.11-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:264d2a2e-7969-5b24-a914-82d448c547b8", "id": "CVE-2026-22610", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22610 affects version 11.2.11-tuxcare.2 of @angular/forms." }, "affects": [ { "ref": "pkg:npm/%40angular/forms@11.2.11-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:f75a0aca-1bd7-5945-8c3e-1316e6402518", "id": "CVE-2026-27970", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-27970 affects version 11.2.11-tuxcare.2 of @angular/forms." }, "affects": [ { "ref": "pkg:npm/%40angular/forms@11.2.11-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:8ecc3993-5e82-516b-930f-bbb90ebba4f7", "id": "CVE-2026-41423", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41423 affects version 11.2.11-tuxcare.2 of @angular/forms." }, "affects": [ { "ref": "pkg:npm/%40angular/forms@11.2.11-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:8c11e640-5423-50e4-9577-d03170677af8", "id": "CVE-2026-46417", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-46417 affects version 11.2.11-tuxcare.2 of @angular/forms." }, "affects": [ { "ref": "pkg:npm/%40angular/forms@11.2.11-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:5d6a876d-2154-5523-92ec-a2d86e23d3b1", "id": "CVE-2026-50168", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50168 affects version 11.2.11-tuxcare.2 of @angular/forms." }, "affects": [ { "ref": "pkg:npm/%40angular/forms@11.2.11-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:5b350472-e739-5c8d-b6fb-e903dc93b65e", "id": "CVE-2026-50169", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50169 affects version 11.2.11-tuxcare.2 of @angular/forms." }, "affects": [ { "ref": "pkg:npm/%40angular/forms@11.2.11-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:76b209b9-75c6-578a-9822-5c7861b1b24b", "id": "CVE-2026-50170", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-50170 does not affect version 11.2.11-tuxcare.2 of @angular/forms. not_affected \u2014 Angular v11.2.11 is NOT AFFECTED by CVE-2026-50170. The vulnerability affects the HTTP transfer cache feature introduced in Angular v16+, which automatically caches HTTP responses during SSR and replays them during client hydration. This feature does not exist in v11.2.11. The target lacks the entire transfer_cache.ts module, withHttpTransferCache API, transferCacheInterceptorFn, and client hyd..." }, "affects": [ { "ref": "pkg:npm/%40angular/forms@11.2.11-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:58190f04-6b32-58ac-bd08-2fc096f9fa33", "id": "CVE-2026-50171", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50171 affects version 11.2.11-tuxcare.2 of @angular/forms." }, "affects": [ { "ref": "pkg:npm/%40angular/forms@11.2.11-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:5b0f439e-29fc-5a12-98d0-314f43d0ab8b", "id": "CVE-2026-50184", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50184 affects version 11.2.11-tuxcare.2 of @angular/forms." }, "affects": [ { "ref": "pkg:npm/%40angular/forms@11.2.11-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:5878ea80-b801-5c27-a305-65560a031e25", "id": "CVE-2026-50555", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50555 affects version 11.2.11-tuxcare.2 of @angular/forms." }, "affects": [ { "ref": "pkg:npm/%40angular/forms@11.2.11-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:7d6f6b02-f6a2-5f72-a7a3-d3bacedda4f1", "id": "CVE-2026-50556", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50556 affects version 11.2.11-tuxcare.2 of @angular/forms." }, "affects": [ { "ref": "pkg:npm/%40angular/forms@11.2.11-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:085d7976-b841-523b-b5c1-3dcf6ca51942", "id": "CVE-2026-50557", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50557 affects version 11.2.11-tuxcare.2 of @angular/forms." }, "affects": [ { "ref": "pkg:npm/%40angular/forms@11.2.11-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:362e99d1-e357-594e-a3f0-a6c2a3d408db", "id": "CVE-2026-52725", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-52725 affects version 11.2.11-tuxcare.2 of @angular/forms." }, "affects": [ { "ref": "pkg:npm/%40angular/forms@11.2.11-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:bf67bb4d-543e-549a-92ac-b2b4bd73e291", "id": "CVE-2026-54264", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-54264 does not affect version 11.2.11-tuxcare.2 of @angular/forms. not_affected \u2014 Angular 11.2.11-tuxcare.2 is NOT AFFECTED by CVE-2026-54264. The service worker in this version does not forward request headers during asset reconstruction, eliminating the cross-origin credential leak vulnerability. The vulnerable method `newRequestWithMetadata` that copies headers from the original request does not exist in this version." }, "affects": [ { "ref": "pkg:npm/%40angular/forms@11.2.11-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:4e8304b0-2659-52ed-8c0c-2ec071c53af6", "id": "CVE-2026-54265", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-54265 does not affect version 11.2.11-tuxcare.2 of @angular/forms. not_affected \u2014 Angular 11.2.11 is not affected by CVE-2026-54265. The vulnerability targets the new Ivy compiler's TwoWayProperty operation in the template compilation pipeline, which does not exist in Angular 11.2.11. In this version, two-way bindings desugar through the same sanitization-aware parsePropertyBinding code path as one-way bindings, ensuring security-sensitive properties are properly sanitized." }, "affects": [ { "ref": "pkg:npm/%40angular/forms@11.2.11-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:1970e017-2421-58e4-b999-7c457c478ae3", "id": "CVE-2026-54266", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-54266 does not affect version 11.2.11-tuxcare.2 of @angular/forms. not_affected \u2014 Angular version 11.2.11 is not affected by CVE-2026-54266. The vulnerable HttpTransferCache feature with weak DJB2 hash-based cache key generation does not exist in this version. This feature was introduced in Angular v16, and version 11.2.11 predates it entirely." }, "affects": [ { "ref": "pkg:npm/%40angular/forms@11.2.11-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:4cb37887-4550-52bb-9254-37b427deb0f6", "id": "CVE-2026-54267", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-54267 affects version 11.2.11-tuxcare.2 of @angular/forms." }, "affects": [ { "ref": "pkg:npm/%40angular/forms@11.2.11-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:15afdbd1-0014-544f-a080-a282e89caabc", "id": "CVE-2026-54268", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-54268 affects version 11.2.11-tuxcare.2 of @angular/forms." }, "affects": [ { "ref": "pkg:npm/%40angular/forms@11.2.11-tuxcare.2" } ] } ], "dependencies": [ { "ref": "pkg:npm/%40angular/forms@11.2.11-tuxcare.2" } ] }