{
  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "serialNumber": "urn:uuid:e28c5f3c-8a50-5956-807c-310cc5d14352",
  "version": 1,
  "metadata": {
    "tools": [
      {
        "name": "tuxcare-vex-generator",
        "version": "1.0.0"
      }
    ]
  },
  "components": [
    {
      "bom-ref": "pkg:npm/%40angular/forms@14.2.12-tuxcare.1",
      "type": "library",
      "name": "@angular/forms",
      "version": "14.2.12-tuxcare.1",
      "purl": "pkg:npm/%40angular/forms@14.2.12-tuxcare.1"
    }
  ],
  "vulnerabilities": [
    {
      "bom-ref": "urn:uuid:847c79eb-0dec-5ef2-a482-9a420b9841e8",
      "id": "CVE-2025-66035",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2025-66035 is fixed in version 14.2.12-tuxcare.1 of @angular/forms."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/forms@14.2.12-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:853505fa-a737-50a4-9c47-74aa9ffd30ba",
      "id": "CVE-2025-66412",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2025-66412 affects version 14.2.12-tuxcare.1 of @angular/forms."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/forms@14.2.12-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:29d53166-1ca7-517f-9c54-abec982061a5",
      "id": "CVE-2026-22610",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-22610 affects version 14.2.12-tuxcare.1 of @angular/forms."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/forms@14.2.12-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:7f455748-e100-56a8-bc44-0450a33eee0e",
      "id": "CVE-2026-27970",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-27970 affects version 14.2.12-tuxcare.1 of @angular/forms."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/forms@14.2.12-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:caf466d4-47fb-5f5f-86af-6b85e1bdbf6e",
      "id": "CVE-2026-41423",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-41423 affects version 14.2.12-tuxcare.1 of @angular/forms."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/forms@14.2.12-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:67a314d8-617f-507d-b943-25fed313d3b7",
      "id": "CVE-2026-46417",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-46417 affects version 14.2.12-tuxcare.1 of @angular/forms."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/forms@14.2.12-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:dcdd5c30-8f62-5149-9801-8d3d283bc1ae",
      "id": "CVE-2026-50168",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-50168 affects version 14.2.12-tuxcare.1 of @angular/forms."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/forms@14.2.12-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:265ad94f-4d06-57bc-bd21-07c8aa70147d",
      "id": "CVE-2026-50169",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-50169 affects version 14.2.12-tuxcare.1 of @angular/forms."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/forms@14.2.12-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:84a5d39d-751c-5c40-a6d7-e2efb070612c",
      "id": "CVE-2026-50170",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2026-50170 does not affect version 14.2.12-tuxcare.1 of @angular/forms. not_affected \u2014 Angular v14.2.12-tuxcare.1 is not affected by CVE-2026-50170. The HTTP TransferCache feature and client hydration mechanism that contain the vulnerability were introduced in Angular v16+. This version predates that feature introduction and does not have the vulnerable code path."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/forms@14.2.12-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:78255829-9fb4-57c0-ab9c-9ec68b9b4c7c",
      "id": "CVE-2026-50171",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-50171 affects version 14.2.12-tuxcare.1 of @angular/forms."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/forms@14.2.12-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:21acb3b2-f5ec-5774-8f7e-1b6deeabda54",
      "id": "CVE-2026-50184",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-50184 affects version 14.2.12-tuxcare.1 of @angular/forms."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/forms@14.2.12-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:d21f9e2e-0ba4-5cb8-9f23-01f74a0c9ae3",
      "id": "CVE-2026-50555",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-50555 affects version 14.2.12-tuxcare.1 of @angular/forms."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/forms@14.2.12-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:5410183d-e283-5aaf-9722-44c8d8da6fcb",
      "id": "CVE-2026-50556",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-50556 affects version 14.2.12-tuxcare.1 of @angular/forms."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/forms@14.2.12-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:5d703206-086f-5fa9-8a79-ee4a9f537f0d",
      "id": "CVE-2026-50557",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-50557 affects version 14.2.12-tuxcare.1 of @angular/forms."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/forms@14.2.12-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:327bc92e-ae35-544b-a7e1-918316aabb6c",
      "id": "CVE-2026-52725",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-52725 affects version 14.2.12-tuxcare.1 of @angular/forms."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/forms@14.2.12-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:440a5721-a059-58c1-9b2b-8c54a263844b",
      "id": "CVE-2026-54264",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-54264 affects version 14.2.12-tuxcare.1 of @angular/forms."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/forms@14.2.12-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:5b976363-8525-57a8-a7d8-5931a3bdfc1e",
      "id": "CVE-2026-54265",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2026-54265 does not affect version 14.2.12-tuxcare.1 of @angular/forms. not_affected \u2014 Angular 14.2.12-tuxcare.1 is not affected by CVE-2026-54265. This version uses the pre-pipeline compiler architecture where two-way bindings are desugared into separate property and event bindings, both of which go through proper sanitization. The vulnerability only exists in Angular 17.3.0+ where the template pipeline with TwoWayProperty IR operation was introduced."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/forms@14.2.12-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:2f6e4454-eb08-5c77-a600-d71bc9d1cd8d",
      "id": "CVE-2026-54266",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2026-54266 does not affect version 14.2.12-tuxcare.1 of @angular/forms. not_affected \u2014 Angular 14.2.12 is not affected by CVE-2026-54266. The vulnerable HttpTransferCache feature does not exist in this version - it was introduced in Angular v16+. The target has no code path that generates cache keys from HTTP request parameters, and therefore cannot experience cache key collisions."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/forms@14.2.12-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:0d4ec3f7-a18c-5c1d-b834-307307875063",
      "id": "CVE-2026-54267",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-54267 affects version 14.2.12-tuxcare.1 of @angular/forms."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/forms@14.2.12-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:52450e0b-333a-5732-9a80-97a3b5796f0e",
      "id": "CVE-2026-54268",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-54268 affects version 14.2.12-tuxcare.1 of @angular/forms."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/forms@14.2.12-tuxcare.1"
        }
      ]
    }
  ],
  "dependencies": [
    {
      "ref": "pkg:npm/%40angular/forms@14.2.12-tuxcare.1"
    }
  ]
}