{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:24f376e2-6fa1-5cf5-9f26-ba86ad4cdb8e", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:npm/%40angular/forms@14.2.12", "type": "library", "name": "@angular/forms", "version": "14.2.12", "purl": "pkg:npm/%40angular/forms@14.2.12" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:6e22d50f-0848-5ce6-a105-78ca475eab73", "id": "CVE-2025-66412", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-66412 affects version 14.2.12 of @angular/forms." }, "affects": [ { "ref": "pkg:npm/%40angular/forms@14.2.12" } ] }, { "bom-ref": "urn:uuid:afa269a4-071f-5d01-a43c-30e42ec65422", "id": "CVE-2026-22610", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22610 affects version 14.2.12 of @angular/forms." }, "affects": [ { "ref": "pkg:npm/%40angular/forms@14.2.12" } ] }, { "bom-ref": "urn:uuid:da072924-9433-5db2-bed5-1b42e7a09c63", "id": "CVE-2026-27970", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-27970 affects version 14.2.12 of @angular/forms." }, "affects": [ { "ref": "pkg:npm/%40angular/forms@14.2.12" } ] }, { "bom-ref": "urn:uuid:39b648a1-d169-5673-b8d6-04db2536dd1e", "id": "CVE-2026-41423", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41423 affects version 14.2.12 of @angular/forms." }, "affects": [ { "ref": "pkg:npm/%40angular/forms@14.2.12" } ] }, { "bom-ref": "urn:uuid:cec5967d-400d-5f86-be56-c795fe610cd6", "id": "CVE-2026-46417", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-46417 affects version 14.2.12 of @angular/forms." }, "affects": [ { "ref": "pkg:npm/%40angular/forms@14.2.12" } ] }, { "bom-ref": "urn:uuid:d273b7f0-ef4c-5acd-a1a4-06a97dfc379f", "id": "CVE-2026-50168", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50168 affects version 14.2.12 of @angular/forms." }, "affects": [ { "ref": "pkg:npm/%40angular/forms@14.2.12" } ] }, { "bom-ref": "urn:uuid:900b5ce0-85ca-58fe-a41a-f521bcad0adf", "id": "CVE-2026-50169", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50169 affects version 14.2.12 of @angular/forms." }, "affects": [ { "ref": "pkg:npm/%40angular/forms@14.2.12" } ] }, { "bom-ref": "urn:uuid:fd8562cb-1d22-5285-a6ce-071b8065c1bd", "id": "CVE-2026-50170", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-50170 does not affect version 14.2.12 of @angular/forms. not_affected \u2014 Angular v14.2.12-tuxcare.1 is not affected by CVE-2026-50170. The HTTP TransferCache feature and client hydration mechanism that contain the vulnerability were introduced in Angular v16+. This version predates that feature introduction and does not have the vulnerable code path." }, "affects": [ { "ref": "pkg:npm/%40angular/forms@14.2.12" } ] }, { "bom-ref": "urn:uuid:938e8dcb-9e5e-5792-bbd1-b5e825ef84f1", "id": "CVE-2026-50171", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50171 affects version 14.2.12 of @angular/forms." }, "affects": [ { "ref": "pkg:npm/%40angular/forms@14.2.12" } ] }, { "bom-ref": "urn:uuid:e9994ad7-0446-51c7-940a-305c1e533312", "id": "CVE-2026-50184", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50184 affects version 14.2.12 of @angular/forms." }, "affects": [ { "ref": "pkg:npm/%40angular/forms@14.2.12" } ] }, { "bom-ref": "urn:uuid:73798cca-5237-527c-b2a6-994eebce7e4f", "id": "CVE-2026-50555", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50555 affects version 14.2.12 of @angular/forms." }, "affects": [ { "ref": "pkg:npm/%40angular/forms@14.2.12" } ] }, { "bom-ref": "urn:uuid:db2ba593-cd48-5049-ad61-f3d7fb685cd8", "id": "CVE-2026-50556", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50556 affects version 14.2.12 of @angular/forms." }, "affects": [ { "ref": "pkg:npm/%40angular/forms@14.2.12" } ] }, { "bom-ref": "urn:uuid:a08a0618-15c6-5a11-9975-d44741eaf20a", "id": "CVE-2026-50557", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50557 affects version 14.2.12 of @angular/forms." }, "affects": [ { "ref": "pkg:npm/%40angular/forms@14.2.12" } ] }, { "bom-ref": "urn:uuid:3eabca7e-996e-5806-b6c7-f7949bc63087", "id": "CVE-2026-52725", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-52725 affects version 14.2.12 of @angular/forms." }, "affects": [ { "ref": "pkg:npm/%40angular/forms@14.2.12" } ] }, { "bom-ref": "urn:uuid:0a123b97-763e-5d43-b461-6eb43bca99c0", "id": "CVE-2026-54264", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-54264 affects version 14.2.12 of @angular/forms." }, "affects": [ { "ref": "pkg:npm/%40angular/forms@14.2.12" } ] }, { "bom-ref": "urn:uuid:c46834cb-250a-5107-8568-aa48ecef4df7", "id": "CVE-2026-54265", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-54265 does not affect version 14.2.12 of @angular/forms. not_affected \u2014 Angular 14.2.12-tuxcare.1 is not affected by CVE-2026-54265. This version uses the pre-pipeline compiler architecture where two-way bindings are desugared into separate property and event bindings, both of which go through proper sanitization. The vulnerability only exists in Angular 17.3.0+ where the template pipeline with TwoWayProperty IR operation was introduced." }, "affects": [ { "ref": "pkg:npm/%40angular/forms@14.2.12" } ] }, { "bom-ref": "urn:uuid:5324c918-3e85-5b27-a08f-a73076da2cc0", "id": "CVE-2026-54266", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-54266 does not affect version 14.2.12 of @angular/forms. not_affected \u2014 Angular 14.2.12 is not affected by CVE-2026-54266. The vulnerable HttpTransferCache feature does not exist in this version - it was introduced in Angular v16+. The target has no code path that generates cache keys from HTTP request parameters, and therefore cannot experience cache key collisions." }, "affects": [ { "ref": "pkg:npm/%40angular/forms@14.2.12" } ] }, { "bom-ref": "urn:uuid:3e46034d-7f28-5c02-b441-4baa93e6ebfb", "id": "CVE-2026-54267", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-54267 affects version 14.2.12 of @angular/forms." }, "affects": [ { "ref": "pkg:npm/%40angular/forms@14.2.12" } ] }, { "bom-ref": "urn:uuid:e1ff1501-f6fc-517b-9e6b-583b5bab7ab9", "id": "CVE-2026-54268", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-54268 affects version 14.2.12 of @angular/forms." }, "affects": [ { "ref": "pkg:npm/%40angular/forms@14.2.12" } ] } ], "dependencies": [ { "ref": "pkg:npm/%40angular/forms@14.2.12" } ] }