{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:3bf04f5a-d7d7-5731-8552-51ee6a67593e", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:npm/%40angular/forms@15.2.9-tuxcare.1", "type": "library", "name": "@angular/forms", "version": "15.2.9-tuxcare.1", "purl": "pkg:npm/%40angular/forms@15.2.9-tuxcare.1" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:33b360ef-1242-5eb2-9a94-b16e2df57677", "id": "CVE-2025-66035", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-66035 is fixed in version 15.2.9-tuxcare.1 of @angular/forms." }, "affects": [ { "ref": "pkg:npm/%40angular/forms@15.2.9-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:eb20c19b-f0f9-59f2-94a4-85b8730bf396", "id": "CVE-2025-66412", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-66412 affects version 15.2.9-tuxcare.1 of @angular/forms." }, "affects": [ { "ref": "pkg:npm/%40angular/forms@15.2.9-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:3c2c1469-339f-5cf6-9d72-7f06c8d68851", "id": "CVE-2026-22610", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22610 affects version 15.2.9-tuxcare.1 of @angular/forms." }, "affects": [ { "ref": "pkg:npm/%40angular/forms@15.2.9-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:926bbbcc-d04d-5e9e-af6b-f713fb65f30a", "id": "CVE-2026-27970", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-27970 affects version 15.2.9-tuxcare.1 of @angular/forms." }, "affects": [ { "ref": "pkg:npm/%40angular/forms@15.2.9-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:d22b4cc0-ba07-52a6-97d8-712b0cd0a8b7", "id": "CVE-2026-41423", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41423 does not affect version 15.2.9-tuxcare.1 of @angular/forms. not_affected \u2014 Angular 15.2.9 is not affected by CVE-2026-41423. The SSRF vulnerability via protocol-relative URLs was introduced in Angular 17.0.0 when the codebase switched from Node.js url.parse to WHATWG URL API. Angular 15.2.9 still uses the legacy Node.js url.parse which treats protocol-relative URLs ('//evil.com') as pathnames, not hostname overrides, preventing the SSRF attack vector." }, "affects": [ { "ref": "pkg:npm/%40angular/forms@15.2.9-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:db648c9d-5918-5b39-8ce5-38da269884aa", "id": "CVE-2026-46417", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-46417 affects version 15.2.9-tuxcare.1 of @angular/forms." }, "affects": [ { "ref": "pkg:npm/%40angular/forms@15.2.9-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:61d9817a-52a8-533e-b71f-6d19885900fe", "id": "CVE-2026-50168", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50168 affects version 15.2.9-tuxcare.1 of @angular/forms." }, "affects": [ { "ref": "pkg:npm/%40angular/forms@15.2.9-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:5e222eb1-5417-53f1-bc24-f8bb8423b99a", "id": "CVE-2026-50169", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50169 affects version 15.2.9-tuxcare.1 of @angular/forms." }, "affects": [ { "ref": "pkg:npm/%40angular/forms@15.2.9-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:b4dc9132-088d-52de-a366-75d00989a396", "id": "CVE-2026-50170", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-50170 does not affect version 15.2.9-tuxcare.1 of @angular/forms. not_affected \u2014 no evidence captured" }, "affects": [ { "ref": "pkg:npm/%40angular/forms@15.2.9-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:62ec858b-11e9-5d5f-95b1-b4808b11a97a", "id": "CVE-2026-50171", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50171 affects version 15.2.9-tuxcare.1 of @angular/forms." }, "affects": [ { "ref": "pkg:npm/%40angular/forms@15.2.9-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:fcbf4d41-8dac-55f0-b9ba-e53010979c7b", "id": "CVE-2026-50184", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50184 affects version 15.2.9-tuxcare.1 of @angular/forms." }, "affects": [ { "ref": "pkg:npm/%40angular/forms@15.2.9-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:a4fe66d7-e1a6-52d7-817d-dc3e910e2dba", "id": "CVE-2026-50555", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50555 affects version 15.2.9-tuxcare.1 of @angular/forms." }, "affects": [ { "ref": "pkg:npm/%40angular/forms@15.2.9-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:89511fc9-9cdc-58b7-b1c8-58b80ccfbe32", "id": "CVE-2026-50556", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50556 affects version 15.2.9-tuxcare.1 of @angular/forms." }, "affects": [ { "ref": "pkg:npm/%40angular/forms@15.2.9-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:f2c2fbaf-074a-5c9d-9f19-6840a2f3efc4", "id": "CVE-2026-50557", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50557 affects version 15.2.9-tuxcare.1 of @angular/forms." }, "affects": [ { "ref": "pkg:npm/%40angular/forms@15.2.9-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:06aa1273-42d7-5ee3-be55-5b64a8644b94", "id": "CVE-2026-52725", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-52725 affects version 15.2.9-tuxcare.1 of @angular/forms." }, "affects": [ { "ref": "pkg:npm/%40angular/forms@15.2.9-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:703f9688-7f51-585c-b60c-bbeb506260a8", "id": "CVE-2026-54264", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-54264 affects version 15.2.9-tuxcare.1 of @angular/forms." }, "affects": [ { "ref": "pkg:npm/%40angular/forms@15.2.9-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:50ca5afa-0164-5d63-aea5-5757b042a6e4", "id": "CVE-2026-54265", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-54265 does not affect version 15.2.9-tuxcare.1 of @angular/forms. not_affected \u2014 Angular 15.2.9-tuxcare.1 is not affected by CVE-2026-54265. The vulnerability requires the new Ivy compiler 'pipeline' architecture with the TwoWayProperty IR operation, which was introduced in Angular 16+. Angular 15.2.9 uses the older compiler architecture where two-way bindings are desugared into separate property and event bindings, causing them to automatically receive the same sanitizatio..." }, "affects": [ { "ref": "pkg:npm/%40angular/forms@15.2.9-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:eead88ad-abcb-5408-896b-2199f7ed48f8", "id": "CVE-2026-54266", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-54266 does not affect version 15.2.9-tuxcare.1 of @angular/forms. not_affected \u2014 Angular 15.2.9 is not affected by CVE-2026-54266. The vulnerable HttpTransferCache feature does not exist in this version - it was introduced in Angular v16+. Without this feature, there is no code that hashes HTTP request properties for cache key generation, so the hash collision vulnerability cannot manifest." }, "affects": [ { "ref": "pkg:npm/%40angular/forms@15.2.9-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:39eec17a-f79d-5a72-ad66-2f1ca13b68b6", "id": "CVE-2026-54267", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-54267 affects version 15.2.9-tuxcare.1 of @angular/forms." }, "affects": [ { "ref": "pkg:npm/%40angular/forms@15.2.9-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:7a6d3d15-9ab5-5987-b9d5-405d6a685a8b", "id": "CVE-2026-54268", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-54268 affects version 15.2.9-tuxcare.1 of @angular/forms." }, "affects": [ { "ref": "pkg:npm/%40angular/forms@15.2.9-tuxcare.1" } ] } ], "dependencies": [ { "ref": "pkg:npm/%40angular/forms@15.2.9-tuxcare.1" } ] }