{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:0f77780e-a442-5641-afeb-a2c7cfce9d8e", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:npm/%40angular/forms@8.0.0-tuxcare.1", "type": "library", "name": "@angular/forms", "version": "8.0.0-tuxcare.1", "purl": "pkg:npm/%40angular/forms@8.0.0-tuxcare.1" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:10de59a6-f08c-5979-bcda-0bedc16b4b79", "id": "CVE-2021-4231", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2021-4231 affects version 8.0.0-tuxcare.1 of @angular/forms." }, "affects": [ { "ref": "pkg:npm/%40angular/forms@8.0.0-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:86124aec-9e10-5130-9b68-9ee86bab2e14", "id": "CVE-2025-66035", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-66035 is fixed in version 8.0.0-tuxcare.1 of @angular/forms." }, "affects": [ { "ref": "pkg:npm/%40angular/forms@8.0.0-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:28972510-77aa-5f05-81e6-a5655e23a486", "id": "CVE-2025-66412", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-66412 affects version 8.0.0-tuxcare.1 of @angular/forms." }, "affects": [ { "ref": "pkg:npm/%40angular/forms@8.0.0-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:ebeaeb75-5317-5518-a9ca-4f23fa4059da", "id": "CVE-2026-22610", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22610 affects version 8.0.0-tuxcare.1 of @angular/forms." }, "affects": [ { "ref": "pkg:npm/%40angular/forms@8.0.0-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:d39a9f10-4427-5e06-961c-d8c713fdabd6", "id": "CVE-2026-27970", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-27970 affects version 8.0.0-tuxcare.1 of @angular/forms." }, "affects": [ { "ref": "pkg:npm/%40angular/forms@8.0.0-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:f4716777-45ff-5c22-bd19-944bf093b30a", "id": "CVE-2026-41423", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41423 does not affect version 8.0.0-tuxcare.1 of @angular/forms. not_affected \u2014 The target Angular 8.0.0 is not affected by CVE-2026-41423. The vulnerability exists only in newer Angular versions (17+) that use the WHATWG URL API. The target uses Node.js url.parse() which does not interpret protocol-relative URLs (//evil.com) as hostname overrides when used without a base URL parameter." }, "affects": [ { "ref": "pkg:npm/%40angular/forms@8.0.0-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:50cb24b2-49cf-5b17-a9fb-0966f028327c", "id": "CVE-2026-46417", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-46417 affects version 8.0.0-tuxcare.1 of @angular/forms." }, "affects": [ { "ref": "pkg:npm/%40angular/forms@8.0.0-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:a8ef2c12-f74f-500e-ac1d-890210006bf3", "id": "CVE-2026-50168", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50168 affects version 8.0.0-tuxcare.1 of @angular/forms." }, "affects": [ { "ref": "pkg:npm/%40angular/forms@8.0.0-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:966a9438-41a8-51a1-9c0d-cb9c7f1bab9b", "id": "CVE-2026-50169", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50169 affects version 8.0.0-tuxcare.1 of @angular/forms." }, "affects": [ { "ref": "pkg:npm/%40angular/forms@8.0.0-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:9598dcc5-43d3-5db2-8d1a-eb9d7d99f7ee", "id": "CVE-2026-50170", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-50170 does not affect version 8.0.0-tuxcare.1 of @angular/forms. not_affected \u2014 Angular v8.0.0 is not affected by CVE-2026-50170. The vulnerability requires the HTTP TransferCache feature (automatic caching of HTTP responses during SSR with client hydration), which was introduced in Angular v16+. Version 8.0.0 lacks the vulnerable code path entirely: no transfer_cache.ts, no transferCacheInterceptorFn, no shouldCacheRequest() function, and no automatic HTTP response cachin..." }, "affects": [ { "ref": "pkg:npm/%40angular/forms@8.0.0-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:77d6051f-521a-52f7-abf3-1878231a0fef", "id": "CVE-2026-50171", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50171 affects version 8.0.0-tuxcare.1 of @angular/forms." }, "affects": [ { "ref": "pkg:npm/%40angular/forms@8.0.0-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:480156d1-5d39-52a9-8ffc-1424304ee004", "id": "CVE-2026-50184", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50184 affects version 8.0.0-tuxcare.1 of @angular/forms." }, "affects": [ { "ref": "pkg:npm/%40angular/forms@8.0.0-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:3babe273-d7b2-509a-8ddc-d7e0a8e3fa1a", "id": "CVE-2026-50555", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50555 affects version 8.0.0-tuxcare.1 of @angular/forms." }, "affects": [ { "ref": "pkg:npm/%40angular/forms@8.0.0-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:3968e7b4-1eed-5f4d-84a2-2c7d31fd6910", "id": "CVE-2026-50556", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50556 affects version 8.0.0-tuxcare.1 of @angular/forms." }, "affects": [ { "ref": "pkg:npm/%40angular/forms@8.0.0-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:33912d3f-d6ea-53d7-bbd9-d88521c841f4", "id": "CVE-2026-50557", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50557 affects version 8.0.0-tuxcare.1 of @angular/forms." }, "affects": [ { "ref": "pkg:npm/%40angular/forms@8.0.0-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:c3fda07d-2cb5-57ba-a191-7ddd26dd8293", "id": "CVE-2026-52725", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-52725 affects version 8.0.0-tuxcare.1 of @angular/forms." }, "affects": [ { "ref": "pkg:npm/%40angular/forms@8.0.0-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:fb47ebf7-b51c-5e58-adeb-57fad728bc0a", "id": "CVE-2026-54264", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-54264 does not affect version 8.0.0-tuxcare.1 of @angular/forms. not_affected \u2014 Target version 8.0.0-tuxcare.2 is NOT AFFECTED by CVE-2026-54264. The Service Worker implementation strips ALL request headers (including Authorization, Proxy-Authorization, and Cookie) when reconstructing network requests for asset fetches. This architectural design prevents sensitive headers from being forwarded to any destination, including cross-origin redirect targets." }, "affects": [ { "ref": "pkg:npm/%40angular/forms@8.0.0-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:73d56f18-3130-525f-b049-82e087810e8d", "id": "CVE-2026-54265", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-54265 does not affect version 8.0.0-tuxcare.1 of @angular/forms. not_affected \u2014 Angular 8.0.0-tuxcare.2 is NOT affected by CVE-2026-54265. This vulnerability is specific to the Ivy template compiler pipeline introduced in Angular 9+. Angular 8.0.0 uses View Engine, which desugars two-way bindings through the same parsePropertyBinding() code path as one-way bindings, inherently applying schema-derived sanitization. The vulnerable TwoWayProperty operation and resolve_sanitiz..." }, "affects": [ { "ref": "pkg:npm/%40angular/forms@8.0.0-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:b7cc097c-454e-5a0b-baea-08ed72b884a8", "id": "CVE-2026-54266", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-54266 does not affect version 8.0.0-tuxcare.1 of @angular/forms. not_affected \u2014 Angular 8.0.0 does not contain the vulnerable HttpTransferCache feature. The CVE-2026-54266 vulnerability affects HttpTransferCache, which was introduced in Angular 9+. While this version has the underlying TransferState mechanism, it lacks the automatic HTTP request caching feature with the vulnerable DJB2 hash-based cache key generation." }, "affects": [ { "ref": "pkg:npm/%40angular/forms@8.0.0-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:18b739df-e857-5acd-bc40-a6a336c6c1f9", "id": "CVE-2026-54267", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-54267 affects version 8.0.0-tuxcare.1 of @angular/forms." }, "affects": [ { "ref": "pkg:npm/%40angular/forms@8.0.0-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:38929a85-1268-5040-b8e0-825b7da0cdb3", "id": "CVE-2026-54268", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-54268 affects version 8.0.0-tuxcare.1 of @angular/forms." }, "affects": [ { "ref": "pkg:npm/%40angular/forms@8.0.0-tuxcare.1" } ] } ], "dependencies": [ { "ref": "pkg:npm/%40angular/forms@8.0.0-tuxcare.1" } ] }