{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:2db28049-8b25-5b2b-a4d1-17f96f67af82", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:npm/%40angular/http@7.2.11", "type": "library", "name": "@angular/http", "version": "7.2.11", "purl": "pkg:npm/%40angular/http@7.2.11" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:f5fea23c-37fd-54a5-9327-5e056dc23d5c", "id": "CVE-2021-4231", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2021-4231 affects version 7.2.11 of @angular/http." }, "affects": [ { "ref": "pkg:npm/%40angular/http@7.2.11" } ] }, { "bom-ref": "urn:uuid:51f235f4-86d1-5c98-a5dc-0b27be9053fc", "id": "CVE-2025-66412", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-66412 is fixed in version 7.2.11 of @angular/http." }, "affects": [ { "ref": "pkg:npm/%40angular/http@7.2.11" } ] }, { "bom-ref": "urn:uuid:5b8af463-4167-5392-b25f-f183a9fb2027", "id": "CVE-2026-22610", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22610 affects version 7.2.11 of @angular/http." }, "affects": [ { "ref": "pkg:npm/%40angular/http@7.2.11" } ] }, { "bom-ref": "urn:uuid:1fd7e20a-030a-50cf-a180-5562e0fdbb38", "id": "CVE-2026-27970", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-27970 affects version 7.2.11 of @angular/http." }, "affects": [ { "ref": "pkg:npm/%40angular/http@7.2.11" } ] }, { "bom-ref": "urn:uuid:c1a735a1-8e50-5546-af45-4d168dcdde11", "id": "CVE-2026-41423", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41423 affects version 7.2.11 of @angular/http." }, "affects": [ { "ref": "pkg:npm/%40angular/http@7.2.11" } ] }, { "bom-ref": "urn:uuid:bbc1b5ee-6b1f-574e-879f-ebbdc93acde8", "id": "CVE-2026-46417", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-46417 affects version 7.2.11 of @angular/http." }, "affects": [ { "ref": "pkg:npm/%40angular/http@7.2.11" } ] }, { "bom-ref": "urn:uuid:ce6da5b0-fb67-53a6-8254-54da0c70f114", "id": "CVE-2026-50168", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-50168 does not affect version 7.2.11 of @angular/http. not_affected \u2014 CVE-2026-50168 addresses vulnerabilities in the WHATWG URL-based parseUrl implementation and allowedHosts validation feature introduced in Angular's CVE-2026-41423 fix. The target (v7.2.11) uses a completely different architecture with Node.js legacy url.parse() and does not have the allowedHosts feature. The specific vulnerable code patterns that CVE-2026-50168 patches do not exist in this ver..." }, "affects": [ { "ref": "pkg:npm/%40angular/http@7.2.11" } ] }, { "bom-ref": "urn:uuid:775bae6d-b682-5993-abf8-82dcbc332a62", "id": "CVE-2026-50169", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50169 affects version 7.2.11 of @angular/http." }, "affects": [ { "ref": "pkg:npm/%40angular/http@7.2.11" } ] }, { "bom-ref": "urn:uuid:dbb98b33-14da-5fae-a9a8-65700e781a40", "id": "CVE-2026-50170", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-50170 does not affect version 7.2.11 of @angular/http. not_affected \u2014 Angular v7.2.11 is not affected by CVE-2026-50170. The HTTP Transfer Cache feature that is vulnerable does not exist in this version. The feature was introduced in Angular v16+, and v7.2.11 lacks the transfer_cache.ts module, withHttpTransferCache provider, and provideClientHydration functionality entirely." }, "affects": [ { "ref": "pkg:npm/%40angular/http@7.2.11" } ] }, { "bom-ref": "urn:uuid:fccc9191-32da-52ec-8a0e-b61bcab3b1b1", "id": "CVE-2026-50171", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50171 affects version 7.2.11 of @angular/http." }, "affects": [ { "ref": "pkg:npm/%40angular/http@7.2.11" } ] }, { "bom-ref": "urn:uuid:6b6b7d80-b360-5063-b4da-ee14a9705308", "id": "CVE-2026-50184", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50184 affects version 7.2.11 of @angular/http." }, "affects": [ { "ref": "pkg:npm/%40angular/http@7.2.11" } ] }, { "bom-ref": "urn:uuid:27ab7c2d-cf0d-5f34-9696-4b729d4a5a1a", "id": "CVE-2026-50555", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50555 affects version 7.2.11 of @angular/http." }, "affects": [ { "ref": "pkg:npm/%40angular/http@7.2.11" } ] }, { "bom-ref": "urn:uuid:f71b5ae7-511d-5a6d-92bc-2cd48ca9109c", "id": "CVE-2026-50556", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50556 affects version 7.2.11 of @angular/http." }, "affects": [ { "ref": "pkg:npm/%40angular/http@7.2.11" } ] }, { "bom-ref": "urn:uuid:18a5a173-b113-53b5-8bfe-f02312a10e32", "id": "CVE-2026-50557", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50557 affects version 7.2.11 of @angular/http." }, "affects": [ { "ref": "pkg:npm/%40angular/http@7.2.11" } ] }, { "bom-ref": "urn:uuid:939cc56a-8630-56c2-87a3-d88e355cd3ce", "id": "CVE-2026-52725", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-52725 affects version 7.2.11 of @angular/http." }, "affects": [ { "ref": "pkg:npm/%40angular/http@7.2.11" } ] }, { "bom-ref": "urn:uuid:18c2e66d-9437-59be-80e1-7c4e447fb9cd", "id": "CVE-2026-54264", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-54264 does not affect version 7.2.11 of @angular/http. not_affected \u2014 Angular 7.2.11-tuxcare.2 is not affected by CVE-2026-54264. The vulnerability concerns sensitive header leakage on cross-origin redirects in the request metadata preservation feature. This version predates that feature entirely - it strips ALL request headers when making network requests for assets, as evidenced by code comments and the absence of the newRequestWithMetadata method introduced in..." }, "affects": [ { "ref": "pkg:npm/%40angular/http@7.2.11" } ] }, { "bom-ref": "urn:uuid:d11ab431-20db-523e-a278-89653f27b51d", "id": "CVE-2026-54265", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-54265 does not affect version 7.2.11 of @angular/http. not_affected \u2014 Angular 7.2.11-tuxcare.2 uses View Engine compiler architecture, not Ivy. The vulnerability (CVE-2026-54265) is specific to Ivy's template compiler pipeline where TwoWayProperty operations were missing from the sanitizer resolution switch. View Engine does not have TwoWayProperty operations; two-way bindings desugar early in the template parser to the same parsePropertyBinding() code path as on..." }, "affects": [ { "ref": "pkg:npm/%40angular/http@7.2.11" } ] }, { "bom-ref": "urn:uuid:bc29081e-474d-5642-86a6-a96ba127b7ba", "id": "CVE-2026-54266", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-54266 does not affect version 7.2.11 of @angular/http. not_affected \u2014 Angular 7.2.11-tuxcare.2 is not affected by CVE-2026-54266. The HttpTransferCache feature that contains the weak hash vulnerability does not exist in this version - it was introduced in Angular 16." }, "affects": [ { "ref": "pkg:npm/%40angular/http@7.2.11" } ] }, { "bom-ref": "urn:uuid:b8e80fa0-a4ea-570f-acdf-a383d6e572d2", "id": "CVE-2026-54267", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-54267 affects version 7.2.11 of @angular/http." }, "affects": [ { "ref": "pkg:npm/%40angular/http@7.2.11" } ] }, { "bom-ref": "urn:uuid:ab1ffca8-c47f-587b-a112-9549974b8715", "id": "CVE-2026-54268", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-54268 affects version 7.2.11 of @angular/http." }, "affects": [ { "ref": "pkg:npm/%40angular/http@7.2.11" } ] } ], "dependencies": [ { "ref": "pkg:npm/%40angular/http@7.2.11" } ] }