{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:a4f33ce9-f6d6-5339-8ee6-77f3c035c061", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:npm/%40angular/language-service@11.2.11-tuxcare.1", "type": "library", "name": "@angular/language-service", "version": "11.2.11-tuxcare.1", "purl": "pkg:npm/%40angular/language-service@11.2.11-tuxcare.1" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:30eceb13-81cb-534a-abac-a3cd55196a52", "id": "CVE-2025-66035", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-66035 is fixed in version 11.2.11-tuxcare.1 of @angular/language-service." }, "affects": [ { "ref": "pkg:npm/%40angular/language-service@11.2.11-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:78ce9d06-ce57-5e4d-bbbc-e9d5127578d1", "id": "CVE-2025-66412", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-66412 affects version 11.2.11-tuxcare.1 of @angular/language-service." }, "affects": [ { "ref": "pkg:npm/%40angular/language-service@11.2.11-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:8c5a5b0d-60a7-581a-a2d4-eac1e02415e9", "id": "CVE-2026-22610", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22610 affects version 11.2.11-tuxcare.1 of @angular/language-service." }, "affects": [ { "ref": "pkg:npm/%40angular/language-service@11.2.11-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:3d0829f4-6c79-5fa3-92af-2052c424c9fd", "id": "CVE-2026-27970", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-27970 affects version 11.2.11-tuxcare.1 of @angular/language-service." }, "affects": [ { "ref": "pkg:npm/%40angular/language-service@11.2.11-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:00bd3134-685c-54c9-94fb-671d123427d4", "id": "CVE-2026-41423", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41423 affects version 11.2.11-tuxcare.1 of @angular/language-service." }, "affects": [ { "ref": "pkg:npm/%40angular/language-service@11.2.11-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:6201c810-4cb4-584d-8814-cbc5b1d26018", "id": "CVE-2026-46417", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-46417 affects version 11.2.11-tuxcare.1 of @angular/language-service." }, "affects": [ { "ref": "pkg:npm/%40angular/language-service@11.2.11-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:26f5f50e-3762-54fe-9504-2e1463b16a3f", "id": "CVE-2026-50168", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50168 affects version 11.2.11-tuxcare.1 of @angular/language-service." }, "affects": [ { "ref": "pkg:npm/%40angular/language-service@11.2.11-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:aacb68b2-6346-576c-834e-c376742d5a58", "id": "CVE-2026-50169", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50169 affects version 11.2.11-tuxcare.1 of @angular/language-service." }, "affects": [ { "ref": "pkg:npm/%40angular/language-service@11.2.11-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:97ddafcf-4e17-5bea-b40e-33c68ea84342", "id": "CVE-2026-50170", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-50170 does not affect version 11.2.11-tuxcare.1 of @angular/language-service. not_affected \u2014 Angular v11.2.11 is NOT AFFECTED by CVE-2026-50170. The vulnerability affects the HTTP transfer cache feature introduced in Angular v16+, which automatically caches HTTP responses during SSR and replays them during client hydration. This feature does not exist in v11.2.11. The target lacks the entire transfer_cache.ts module, withHttpTransferCache API, transferCacheInterceptorFn, and client hyd..." }, "affects": [ { "ref": "pkg:npm/%40angular/language-service@11.2.11-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:064f0d55-f3d4-5920-bf4f-2b08d1a391eb", "id": "CVE-2026-50171", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50171 affects version 11.2.11-tuxcare.1 of @angular/language-service." }, "affects": [ { "ref": "pkg:npm/%40angular/language-service@11.2.11-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:95dced36-b305-5563-a998-7d6e1f056e0c", "id": "CVE-2026-50184", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50184 affects version 11.2.11-tuxcare.1 of @angular/language-service." }, "affects": [ { "ref": "pkg:npm/%40angular/language-service@11.2.11-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:79010617-814a-592b-b5fb-36d7732b99e3", "id": "CVE-2026-50555", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50555 affects version 11.2.11-tuxcare.1 of @angular/language-service." }, "affects": [ { "ref": "pkg:npm/%40angular/language-service@11.2.11-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:ff8fb14b-3162-5830-b45c-d283ec9cd5b6", "id": "CVE-2026-50556", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50556 affects version 11.2.11-tuxcare.1 of @angular/language-service." }, "affects": [ { "ref": "pkg:npm/%40angular/language-service@11.2.11-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:88634cd6-ea65-5246-9fdd-96a4cd1f1f54", "id": "CVE-2026-50557", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50557 affects version 11.2.11-tuxcare.1 of @angular/language-service." }, "affects": [ { "ref": "pkg:npm/%40angular/language-service@11.2.11-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:98d062be-123d-54a5-9797-5aa8b8457ab3", "id": "CVE-2026-52725", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-52725 affects version 11.2.11-tuxcare.1 of @angular/language-service." }, "affects": [ { "ref": "pkg:npm/%40angular/language-service@11.2.11-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:bf44b3b0-7e15-5f7c-b576-d19f14c0bcaf", "id": "CVE-2026-54264", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-54264 does not affect version 11.2.11-tuxcare.1 of @angular/language-service. not_affected \u2014 Angular 11.2.11-tuxcare.2 is NOT AFFECTED by CVE-2026-54264. The service worker in this version does not forward request headers during asset reconstruction, eliminating the cross-origin credential leak vulnerability. The vulnerable method `newRequestWithMetadata` that copies headers from the original request does not exist in this version." }, "affects": [ { "ref": "pkg:npm/%40angular/language-service@11.2.11-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:83457621-5617-5858-8c9b-e31135507b64", "id": "CVE-2026-54265", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-54265 does not affect version 11.2.11-tuxcare.1 of @angular/language-service. not_affected \u2014 Angular 11.2.11 is not affected by CVE-2026-54265. The vulnerability targets the new Ivy compiler's TwoWayProperty operation in the template compilation pipeline, which does not exist in Angular 11.2.11. In this version, two-way bindings desugar through the same sanitization-aware parsePropertyBinding code path as one-way bindings, ensuring security-sensitive properties are properly sanitized." }, "affects": [ { "ref": "pkg:npm/%40angular/language-service@11.2.11-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:73b7b025-7c47-58dc-9356-a4962d523510", "id": "CVE-2026-54266", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-54266 does not affect version 11.2.11-tuxcare.1 of @angular/language-service. not_affected \u2014 Angular version 11.2.11 is not affected by CVE-2026-54266. The vulnerable HttpTransferCache feature with weak DJB2 hash-based cache key generation does not exist in this version. This feature was introduced in Angular v16, and version 11.2.11 predates it entirely." }, "affects": [ { "ref": "pkg:npm/%40angular/language-service@11.2.11-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:add98f4f-b073-5bb6-a4b2-ef21072c4c3d", "id": "CVE-2026-54267", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-54267 affects version 11.2.11-tuxcare.1 of @angular/language-service." }, "affects": [ { "ref": "pkg:npm/%40angular/language-service@11.2.11-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:a2e946ab-a259-50c8-88f8-fff3dc2c88a6", "id": "CVE-2026-54268", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-54268 affects version 11.2.11-tuxcare.1 of @angular/language-service." }, "affects": [ { "ref": "pkg:npm/%40angular/language-service@11.2.11-tuxcare.1" } ] } ], "dependencies": [ { "ref": "pkg:npm/%40angular/language-service@11.2.11-tuxcare.1" } ] }