{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:58cd928c-1ce1-5b47-8f3c-41bb58b8a450", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:npm/%40angular/language-service@13.3.12", "type": "library", "name": "@angular/language-service", "version": "13.3.12", "purl": "pkg:npm/%40angular/language-service@13.3.12" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:3edabf3e-6af7-542a-a8a5-533b80a19408", "id": "CVE-2025-66412", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-66412 affects version 13.3.12 of @angular/language-service." }, "affects": [ { "ref": "pkg:npm/%40angular/language-service@13.3.12" } ] }, { "bom-ref": "urn:uuid:102b7232-a7fb-5d8e-86b0-7f78ac00c823", "id": "CVE-2026-22610", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22610 affects version 13.3.12 of @angular/language-service." }, "affects": [ { "ref": "pkg:npm/%40angular/language-service@13.3.12" } ] }, { "bom-ref": "urn:uuid:3232058e-1593-517b-b128-57e573ca999b", "id": "CVE-2026-27970", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-27970 affects version 13.3.12 of @angular/language-service." }, "affects": [ { "ref": "pkg:npm/%40angular/language-service@13.3.12" } ] }, { "bom-ref": "urn:uuid:6bcd2e8e-83fb-5473-b393-c1e7b9d51904", "id": "CVE-2026-41423", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41423 affects version 13.3.12 of @angular/language-service." }, "affects": [ { "ref": "pkg:npm/%40angular/language-service@13.3.12" } ] }, { "bom-ref": "urn:uuid:4eef9c16-745a-5382-9c3b-198cc6945985", "id": "CVE-2026-46417", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-46417 affects version 13.3.12 of @angular/language-service." }, "affects": [ { "ref": "pkg:npm/%40angular/language-service@13.3.12" } ] }, { "bom-ref": "urn:uuid:1045ea48-ed4c-55d9-aaf0-a3e87571d2ea", "id": "CVE-2026-50168", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50168 affects version 13.3.12 of @angular/language-service." }, "affects": [ { "ref": "pkg:npm/%40angular/language-service@13.3.12" } ] }, { "bom-ref": "urn:uuid:6ae554a1-ec8e-56fc-8e7b-cf8638926ac0", "id": "CVE-2026-50169", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50169 affects version 13.3.12 of @angular/language-service." }, "affects": [ { "ref": "pkg:npm/%40angular/language-service@13.3.12" } ] }, { "bom-ref": "urn:uuid:0f49459d-e1af-5388-9425-0168994cf0e9", "id": "CVE-2026-50170", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-50170 does not affect version 13.3.12 of @angular/language-service. not_affected \u2014 Angular v13.3.12 is NOT AFFECTED by CVE-2026-50170. The HttpTransferCache feature that contains the vulnerability was introduced in Angular v16.0.0 (March 2023) and does not exist in this earlier version." }, "affects": [ { "ref": "pkg:npm/%40angular/language-service@13.3.12" } ] }, { "bom-ref": "urn:uuid:80df6e38-f345-5b93-bdc9-61e7d845d47c", "id": "CVE-2026-50171", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50171 affects version 13.3.12 of @angular/language-service." }, "affects": [ { "ref": "pkg:npm/%40angular/language-service@13.3.12" } ] }, { "bom-ref": "urn:uuid:9605bd09-8d57-5175-89c9-d0d93c1bbe91", "id": "CVE-2026-50184", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50184 affects version 13.3.12 of @angular/language-service." }, "affects": [ { "ref": "pkg:npm/%40angular/language-service@13.3.12" } ] }, { "bom-ref": "urn:uuid:74a765bc-930c-55b8-8ce0-82b492924ba3", "id": "CVE-2026-50555", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50555 affects version 13.3.12 of @angular/language-service." }, "affects": [ { "ref": "pkg:npm/%40angular/language-service@13.3.12" } ] }, { "bom-ref": "urn:uuid:58a6f46f-7cf1-58b7-9dfc-c8b423d6d0ab", "id": "CVE-2026-50556", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50556 affects version 13.3.12 of @angular/language-service." }, "affects": [ { "ref": "pkg:npm/%40angular/language-service@13.3.12" } ] }, { "bom-ref": "urn:uuid:26ee9f98-a8f1-5fb1-a0d1-73d5fd86d5eb", "id": "CVE-2026-50557", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50557 affects version 13.3.12 of @angular/language-service." }, "affects": [ { "ref": "pkg:npm/%40angular/language-service@13.3.12" } ] }, { "bom-ref": "urn:uuid:46ec107d-18b9-534b-a7f6-bc61e0670dc9", "id": "CVE-2026-52725", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-52725 affects version 13.3.12 of @angular/language-service." }, "affects": [ { "ref": "pkg:npm/%40angular/language-service@13.3.12" } ] }, { "bom-ref": "urn:uuid:427795d5-1e04-500d-9f7b-b68067c43577", "id": "CVE-2026-54264", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-54264 does not affect version 13.3.12 of @angular/language-service. not_affected \u2014 Version 13.3.12 does not have the vulnerable code pattern. The vulnerability exists in versions 20.x+ where the Service Worker's newRequestWithMetadata function preserves request headers but fails to strip sensitive headers on cross-origin redirects. Version 13.3.12 lacks this function entirely and creates fresh requests with URL-only when handling redirects, preventing header leakage." }, "affects": [ { "ref": "pkg:npm/%40angular/language-service@13.3.12" } ] }, { "bom-ref": "urn:uuid:199930b5-53dc-5613-a524-a2899526221a", "id": "CVE-2026-54265", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-54265 does not affect version 13.3.12 of @angular/language-service. not_affected \u2014 Angular v13.3.12-tuxcare.1 is not affected by CVE-2026-54265. The vulnerability is specific to the Ivy template pipeline architecture (TwoWayProperty operation) introduced in Angular v17+. This version uses an older Ivy architecture where two-way bindings desugar through the same sanitized property binding path as one-way bindings, preventing the sanitization bypass." }, "affects": [ { "ref": "pkg:npm/%40angular/language-service@13.3.12" } ] }, { "bom-ref": "urn:uuid:4061d3f4-17c4-5b49-afcc-8ca161442d47", "id": "CVE-2026-54266", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-54266 does not affect version 13.3.12 of @angular/language-service. not_affected \u2014 Angular v13.3.12 is NOT AFFECTED by CVE-2026-54266. The vulnerable HttpTransferCache feature with weak DJB2 hash-based cache key generation was introduced in Angular v16.0.0-next.7 (March 2023), which is 3+ major versions newer than this target version. Exhaustive code analysis confirms the transfer_cache.ts module, HttpTransferCache class, generateHash function, and all related cache key gener..." }, "affects": [ { "ref": "pkg:npm/%40angular/language-service@13.3.12" } ] }, { "bom-ref": "urn:uuid:c679947e-a5f6-5640-a240-cd9c468f1105", "id": "CVE-2026-54267", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-54267 affects version 13.3.12 of @angular/language-service." }, "affects": [ { "ref": "pkg:npm/%40angular/language-service@13.3.12" } ] }, { "bom-ref": "urn:uuid:39ad77a8-ebe9-5a89-b76f-346509b390e8", "id": "CVE-2026-54268", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-54268 affects version 13.3.12 of @angular/language-service." }, "affects": [ { "ref": "pkg:npm/%40angular/language-service@13.3.12" } ] } ], "dependencies": [ { "ref": "pkg:npm/%40angular/language-service@13.3.12" } ] }