{
  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "serialNumber": "urn:uuid:c099aeec-5ecf-53be-8bdc-c9e4e8854657",
  "version": 1,
  "metadata": {
    "tools": [
      {
        "name": "tuxcare-vex-generator",
        "version": "1.0.0"
      }
    ]
  },
  "components": [
    {
      "bom-ref": "pkg:npm/%40angular/language-service@15.2.9",
      "type": "library",
      "name": "@angular/language-service",
      "version": "15.2.9",
      "purl": "pkg:npm/%40angular/language-service@15.2.9"
    }
  ],
  "vulnerabilities": [
    {
      "bom-ref": "urn:uuid:3afa6e0c-cccb-50d6-8d78-2222590e84cc",
      "id": "CVE-2025-66412",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2025-66412 affects version 15.2.9 of @angular/language-service."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/language-service@15.2.9"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:1ad3d878-4bc1-510a-b7d2-b43dff99a214",
      "id": "CVE-2026-22610",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-22610 affects version 15.2.9 of @angular/language-service."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/language-service@15.2.9"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:c3fda873-519c-5695-b6aa-c0fa07f23100",
      "id": "CVE-2026-27970",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-27970 affects version 15.2.9 of @angular/language-service."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/language-service@15.2.9"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:81017427-ed42-5af7-a72d-156ed9d7fbc2",
      "id": "CVE-2026-41423",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2026-41423 does not affect version 15.2.9 of @angular/language-service. not_affected \u2014 Angular 15.2.9 is not affected by CVE-2026-41423. The SSRF vulnerability via protocol-relative URLs was introduced in Angular 17.0.0 when the codebase switched from Node.js url.parse to WHATWG URL API. Angular 15.2.9 still uses the legacy Node.js url.parse which treats protocol-relative URLs ('//evil.com') as pathnames, not hostname overrides, preventing the SSRF attack vector."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/language-service@15.2.9"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:dc2adeca-e1a1-5122-8311-d6f6a21ad52d",
      "id": "CVE-2026-46417",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-46417 affects version 15.2.9 of @angular/language-service."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/language-service@15.2.9"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:e5cb5ad9-9a69-506e-97b7-d27927bdb674",
      "id": "CVE-2026-50168",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-50168 affects version 15.2.9 of @angular/language-service."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/language-service@15.2.9"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:789039d5-aa22-5e07-8dba-152c024a8b7b",
      "id": "CVE-2026-50169",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-50169 affects version 15.2.9 of @angular/language-service."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/language-service@15.2.9"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:1bf628b5-9a19-5bb4-a612-3665383a2412",
      "id": "CVE-2026-50170",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2026-50170 does not affect version 15.2.9 of @angular/language-service. not_affected \u2014 no evidence captured"
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/language-service@15.2.9"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:0ea803f6-5b19-5087-a3f4-c52b930b989c",
      "id": "CVE-2026-50171",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-50171 affects version 15.2.9 of @angular/language-service."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/language-service@15.2.9"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:af99e020-f70c-5c74-85ca-b099a2f87b77",
      "id": "CVE-2026-50184",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-50184 affects version 15.2.9 of @angular/language-service."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/language-service@15.2.9"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:3c67d1f2-40c5-5046-9bbb-1c7540e28467",
      "id": "CVE-2026-50555",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-50555 affects version 15.2.9 of @angular/language-service."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/language-service@15.2.9"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:87f3830f-3c5b-5aa2-b949-be579c79d4fa",
      "id": "CVE-2026-50556",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-50556 affects version 15.2.9 of @angular/language-service."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/language-service@15.2.9"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:e69ad4bd-41aa-5162-9b32-311a04053527",
      "id": "CVE-2026-50557",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-50557 affects version 15.2.9 of @angular/language-service."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/language-service@15.2.9"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:11e2a3ac-3785-54e2-bc65-0b54f1ac421a",
      "id": "CVE-2026-52725",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-52725 affects version 15.2.9 of @angular/language-service."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/language-service@15.2.9"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:feb0b31a-2f3a-5de4-b6da-990224302cbd",
      "id": "CVE-2026-54264",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-54264 affects version 15.2.9 of @angular/language-service."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/language-service@15.2.9"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:eebee629-e2b0-53b8-89f4-8b08b0749925",
      "id": "CVE-2026-54265",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2026-54265 does not affect version 15.2.9 of @angular/language-service. not_affected \u2014 Angular 15.2.9-tuxcare.1 is not affected by CVE-2026-54265. The vulnerability requires the new Ivy compiler 'pipeline' architecture with the TwoWayProperty IR operation, which was introduced in Angular 16+. Angular 15.2.9 uses the older compiler architecture where two-way bindings are desugared into separate property and event bindings, causing them to automatically receive the same sanitizatio..."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/language-service@15.2.9"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:84ba2853-ed9c-5eaf-a5f9-8e3b730a1d4b",
      "id": "CVE-2026-54266",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2026-54266 does not affect version 15.2.9 of @angular/language-service. not_affected \u2014 Angular 15.2.9 is not affected by CVE-2026-54266. The vulnerable HttpTransferCache feature does not exist in this version - it was introduced in Angular v16+. Without this feature, there is no code that hashes HTTP request properties for cache key generation, so the hash collision vulnerability cannot manifest."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/language-service@15.2.9"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:8f190a00-627a-5b7b-9b1b-a9a6816b54fb",
      "id": "CVE-2026-54267",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-54267 affects version 15.2.9 of @angular/language-service."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/language-service@15.2.9"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:6df67b11-b171-56df-bd8e-05185de30d94",
      "id": "CVE-2026-54268",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-54268 affects version 15.2.9 of @angular/language-service."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/language-service@15.2.9"
        }
      ]
    }
  ],
  "dependencies": [
    {
      "ref": "pkg:npm/%40angular/language-service@15.2.9"
    }
  ]
}