{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:faab89e3-f2e6-56fb-89e9-2df3424632a7", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:npm/%40angular/localize@14.2.12-tuxcare.1", "type": "library", "name": "@angular/localize", "version": "14.2.12-tuxcare.1", "purl": "pkg:npm/%40angular/localize@14.2.12-tuxcare.1" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:985fa605-8951-58a2-bfd1-d3c0d9e2a8e8", "id": "CVE-2025-66035", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-66035 is fixed in version 14.2.12-tuxcare.1 of @angular/localize." }, "affects": [ { "ref": "pkg:npm/%40angular/localize@14.2.12-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:13324e52-aee5-52b4-ab85-02c97acc9bca", "id": "CVE-2025-66412", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-66412 affects version 14.2.12-tuxcare.1 of @angular/localize." }, "affects": [ { "ref": "pkg:npm/%40angular/localize@14.2.12-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:51fbc1d3-3fbe-5f9c-91f7-1e1d7e58a0c3", "id": "CVE-2026-22610", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22610 affects version 14.2.12-tuxcare.1 of @angular/localize." }, "affects": [ { "ref": "pkg:npm/%40angular/localize@14.2.12-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:95a3597c-dad8-5bb4-aaa9-e4ab5d2ccb31", "id": "CVE-2026-27970", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-27970 affects version 14.2.12-tuxcare.1 of @angular/localize." }, "affects": [ { "ref": "pkg:npm/%40angular/localize@14.2.12-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:a43982bf-755e-5399-9b7e-e1b5dfdf8443", "id": "CVE-2026-41423", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41423 affects version 14.2.12-tuxcare.1 of @angular/localize." }, "affects": [ { "ref": "pkg:npm/%40angular/localize@14.2.12-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:1f76ec91-f50b-5588-99ad-12bf7479bc93", "id": "CVE-2026-46417", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-46417 affects version 14.2.12-tuxcare.1 of @angular/localize." }, "affects": [ { "ref": "pkg:npm/%40angular/localize@14.2.12-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:ae828b4a-4037-5dcc-9cbc-926135bdbe33", "id": "CVE-2026-50168", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50168 affects version 14.2.12-tuxcare.1 of @angular/localize." }, "affects": [ { "ref": "pkg:npm/%40angular/localize@14.2.12-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:3c3effb6-03b8-5e0c-88e3-1d54e714ccdd", "id": "CVE-2026-50169", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50169 affects version 14.2.12-tuxcare.1 of @angular/localize." }, "affects": [ { "ref": "pkg:npm/%40angular/localize@14.2.12-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:6dc21c55-9999-53ea-bbd3-6270c3c2286f", "id": "CVE-2026-50170", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-50170 does not affect version 14.2.12-tuxcare.1 of @angular/localize. not_affected \u2014 Angular v14.2.12-tuxcare.1 is not affected by CVE-2026-50170. The HTTP TransferCache feature and client hydration mechanism that contain the vulnerability were introduced in Angular v16+. This version predates that feature introduction and does not have the vulnerable code path." }, "affects": [ { "ref": "pkg:npm/%40angular/localize@14.2.12-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:8d36d165-ada4-5fe7-b7fe-222976461912", "id": "CVE-2026-50171", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50171 affects version 14.2.12-tuxcare.1 of @angular/localize." }, "affects": [ { "ref": "pkg:npm/%40angular/localize@14.2.12-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:1ee1a1af-7d28-58ea-b942-d8e8c3c04ff0", "id": "CVE-2026-50184", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50184 affects version 14.2.12-tuxcare.1 of @angular/localize." }, "affects": [ { "ref": "pkg:npm/%40angular/localize@14.2.12-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:16fe41d6-32c8-52b6-9250-e401a6eafb99", "id": "CVE-2026-50555", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50555 affects version 14.2.12-tuxcare.1 of @angular/localize." }, "affects": [ { "ref": "pkg:npm/%40angular/localize@14.2.12-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:d6c9c265-afe5-559d-8242-354d6ec2b7ac", "id": "CVE-2026-50556", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50556 affects version 14.2.12-tuxcare.1 of @angular/localize." }, "affects": [ { "ref": "pkg:npm/%40angular/localize@14.2.12-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:7e5e2a1c-4994-5297-86ef-d00f7eedad30", "id": "CVE-2026-50557", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50557 affects version 14.2.12-tuxcare.1 of @angular/localize." }, "affects": [ { "ref": "pkg:npm/%40angular/localize@14.2.12-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:3d8d94ba-f374-58c6-9f9b-4e70ba6af88d", "id": "CVE-2026-52725", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-52725 affects version 14.2.12-tuxcare.1 of @angular/localize." }, "affects": [ { "ref": "pkg:npm/%40angular/localize@14.2.12-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:fc4abf48-a5a0-5ade-805d-62d07dec2294", "id": "CVE-2026-54264", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-54264 affects version 14.2.12-tuxcare.1 of @angular/localize." }, "affects": [ { "ref": "pkg:npm/%40angular/localize@14.2.12-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:2ac3d266-14d3-5dfe-9708-b4a7c8dca22b", "id": "CVE-2026-54265", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-54265 does not affect version 14.2.12-tuxcare.1 of @angular/localize. not_affected \u2014 Angular 14.2.12-tuxcare.1 is not affected by CVE-2026-54265. This version uses the pre-pipeline compiler architecture where two-way bindings are desugared into separate property and event bindings, both of which go through proper sanitization. The vulnerability only exists in Angular 17.3.0+ where the template pipeline with TwoWayProperty IR operation was introduced." }, "affects": [ { "ref": "pkg:npm/%40angular/localize@14.2.12-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:4a68f8a4-97ba-5dc7-8b2c-c31c402843e9", "id": "CVE-2026-54266", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-54266 does not affect version 14.2.12-tuxcare.1 of @angular/localize. not_affected \u2014 Angular 14.2.12 is not affected by CVE-2026-54266. The vulnerable HttpTransferCache feature does not exist in this version - it was introduced in Angular v16+. The target has no code path that generates cache keys from HTTP request parameters, and therefore cannot experience cache key collisions." }, "affects": [ { "ref": "pkg:npm/%40angular/localize@14.2.12-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:7d1ed28f-f695-5bdb-bb32-123c52f45f7b", "id": "CVE-2026-54267", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-54267 affects version 14.2.12-tuxcare.1 of @angular/localize." }, "affects": [ { "ref": "pkg:npm/%40angular/localize@14.2.12-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:ca229d90-63f7-546e-8d51-08ac8d2a2c58", "id": "CVE-2026-54268", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-54268 affects version 14.2.12-tuxcare.1 of @angular/localize." }, "affects": [ { "ref": "pkg:npm/%40angular/localize@14.2.12-tuxcare.1" } ] } ], "dependencies": [ { "ref": "pkg:npm/%40angular/localize@14.2.12-tuxcare.1" } ] }