{
  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "serialNumber": "urn:uuid:3696f575-0b59-5e43-bd78-d602a2f7d970",
  "version": 1,
  "metadata": {
    "tools": [
      {
        "name": "tuxcare-vex-generator",
        "version": "1.0.0"
      }
    ]
  },
  "components": [
    {
      "bom-ref": "pkg:npm/%40angular/localize@15.2.6-tuxcare.1",
      "type": "library",
      "name": "@angular/localize",
      "version": "15.2.6-tuxcare.1",
      "purl": "pkg:npm/%40angular/localize@15.2.6-tuxcare.1"
    }
  ],
  "vulnerabilities": [
    {
      "bom-ref": "urn:uuid:f408957b-019b-5f91-9bf1-139a0fd18e1e",
      "id": "CVE-2025-66035",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2025-66035 is fixed in version 15.2.6-tuxcare.1 of @angular/localize."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/localize@15.2.6-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:650ff687-2046-59a9-bc65-484698e7b040",
      "id": "CVE-2025-66412",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2025-66412 affects version 15.2.6-tuxcare.1 of @angular/localize."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/localize@15.2.6-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:152e3c2f-0e15-543c-b82b-d6652a792f16",
      "id": "CVE-2026-22610",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-22610 affects version 15.2.6-tuxcare.1 of @angular/localize."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/localize@15.2.6-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:c2095a3a-c648-51b2-850b-32028b8b8797",
      "id": "CVE-2026-27970",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-27970 affects version 15.2.6-tuxcare.1 of @angular/localize."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/localize@15.2.6-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:5b2aa5b2-b001-5ebb-a96a-d6e82a1bd741",
      "id": "CVE-2026-41423",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2026-41423 does not affect version 15.2.6-tuxcare.1 of @angular/localize. not_affected \u2014 Target version 15.2.6 is NOT affected by CVE-2026-41423. The target uses Node.js legacy url.parse() API which does NOT interpret protocol-relative URLs (//evil.com) as hostname overrides. The vulnerability only exists when using the WHATWG URL API (new URL()) without input preprocessing, which this version does not use. Testing confirms url.parse('//attacker.com') sets hostname to null (not 'at..."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/localize@15.2.6-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:15e4c48d-f0c6-54f5-b6b7-e5060cedae23",
      "id": "CVE-2026-46417",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-46417 affects version 15.2.6-tuxcare.1 of @angular/localize."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/localize@15.2.6-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:e3c03f4b-95fa-5878-9d5c-aacfa910dbdd",
      "id": "CVE-2026-50168",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2026-50168 does not affect version 15.2.6-tuxcare.1 of @angular/localize. not_affected \u2014 CVE-2026-50168 targets a vulnerability in Angular's platform-server allowedHosts validation feature that allows bypassing hostname restrictions via malformed URLs (e.g., evil.com:80:80). The target repository (Angular v15.2.6-tuxcare.1) does not contain the allowedHosts feature (validateAllowedHosts, isHostAllowed functions) that this CVE exploits. Without the allowedHosts validation mechanism,..."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/localize@15.2.6-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:8bb39132-1d01-5ae3-9d65-1462578e63f8",
      "id": "CVE-2026-50169",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-50169 affects version 15.2.6-tuxcare.1 of @angular/localize."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/localize@15.2.6-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:65256efb-63e1-5b81-87da-c456b6be36e3",
      "id": "CVE-2026-50170",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2026-50170 does not affect version 15.2.6-tuxcare.1 of @angular/localize. not_affected \u2014 Angular version 15.2.6-tuxcare.1 does not contain the HttpTransferCache feature that is the subject of CVE-2026-50170. The vulnerable component (packages/common/http/src/transfer_cache.ts) was introduced in Angular v16.0.0-next.7, after the target version. The vulnerability requires automatic HTTP response caching in TransferState during SSR, which does not exist in v15.2.6."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/localize@15.2.6-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:4583d49a-7a61-5008-9b6c-9a9a565f1ec7",
      "id": "CVE-2026-50171",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-50171 affects version 15.2.6-tuxcare.1 of @angular/localize."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/localize@15.2.6-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:3da163b3-a725-5d4a-bd1d-ac8851772754",
      "id": "CVE-2026-50184",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-50184 affects version 15.2.6-tuxcare.1 of @angular/localize."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/localize@15.2.6-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:0c87087d-7449-5053-8453-9fd7da296e6a",
      "id": "CVE-2026-50555",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-50555 affects version 15.2.6-tuxcare.1 of @angular/localize."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/localize@15.2.6-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:3d823ab1-3580-5d5f-8198-02c31a76afe7",
      "id": "CVE-2026-50556",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-50556 affects version 15.2.6-tuxcare.1 of @angular/localize."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/localize@15.2.6-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:4d90a675-e593-5eaa-a5b4-8d91f28dd44c",
      "id": "CVE-2026-50557",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-50557 affects version 15.2.6-tuxcare.1 of @angular/localize."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/localize@15.2.6-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:3587a9a6-dc28-59e7-9edd-91b27237f25a",
      "id": "CVE-2026-52725",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-52725 affects version 15.2.6-tuxcare.1 of @angular/localize."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/localize@15.2.6-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:cf820646-9119-5632-b9f0-47d59cc3d866",
      "id": "CVE-2026-54264",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-54264 affects version 15.2.6-tuxcare.1 of @angular/localize."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/localize@15.2.6-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:43d6209a-69fc-50a1-af0a-54ddd839ac5c",
      "id": "CVE-2026-54265",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2026-54265 does not affect version 15.2.6-tuxcare.1 of @angular/localize. not_affected \u2014 Angular 15.2.6 is not affected by CVE-2026-54265. The vulnerability is specific to the template pipeline architecture introduced in Angular 20+, which does not exist in Angular 15. Angular 15 uses the older render3 compiler that desugars two-way bindings into standard property bindings at parse time, and these property bindings correctly receive sanitizers."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/localize@15.2.6-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:8c9a95b5-e2bd-5986-9bf4-1bb95cedf8e8",
      "id": "CVE-2026-54266",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2026-54266 does not affect version 15.2.6-tuxcare.1 of @angular/localize. not_affected \u2014 Angular 15.2.6-tuxcare.1 is not affected by CVE-2026-54266 because the HttpTransferCache feature, including the vulnerable weak DJB2 hash function, was not introduced until Angular v16.0.0. The target version predates the introduction of this feature entirely."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/localize@15.2.6-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:d6154c9b-eb70-5fd2-9431-8ba4d1e434a8",
      "id": "CVE-2026-54267",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-54267 affects version 15.2.6-tuxcare.1 of @angular/localize."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/localize@15.2.6-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:b71bff85-4cd4-56c6-aa69-1db4ad0e6461",
      "id": "CVE-2026-54268",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-54268 affects version 15.2.6-tuxcare.1 of @angular/localize."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/localize@15.2.6-tuxcare.1"
        }
      ]
    }
  ],
  "dependencies": [
    {
      "ref": "pkg:npm/%40angular/localize@15.2.6-tuxcare.1"
    }
  ]
}