{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:3cd0de4f-00de-584e-96ec-9eafa1462c72", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:npm/%40angular/platform-browser-dynamic@15.2.9", "type": "library", "name": "@angular/platform-browser-dynamic", "version": "15.2.9", "purl": "pkg:npm/%40angular/platform-browser-dynamic@15.2.9" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:278c8bc3-6616-556c-b2a6-4b2c35dc7bdd", "id": "CVE-2025-66412", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-66412 affects version 15.2.9 of @angular/platform-browser-dynamic." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-browser-dynamic@15.2.9" } ] }, { "bom-ref": "urn:uuid:26e68c71-c785-5fdc-98be-aba72826d340", "id": "CVE-2026-22610", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22610 affects version 15.2.9 of @angular/platform-browser-dynamic." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-browser-dynamic@15.2.9" } ] }, { "bom-ref": "urn:uuid:0d8feac2-9ade-5f41-888f-ecaec99fb52d", "id": "CVE-2026-27970", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-27970 affects version 15.2.9 of @angular/platform-browser-dynamic." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-browser-dynamic@15.2.9" } ] }, { "bom-ref": "urn:uuid:08093b59-1eac-5b3b-a9ab-3cceea9869d9", "id": "CVE-2026-41423", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41423 does not affect version 15.2.9 of @angular/platform-browser-dynamic. not_affected \u2014 Angular 15.2.9 is not affected by CVE-2026-41423. The SSRF vulnerability via protocol-relative URLs was introduced in Angular 17.0.0 when the codebase switched from Node.js url.parse to WHATWG URL API. Angular 15.2.9 still uses the legacy Node.js url.parse which treats protocol-relative URLs ('//evil.com') as pathnames, not hostname overrides, preventing the SSRF attack vector." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-browser-dynamic@15.2.9" } ] }, { "bom-ref": "urn:uuid:bbf392d5-708b-52d0-81f9-4aaba5cd1549", "id": "CVE-2026-46417", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-46417 affects version 15.2.9 of @angular/platform-browser-dynamic." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-browser-dynamic@15.2.9" } ] }, { "bom-ref": "urn:uuid:35c40805-de8a-5062-b134-61223378c659", "id": "CVE-2026-50168", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50168 affects version 15.2.9 of @angular/platform-browser-dynamic." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-browser-dynamic@15.2.9" } ] }, { "bom-ref": "urn:uuid:743f9bdf-96c2-5457-882e-fe056d9adf19", "id": "CVE-2026-50169", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50169 affects version 15.2.9 of @angular/platform-browser-dynamic." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-browser-dynamic@15.2.9" } ] }, { "bom-ref": "urn:uuid:2f3653d6-0e0d-5d06-b4b0-07227c2fdb81", "id": "CVE-2026-50170", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-50170 does not affect version 15.2.9 of @angular/platform-browser-dynamic. not_affected \u2014 no evidence captured" }, "affects": [ { "ref": "pkg:npm/%40angular/platform-browser-dynamic@15.2.9" } ] }, { "bom-ref": "urn:uuid:4c88e467-1759-5b3b-aa31-bdcde3b886ee", "id": "CVE-2026-50171", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50171 affects version 15.2.9 of @angular/platform-browser-dynamic." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-browser-dynamic@15.2.9" } ] }, { "bom-ref": "urn:uuid:122a80fb-f177-5ab8-a6a2-78b5ae6cd04d", "id": "CVE-2026-50184", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50184 affects version 15.2.9 of @angular/platform-browser-dynamic." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-browser-dynamic@15.2.9" } ] }, { "bom-ref": "urn:uuid:8510ac63-1c32-5008-857d-c9148cc6148b", "id": "CVE-2026-50555", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50555 affects version 15.2.9 of @angular/platform-browser-dynamic." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-browser-dynamic@15.2.9" } ] }, { "bom-ref": "urn:uuid:52594fc6-3e53-5329-bd1d-23e0d0c2eb7d", "id": "CVE-2026-50556", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50556 affects version 15.2.9 of @angular/platform-browser-dynamic." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-browser-dynamic@15.2.9" } ] }, { "bom-ref": "urn:uuid:38e28bc1-d869-5c51-8e98-7f6dc8de00df", "id": "CVE-2026-50557", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50557 affects version 15.2.9 of @angular/platform-browser-dynamic." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-browser-dynamic@15.2.9" } ] }, { "bom-ref": "urn:uuid:0997d3ff-cd65-542f-b444-60e6223fdda8", "id": "CVE-2026-52725", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-52725 affects version 15.2.9 of @angular/platform-browser-dynamic." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-browser-dynamic@15.2.9" } ] }, { "bom-ref": "urn:uuid:27948809-482d-521c-89a1-5b78c7321745", "id": "CVE-2026-54264", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-54264 affects version 15.2.9 of @angular/platform-browser-dynamic." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-browser-dynamic@15.2.9" } ] }, { "bom-ref": "urn:uuid:0fddd76e-063d-511a-bf50-c942b4f6be1f", "id": "CVE-2026-54265", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-54265 does not affect version 15.2.9 of @angular/platform-browser-dynamic. not_affected \u2014 Angular 15.2.9-tuxcare.1 is not affected by CVE-2026-54265. The vulnerability requires the new Ivy compiler 'pipeline' architecture with the TwoWayProperty IR operation, which was introduced in Angular 16+. Angular 15.2.9 uses the older compiler architecture where two-way bindings are desugared into separate property and event bindings, causing them to automatically receive the same sanitizatio..." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-browser-dynamic@15.2.9" } ] }, { "bom-ref": "urn:uuid:7e88cf2a-8bd9-58fe-97ff-13625b70de61", "id": "CVE-2026-54266", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-54266 does not affect version 15.2.9 of @angular/platform-browser-dynamic. not_affected \u2014 Angular 15.2.9 is not affected by CVE-2026-54266. The vulnerable HttpTransferCache feature does not exist in this version - it was introduced in Angular v16+. Without this feature, there is no code that hashes HTTP request properties for cache key generation, so the hash collision vulnerability cannot manifest." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-browser-dynamic@15.2.9" } ] }, { "bom-ref": "urn:uuid:ab1e38e2-41a7-584b-87c3-a72042cd9f2a", "id": "CVE-2026-54267", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-54267 affects version 15.2.9 of @angular/platform-browser-dynamic." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-browser-dynamic@15.2.9" } ] }, { "bom-ref": "urn:uuid:ed9c92f9-902d-5b4b-a5f4-5d8bcf7fb948", "id": "CVE-2026-54268", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-54268 affects version 15.2.9 of @angular/platform-browser-dynamic." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-browser-dynamic@15.2.9" } ] } ], "dependencies": [ { "ref": "pkg:npm/%40angular/platform-browser-dynamic@15.2.9" } ] }