{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:38b0fcfa-b0d0-5726-8b44-1f5e0260dfe1", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:npm/%40angular/platform-browser@13.3.12", "type": "library", "name": "@angular/platform-browser", "version": "13.3.12", "purl": "pkg:npm/%40angular/platform-browser@13.3.12" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:857b0ac3-048a-5342-9210-da893d68efbb", "id": "CVE-2025-66412", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-66412 affects version 13.3.12 of @angular/platform-browser." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-browser@13.3.12" } ] }, { "bom-ref": "urn:uuid:22a3f32d-590e-536f-89f5-c8c8acc89cd0", "id": "CVE-2026-22610", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22610 affects version 13.3.12 of @angular/platform-browser." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-browser@13.3.12" } ] }, { "bom-ref": "urn:uuid:344d052f-ebb8-53d0-8b2d-016cf80e401e", "id": "CVE-2026-27970", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-27970 affects version 13.3.12 of @angular/platform-browser." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-browser@13.3.12" } ] }, { "bom-ref": "urn:uuid:758db853-61eb-5715-acf3-5a08a2cd2cfb", "id": "CVE-2026-41423", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41423 affects version 13.3.12 of @angular/platform-browser." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-browser@13.3.12" } ] }, { "bom-ref": "urn:uuid:71c8ac7a-cb1a-5235-8a85-72f551f619e4", "id": "CVE-2026-46417", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-46417 affects version 13.3.12 of @angular/platform-browser." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-browser@13.3.12" } ] }, { "bom-ref": "urn:uuid:899c7edf-2415-500f-bf95-553d2b7df3bf", "id": "CVE-2026-50168", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50168 affects version 13.3.12 of @angular/platform-browser." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-browser@13.3.12" } ] }, { "bom-ref": "urn:uuid:daa9bd82-cca0-5013-888c-02db40a31ad8", "id": "CVE-2026-50169", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50169 affects version 13.3.12 of @angular/platform-browser." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-browser@13.3.12" } ] }, { "bom-ref": "urn:uuid:43620352-e7f2-5268-ac3b-3045db390e92", "id": "CVE-2026-50170", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-50170 does not affect version 13.3.12 of @angular/platform-browser. not_affected \u2014 Angular v13.3.12 is NOT AFFECTED by CVE-2026-50170. The HttpTransferCache feature that contains the vulnerability was introduced in Angular v16.0.0 (March 2023) and does not exist in this earlier version." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-browser@13.3.12" } ] }, { "bom-ref": "urn:uuid:4b07bcb5-9b9b-56aa-93ae-099b3be0de72", "id": "CVE-2026-50171", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50171 affects version 13.3.12 of @angular/platform-browser." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-browser@13.3.12" } ] }, { "bom-ref": "urn:uuid:01e40e25-b15c-5abd-af49-5f7269f44b47", "id": "CVE-2026-50184", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50184 affects version 13.3.12 of @angular/platform-browser." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-browser@13.3.12" } ] }, { "bom-ref": "urn:uuid:7a8d230e-664d-5b86-8fd1-6ffe3b7dd20c", "id": "CVE-2026-50555", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50555 affects version 13.3.12 of @angular/platform-browser." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-browser@13.3.12" } ] }, { "bom-ref": "urn:uuid:ab7f3757-678d-5538-bacc-9c4ced2bd826", "id": "CVE-2026-50556", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50556 affects version 13.3.12 of @angular/platform-browser." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-browser@13.3.12" } ] }, { "bom-ref": "urn:uuid:68e11178-bf86-52b3-87ec-f0679829c1f0", "id": "CVE-2026-50557", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50557 affects version 13.3.12 of @angular/platform-browser." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-browser@13.3.12" } ] }, { "bom-ref": "urn:uuid:7cd876f7-73e7-52f8-9d8a-59d76c41d150", "id": "CVE-2026-52725", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-52725 affects version 13.3.12 of @angular/platform-browser." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-browser@13.3.12" } ] }, { "bom-ref": "urn:uuid:eea89c93-d889-53a9-ba6c-2cf402b6b9f0", "id": "CVE-2026-54264", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-54264 does not affect version 13.3.12 of @angular/platform-browser. not_affected \u2014 Version 13.3.12 does not have the vulnerable code pattern. The vulnerability exists in versions 20.x+ where the Service Worker's newRequestWithMetadata function preserves request headers but fails to strip sensitive headers on cross-origin redirects. Version 13.3.12 lacks this function entirely and creates fresh requests with URL-only when handling redirects, preventing header leakage." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-browser@13.3.12" } ] }, { "bom-ref": "urn:uuid:f6e64d1e-fc5c-590c-8d0a-31bdd70f55c0", "id": "CVE-2026-54265", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-54265 does not affect version 13.3.12 of @angular/platform-browser. not_affected \u2014 Angular v13.3.12-tuxcare.1 is not affected by CVE-2026-54265. The vulnerability is specific to the Ivy template pipeline architecture (TwoWayProperty operation) introduced in Angular v17+. This version uses an older Ivy architecture where two-way bindings desugar through the same sanitized property binding path as one-way bindings, preventing the sanitization bypass." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-browser@13.3.12" } ] }, { "bom-ref": "urn:uuid:1ea20afe-247c-5212-a544-dc26b66be4cb", "id": "CVE-2026-54266", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-54266 does not affect version 13.3.12 of @angular/platform-browser. not_affected \u2014 Angular v13.3.12 is NOT AFFECTED by CVE-2026-54266. The vulnerable HttpTransferCache feature with weak DJB2 hash-based cache key generation was introduced in Angular v16.0.0-next.7 (March 2023), which is 3+ major versions newer than this target version. Exhaustive code analysis confirms the transfer_cache.ts module, HttpTransferCache class, generateHash function, and all related cache key gener..." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-browser@13.3.12" } ] }, { "bom-ref": "urn:uuid:ab690e97-fdf8-560e-a6f5-79d44ba8f3db", "id": "CVE-2026-54267", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-54267 affects version 13.3.12 of @angular/platform-browser." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-browser@13.3.12" } ] }, { "bom-ref": "urn:uuid:c2e1b048-24dd-5efe-ab64-d50bbc501526", "id": "CVE-2026-54268", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-54268 affects version 13.3.12 of @angular/platform-browser." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-browser@13.3.12" } ] } ], "dependencies": [ { "ref": "pkg:npm/%40angular/platform-browser@13.3.12" } ] }