{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:344e4955-c2d7-56be-aa20-dc1a779f3e46", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:npm/%40angular/platform-browser@15.2.6-tuxcare.1", "type": "library", "name": "@angular/platform-browser", "version": "15.2.6-tuxcare.1", "purl": "pkg:npm/%40angular/platform-browser@15.2.6-tuxcare.1" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:ef06074c-afa3-5a62-a07c-a5f308ed26e2", "id": "CVE-2025-66035", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-66035 is fixed in version 15.2.6-tuxcare.1 of @angular/platform-browser." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-browser@15.2.6-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:8a2425e7-640e-5414-a013-6d0a0364f92a", "id": "CVE-2025-66412", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-66412 affects version 15.2.6-tuxcare.1 of @angular/platform-browser." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-browser@15.2.6-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:75fa799d-ef87-5534-8c9e-c26d234cec30", "id": "CVE-2026-22610", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22610 affects version 15.2.6-tuxcare.1 of @angular/platform-browser." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-browser@15.2.6-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:fbff2b43-9d97-5cab-a4fa-e38cc47088e9", "id": "CVE-2026-27970", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-27970 affects version 15.2.6-tuxcare.1 of @angular/platform-browser." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-browser@15.2.6-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:418e657c-a05a-5b09-a393-a4e02b3796ee", "id": "CVE-2026-41423", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41423 does not affect version 15.2.6-tuxcare.1 of @angular/platform-browser. not_affected \u2014 Target version 15.2.6 is NOT affected by CVE-2026-41423. The target uses Node.js legacy url.parse() API which does NOT interpret protocol-relative URLs (//evil.com) as hostname overrides. The vulnerability only exists when using the WHATWG URL API (new URL()) without input preprocessing, which this version does not use. Testing confirms url.parse('//attacker.com') sets hostname to null (not 'at..." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-browser@15.2.6-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:324033a1-a70d-561a-9a19-728c4e558730", "id": "CVE-2026-46417", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-46417 affects version 15.2.6-tuxcare.1 of @angular/platform-browser." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-browser@15.2.6-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:dfc650b2-da44-5d28-a645-7efc93868a9b", "id": "CVE-2026-50168", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-50168 does not affect version 15.2.6-tuxcare.1 of @angular/platform-browser. not_affected \u2014 CVE-2026-50168 targets a vulnerability in Angular's platform-server allowedHosts validation feature that allows bypassing hostname restrictions via malformed URLs (e.g., evil.com:80:80). The target repository (Angular v15.2.6-tuxcare.1) does not contain the allowedHosts feature (validateAllowedHosts, isHostAllowed functions) that this CVE exploits. Without the allowedHosts validation mechanism,..." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-browser@15.2.6-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:9c0e537b-f656-5bb7-97a6-5fc574be171e", "id": "CVE-2026-50169", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50169 affects version 15.2.6-tuxcare.1 of @angular/platform-browser." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-browser@15.2.6-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:2c305c88-f8a3-5719-85d1-f0a711b1a260", "id": "CVE-2026-50170", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-50170 does not affect version 15.2.6-tuxcare.1 of @angular/platform-browser. not_affected \u2014 Angular version 15.2.6-tuxcare.1 does not contain the HttpTransferCache feature that is the subject of CVE-2026-50170. The vulnerable component (packages/common/http/src/transfer_cache.ts) was introduced in Angular v16.0.0-next.7, after the target version. The vulnerability requires automatic HTTP response caching in TransferState during SSR, which does not exist in v15.2.6." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-browser@15.2.6-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:bab45e4e-8dca-58ca-837f-80c84043fb3f", "id": "CVE-2026-50171", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50171 affects version 15.2.6-tuxcare.1 of @angular/platform-browser." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-browser@15.2.6-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:8a9ae7c8-6b1f-5273-be6b-096305452829", "id": "CVE-2026-50184", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50184 affects version 15.2.6-tuxcare.1 of @angular/platform-browser." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-browser@15.2.6-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:2343cf32-f0a8-54b9-b7ff-cb2d3f3ee3af", "id": "CVE-2026-50555", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50555 affects version 15.2.6-tuxcare.1 of @angular/platform-browser." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-browser@15.2.6-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:d59dcc6f-ae8a-5079-bf72-73b069806da0", "id": "CVE-2026-50556", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50556 affects version 15.2.6-tuxcare.1 of @angular/platform-browser." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-browser@15.2.6-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:1f580c7b-ad59-55e9-8581-4774405f6cd1", "id": "CVE-2026-50557", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50557 affects version 15.2.6-tuxcare.1 of @angular/platform-browser." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-browser@15.2.6-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:0914be2c-2e86-5b0e-aa23-f45b981d4ca1", "id": "CVE-2026-52725", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-52725 affects version 15.2.6-tuxcare.1 of @angular/platform-browser." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-browser@15.2.6-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:955ef3e4-5eac-5db2-91cf-31389b5b9f9f", "id": "CVE-2026-54264", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-54264 affects version 15.2.6-tuxcare.1 of @angular/platform-browser." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-browser@15.2.6-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:4ddede11-3a4c-5b8d-a5e1-79bfdb45c6ff", "id": "CVE-2026-54265", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-54265 does not affect version 15.2.6-tuxcare.1 of @angular/platform-browser. not_affected \u2014 Angular 15.2.6 is not affected by CVE-2026-54265. The vulnerability is specific to the template pipeline architecture introduced in Angular 20+, which does not exist in Angular 15. Angular 15 uses the older render3 compiler that desugars two-way bindings into standard property bindings at parse time, and these property bindings correctly receive sanitizers." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-browser@15.2.6-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:2524d4a7-a3a1-5cab-b67d-e2b2f1a349f2", "id": "CVE-2026-54266", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-54266 does not affect version 15.2.6-tuxcare.1 of @angular/platform-browser. not_affected \u2014 Angular 15.2.6-tuxcare.1 is not affected by CVE-2026-54266 because the HttpTransferCache feature, including the vulnerable weak DJB2 hash function, was not introduced until Angular v16.0.0. The target version predates the introduction of this feature entirely." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-browser@15.2.6-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:0da9da3d-0326-5e8f-91fd-c9e3c8642188", "id": "CVE-2026-54267", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-54267 affects version 15.2.6-tuxcare.1 of @angular/platform-browser." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-browser@15.2.6-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:9bffc001-4153-522c-b6d0-fca1e69ef412", "id": "CVE-2026-54268", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-54268 affects version 15.2.6-tuxcare.1 of @angular/platform-browser." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-browser@15.2.6-tuxcare.1" } ] } ], "dependencies": [ { "ref": "pkg:npm/%40angular/platform-browser@15.2.6-tuxcare.1" } ] }