{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:4195d4fe-2318-51b8-9960-b0574426113e", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:npm/%40angular/platform-browser@15.2.9-tuxcare.1", "type": "library", "name": "@angular/platform-browser", "version": "15.2.9-tuxcare.1", "purl": "pkg:npm/%40angular/platform-browser@15.2.9-tuxcare.1" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:53a8bf1e-1215-5869-b8d9-26e9fcaab8d1", "id": "CVE-2025-66035", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-66035 is fixed in version 15.2.9-tuxcare.1 of @angular/platform-browser." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-browser@15.2.9-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:1b4b52d1-8d75-54b8-8d64-e16b7554fe61", "id": "CVE-2025-66412", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-66412 affects version 15.2.9-tuxcare.1 of @angular/platform-browser." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-browser@15.2.9-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:5f752abb-0376-5a36-9dbc-6312befe8eea", "id": "CVE-2026-22610", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22610 affects version 15.2.9-tuxcare.1 of @angular/platform-browser." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-browser@15.2.9-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:a56e75b7-0819-5243-9898-88c4431d9204", "id": "CVE-2026-27970", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-27970 affects version 15.2.9-tuxcare.1 of @angular/platform-browser." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-browser@15.2.9-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:0c52762c-e082-5423-9361-bfa00874cbde", "id": "CVE-2026-41423", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41423 does not affect version 15.2.9-tuxcare.1 of @angular/platform-browser. not_affected \u2014 Angular 15.2.9 is not affected by CVE-2026-41423. The SSRF vulnerability via protocol-relative URLs was introduced in Angular 17.0.0 when the codebase switched from Node.js url.parse to WHATWG URL API. Angular 15.2.9 still uses the legacy Node.js url.parse which treats protocol-relative URLs ('//evil.com') as pathnames, not hostname overrides, preventing the SSRF attack vector." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-browser@15.2.9-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:bb6fc238-6cd8-58a4-b458-34d60384dd65", "id": "CVE-2026-46417", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-46417 affects version 15.2.9-tuxcare.1 of @angular/platform-browser." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-browser@15.2.9-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:10f14894-79fc-5663-a7a9-de4bb6cf13ab", "id": "CVE-2026-50168", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50168 affects version 15.2.9-tuxcare.1 of @angular/platform-browser." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-browser@15.2.9-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:377d17eb-e44c-5621-8c12-e11e83f57c7c", "id": "CVE-2026-50169", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50169 affects version 15.2.9-tuxcare.1 of @angular/platform-browser." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-browser@15.2.9-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:c08e4265-3250-50fb-8ab3-b6910f8a73f0", "id": "CVE-2026-50170", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-50170 does not affect version 15.2.9-tuxcare.1 of @angular/platform-browser. not_affected \u2014 no evidence captured" }, "affects": [ { "ref": "pkg:npm/%40angular/platform-browser@15.2.9-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:18660339-535e-5893-9db5-20dbcd1e9161", "id": "CVE-2026-50171", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50171 affects version 15.2.9-tuxcare.1 of @angular/platform-browser." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-browser@15.2.9-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:adc0fe84-293f-59ac-90a9-5ad912f62a0a", "id": "CVE-2026-50184", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50184 affects version 15.2.9-tuxcare.1 of @angular/platform-browser." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-browser@15.2.9-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:e1e409a0-6588-53ba-a649-e40861459e39", "id": "CVE-2026-50555", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50555 affects version 15.2.9-tuxcare.1 of @angular/platform-browser." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-browser@15.2.9-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:6b326b83-c451-5fc1-b706-b2ae08f05863", "id": "CVE-2026-50556", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50556 affects version 15.2.9-tuxcare.1 of @angular/platform-browser." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-browser@15.2.9-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:eecc981d-76df-546c-96de-1261c4f49f7b", "id": "CVE-2026-50557", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50557 affects version 15.2.9-tuxcare.1 of @angular/platform-browser." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-browser@15.2.9-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:51227fb1-4538-51c1-b14b-34aed90de617", "id": "CVE-2026-52725", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-52725 affects version 15.2.9-tuxcare.1 of @angular/platform-browser." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-browser@15.2.9-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:b74252c4-9263-508c-9341-309f38753e36", "id": "CVE-2026-54264", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-54264 affects version 15.2.9-tuxcare.1 of @angular/platform-browser." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-browser@15.2.9-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:ae23eb9d-f15e-549c-b14d-dcab812e7c40", "id": "CVE-2026-54265", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-54265 does not affect version 15.2.9-tuxcare.1 of @angular/platform-browser. not_affected \u2014 Angular 15.2.9-tuxcare.1 is not affected by CVE-2026-54265. The vulnerability requires the new Ivy compiler 'pipeline' architecture with the TwoWayProperty IR operation, which was introduced in Angular 16+. Angular 15.2.9 uses the older compiler architecture where two-way bindings are desugared into separate property and event bindings, causing them to automatically receive the same sanitizatio..." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-browser@15.2.9-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:4f7349f4-fb7a-5f1f-93f8-554661b6aa37", "id": "CVE-2026-54266", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-54266 does not affect version 15.2.9-tuxcare.1 of @angular/platform-browser. not_affected \u2014 Angular 15.2.9 is not affected by CVE-2026-54266. The vulnerable HttpTransferCache feature does not exist in this version - it was introduced in Angular v16+. Without this feature, there is no code that hashes HTTP request properties for cache key generation, so the hash collision vulnerability cannot manifest." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-browser@15.2.9-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:b6199e1e-64a3-5515-b781-fd850bb651bb", "id": "CVE-2026-54267", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-54267 affects version 15.2.9-tuxcare.1 of @angular/platform-browser." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-browser@15.2.9-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:467081c9-983d-5a8d-aab3-05cc5faa2d29", "id": "CVE-2026-54268", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-54268 affects version 15.2.9-tuxcare.1 of @angular/platform-browser." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-browser@15.2.9-tuxcare.1" } ] } ], "dependencies": [ { "ref": "pkg:npm/%40angular/platform-browser@15.2.9-tuxcare.1" } ] }