{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:3dae3cf6-e697-5817-af67-ca2c7145188b", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:npm/%40angular/platform-browser@8.0.0", "type": "library", "name": "@angular/platform-browser", "version": "8.0.0", "purl": "pkg:npm/%40angular/platform-browser@8.0.0" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:c385841e-15b3-5719-a39f-467f5dda601b", "id": "CVE-2021-4231", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2021-4231 affects version 8.0.0 of @angular/platform-browser." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-browser@8.0.0" } ] }, { "bom-ref": "urn:uuid:fe0fa25b-ca2a-53b0-97a4-e9bf6fc151a4", "id": "CVE-2026-22610", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22610 affects version 8.0.0 of @angular/platform-browser." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-browser@8.0.0" } ] }, { "bom-ref": "urn:uuid:72d977c8-43bf-5399-b6d4-bb835618efc2", "id": "CVE-2026-27970", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-27970 affects version 8.0.0 of @angular/platform-browser." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-browser@8.0.0" } ] }, { "bom-ref": "urn:uuid:0e6d165d-d558-5870-a1f3-7768d87e9059", "id": "CVE-2026-41423", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41423 does not affect version 8.0.0 of @angular/platform-browser. not_affected \u2014 The target Angular 8.0.0 is not affected by CVE-2026-41423. The vulnerability exists only in newer Angular versions (17+) that use the WHATWG URL API. The target uses Node.js url.parse() which does not interpret protocol-relative URLs (//evil.com) as hostname overrides when used without a base URL parameter." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-browser@8.0.0" } ] }, { "bom-ref": "urn:uuid:e098d774-c1be-543a-afa7-0dc5488fa249", "id": "CVE-2026-46417", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-46417 affects version 8.0.0 of @angular/platform-browser." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-browser@8.0.0" } ] }, { "bom-ref": "urn:uuid:8a61aeb6-8aa0-54db-abef-1666b2b8bc25", "id": "CVE-2026-50168", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50168 affects version 8.0.0 of @angular/platform-browser." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-browser@8.0.0" } ] }, { "bom-ref": "urn:uuid:1c9d4b3c-9e4a-5d9a-b070-28f564ea8536", "id": "CVE-2026-50169", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50169 affects version 8.0.0 of @angular/platform-browser." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-browser@8.0.0" } ] }, { "bom-ref": "urn:uuid:82b3862d-fece-554e-9d65-73f73045938f", "id": "CVE-2026-50170", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-50170 does not affect version 8.0.0 of @angular/platform-browser. not_affected \u2014 Angular v8.0.0 is not affected by CVE-2026-50170. The vulnerability requires the HTTP TransferCache feature (automatic caching of HTTP responses during SSR with client hydration), which was introduced in Angular v16+. Version 8.0.0 lacks the vulnerable code path entirely: no transfer_cache.ts, no transferCacheInterceptorFn, no shouldCacheRequest() function, and no automatic HTTP response cachin..." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-browser@8.0.0" } ] }, { "bom-ref": "urn:uuid:57c6d313-9846-5733-9297-99b5e0770b29", "id": "CVE-2026-50171", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50171 affects version 8.0.0 of @angular/platform-browser." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-browser@8.0.0" } ] }, { "bom-ref": "urn:uuid:9619ba72-608f-5e1c-982c-33de2b48a02e", "id": "CVE-2026-50184", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50184 affects version 8.0.0 of @angular/platform-browser." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-browser@8.0.0" } ] }, { "bom-ref": "urn:uuid:798c6539-829b-5852-ac03-fdafb11576c3", "id": "CVE-2026-50555", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50555 affects version 8.0.0 of @angular/platform-browser." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-browser@8.0.0" } ] }, { "bom-ref": "urn:uuid:16aec954-dcdd-53fd-af4b-9a4921077f75", "id": "CVE-2026-50556", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50556 affects version 8.0.0 of @angular/platform-browser." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-browser@8.0.0" } ] }, { "bom-ref": "urn:uuid:124ee602-c7d5-5fbd-8a1a-c7dbcf9b908b", "id": "CVE-2026-50557", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50557 affects version 8.0.0 of @angular/platform-browser." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-browser@8.0.0" } ] }, { "bom-ref": "urn:uuid:0e41cc87-9e67-5e92-84d0-07294693b485", "id": "CVE-2026-52725", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-52725 affects version 8.0.0 of @angular/platform-browser." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-browser@8.0.0" } ] }, { "bom-ref": "urn:uuid:024e7b8f-d78e-51e7-9d26-9d268f4b44af", "id": "CVE-2026-54264", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-54264 does not affect version 8.0.0 of @angular/platform-browser. not_affected \u2014 Target version 8.0.0-tuxcare.2 is NOT AFFECTED by CVE-2026-54264. The Service Worker implementation strips ALL request headers (including Authorization, Proxy-Authorization, and Cookie) when reconstructing network requests for asset fetches. This architectural design prevents sensitive headers from being forwarded to any destination, including cross-origin redirect targets." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-browser@8.0.0" } ] }, { "bom-ref": "urn:uuid:ae99275a-9301-5314-bd1e-211be9bbd5c8", "id": "CVE-2026-54265", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-54265 does not affect version 8.0.0 of @angular/platform-browser. not_affected \u2014 Angular 8.0.0-tuxcare.2 is NOT affected by CVE-2026-54265. This vulnerability is specific to the Ivy template compiler pipeline introduced in Angular 9+. Angular 8.0.0 uses View Engine, which desugars two-way bindings through the same parsePropertyBinding() code path as one-way bindings, inherently applying schema-derived sanitization. The vulnerable TwoWayProperty operation and resolve_sanitiz..." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-browser@8.0.0" } ] }, { "bom-ref": "urn:uuid:f123ff3d-0c0a-58ca-aac5-247c8d74d06b", "id": "CVE-2026-54266", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-54266 does not affect version 8.0.0 of @angular/platform-browser. not_affected \u2014 Angular 8.0.0 does not contain the vulnerable HttpTransferCache feature. The CVE-2026-54266 vulnerability affects HttpTransferCache, which was introduced in Angular 9+. While this version has the underlying TransferState mechanism, it lacks the automatic HTTP request caching feature with the vulnerable DJB2 hash-based cache key generation." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-browser@8.0.0" } ] }, { "bom-ref": "urn:uuid:fb1dacce-c4af-533a-93a6-fa04ab205f6f", "id": "CVE-2026-54267", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-54267 affects version 8.0.0 of @angular/platform-browser." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-browser@8.0.0" } ] }, { "bom-ref": "urn:uuid:cefedddd-fe68-5018-a5b1-06b6d470aba0", "id": "CVE-2026-54268", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-54268 affects version 8.0.0 of @angular/platform-browser." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-browser@8.0.0" } ] } ], "dependencies": [ { "ref": "pkg:npm/%40angular/platform-browser@8.0.0" } ] }