{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:6dc2c391-7a34-55c8-b820-fc7db1678f84", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:npm/%40angular/platform-server@13.3.0", "type": "library", "name": "@angular/platform-server", "version": "13.3.0", "purl": "pkg:npm/%40angular/platform-server@13.3.0" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:0d3d1fb7-4d39-58ad-a2f1-10c3b1479acd", "id": "CVE-2025-66412", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-66412 affects version 13.3.0 of @angular/platform-server." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-server@13.3.0" } ] }, { "bom-ref": "urn:uuid:a52b4ca2-50e5-50b6-8480-a93ca17738f4", "id": "CVE-2026-22610", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22610 affects version 13.3.0 of @angular/platform-server." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-server@13.3.0" } ] }, { "bom-ref": "urn:uuid:6f011aa5-8758-5798-be95-aa2a565bc7e7", "id": "CVE-2026-27970", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-27970 affects version 13.3.0 of @angular/platform-server." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-server@13.3.0" } ] }, { "bom-ref": "urn:uuid:2983ea6a-07b6-5c14-b612-1cffef794d50", "id": "CVE-2026-41423", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41423 does not affect version 13.3.0 of @angular/platform-server. not_affected \u2014 The target repository (Angular 13.3.0-tuxcare.1) is NOT AFFECTED by CVE-2026-41423. While the target lacks the explicit sanitization that the upstream patch adds, it uses a fundamentally different URL parsing mechanism (Node's url.parse() without base URL) that does not extract hostnames from protocol-relative URLs. The architectural difference prevents the SSRF attack vector from succeeding." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-server@13.3.0" } ] }, { "bom-ref": "urn:uuid:298b99c5-ebe4-571f-bab1-5e77983c9d09", "id": "CVE-2026-46417", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-46417 affects version 13.3.0 of @angular/platform-server." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-server@13.3.0" } ] }, { "bom-ref": "urn:uuid:5fd1f548-9496-551a-bf2f-80568e4605f8", "id": "CVE-2026-50168", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50168 affects version 13.3.0 of @angular/platform-server." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-server@13.3.0" } ] }, { "bom-ref": "urn:uuid:e613f2ac-9c0d-5be5-9ea4-569736704d6b", "id": "CVE-2026-50169", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50169 affects version 13.3.0 of @angular/platform-server." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-server@13.3.0" } ] }, { "bom-ref": "urn:uuid:035c4750-1c88-5d26-86a0-03f452d97e67", "id": "CVE-2026-50170", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-50170 does not affect version 13.3.0 of @angular/platform-server. not_affected \u2014 Angular v13.3.0 is not affected by CVE-2026-50170. The vulnerable component (HttpTransferCache) does not exist in this version. The HttpTransferCache feature and automatic HTTP response caching during SSR were introduced in Angular v16+, while this target is v13.3.0-tuxcare.1." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-server@13.3.0" } ] }, { "bom-ref": "urn:uuid:63b8a522-1318-5266-8b05-42a8712a178f", "id": "CVE-2026-50171", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50171 affects version 13.3.0 of @angular/platform-server." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-server@13.3.0" } ] }, { "bom-ref": "urn:uuid:37ceb702-0959-5681-aceb-0d997af1adb0", "id": "CVE-2026-50184", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50184 affects version 13.3.0 of @angular/platform-server." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-server@13.3.0" } ] }, { "bom-ref": "urn:uuid:a7377bce-9612-5236-960e-f930e900c296", "id": "CVE-2026-50555", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50555 affects version 13.3.0 of @angular/platform-server." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-server@13.3.0" } ] }, { "bom-ref": "urn:uuid:3c4fa0dc-b4e6-50ed-8bcd-d9178becb955", "id": "CVE-2026-50556", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50556 affects version 13.3.0 of @angular/platform-server." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-server@13.3.0" } ] }, { "bom-ref": "urn:uuid:09a5c7c1-3f14-59e9-b0e9-01c8762a02f1", "id": "CVE-2026-50557", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50557 affects version 13.3.0 of @angular/platform-server." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-server@13.3.0" } ] }, { "bom-ref": "urn:uuid:99ffdf88-1245-56f0-88c5-7491c5c235b8", "id": "CVE-2026-52725", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-52725 affects version 13.3.0 of @angular/platform-server." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-server@13.3.0" } ] }, { "bom-ref": "urn:uuid:ff7f49d7-4c5a-5b88-9d33-990593962323", "id": "CVE-2026-54264", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-54264 does not affect version 13.3.0 of @angular/platform-server. not_affected \u2014 Angular 13.3.0 is not affected by CVE-2026-54264. The vulnerable method newRequestWithMetadata() does not exist in this version. The AssetGroup class creates new requests with only URLs when fetching assets, never preserving headers. On cross-origin redirects, the code creates a completely new request with no headers, preventing sensitive credential leakage." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-server@13.3.0" } ] }, { "bom-ref": "urn:uuid:95893f14-7fce-5b5d-be12-1f487bfcd680", "id": "CVE-2026-54265", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-54265 does not affect version 13.3.0 of @angular/platform-server. not_affected \u2014 Angular 13.3.0 is not affected by CVE-2026-54265. The vulnerability is specific to Angular's template/pipeline architecture (introduced in v14+) where TwoWayProperty operations bypass sanitizer resolution. Angular 13.3.0 uses an earlier Ivy architecture without the template/pipeline system, where two-way bindings desugar through the same parsePropertyBinding() function as one-way bindings, rece..." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-server@13.3.0" } ] }, { "bom-ref": "urn:uuid:f95679c0-bcdb-5c56-a782-15df8fe383b5", "id": "CVE-2026-54266", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-54266 does not affect version 13.3.0 of @angular/platform-server. not_affected \u2014 Angular 13.3.0 is not affected by CVE-2026-54266. The vulnerable HttpTransferCache feature with weak DJB2 hash-based cache key generation does not exist in this version. HttpTransferCache was introduced in Angular v16+, and version 13.3.0 predates this feature." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-server@13.3.0" } ] }, { "bom-ref": "urn:uuid:57fdf38a-45b7-5ba0-89d7-5fb5c889c6d4", "id": "CVE-2026-54267", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-54267 affects version 13.3.0 of @angular/platform-server." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-server@13.3.0" } ] }, { "bom-ref": "urn:uuid:447048bb-11e2-5af1-aae2-f51937a52b26", "id": "CVE-2026-54268", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-54268 affects version 13.3.0 of @angular/platform-server." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-server@13.3.0" } ] } ], "dependencies": [ { "ref": "pkg:npm/%40angular/platform-server@13.3.0" } ] }