{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:555a767e-c6a3-509b-80cf-b766202e056d", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:npm/%40angular/platform-server@15.0.3", "type": "library", "name": "@angular/platform-server", "version": "15.0.3", "purl": "pkg:npm/%40angular/platform-server@15.0.3" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:fb085828-ca5e-5689-a81d-bee165655709", "id": "CVE-2025-66412", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-66412 affects version 15.0.3 of @angular/platform-server." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-server@15.0.3" } ] }, { "bom-ref": "urn:uuid:d5a0a685-c475-5aad-a3bd-8bf9c6114ca4", "id": "CVE-2026-22610", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22610 affects version 15.0.3 of @angular/platform-server." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-server@15.0.3" } ] }, { "bom-ref": "urn:uuid:0b7d0e0f-6326-5952-aa48-e7cf2594a6f4", "id": "CVE-2026-27970", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-27970 affects version 15.0.3 of @angular/platform-server." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-server@15.0.3" } ] }, { "bom-ref": "urn:uuid:3e59bc1b-f599-58e3-851b-54ce6a6e37fa", "id": "CVE-2026-41423", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41423 affects version 15.0.3 of @angular/platform-server." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-server@15.0.3" } ] }, { "bom-ref": "urn:uuid:10cbc7b0-23c5-598c-adf4-ba231c93543e", "id": "CVE-2026-46417", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-46417 affects version 15.0.3 of @angular/platform-server." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-server@15.0.3" } ] }, { "bom-ref": "urn:uuid:f95157a0-2fdd-5147-b6c1-18458dac3e30", "id": "CVE-2026-50168", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50168 affects version 15.0.3 of @angular/platform-server." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-server@15.0.3" } ] }, { "bom-ref": "urn:uuid:daf6ba15-ed59-59a7-91fc-1be522fb4934", "id": "CVE-2026-50169", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50169 affects version 15.0.3 of @angular/platform-server." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-server@15.0.3" } ] }, { "bom-ref": "urn:uuid:53eea60e-602b-525b-900e-03b4f0fcacfb", "id": "CVE-2026-50170", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-50170 does not affect version 15.0.3 of @angular/platform-server. not_affected \u2014 Angular 15.0.3-tuxcare.1 is NOT affected by CVE-2026-50170. The HTTP TransferCache feature that is vulnerable in later Angular versions (v16+) does not exist in this version. The vulnerable code (transfer_cache.ts, hasAuthHeaders(), shouldCacheRequest(), withHttpTransferCache, provideClientHydration) is absent from Angular 15.0.3." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-server@15.0.3" } ] }, { "bom-ref": "urn:uuid:fc427469-0b39-59e0-8374-d6536f3d7d95", "id": "CVE-2026-50171", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50171 affects version 15.0.3 of @angular/platform-server." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-server@15.0.3" } ] }, { "bom-ref": "urn:uuid:d632e9e4-16ea-5735-a0e4-7078ddb430c8", "id": "CVE-2026-50184", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50184 affects version 15.0.3 of @angular/platform-server." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-server@15.0.3" } ] }, { "bom-ref": "urn:uuid:f92e35af-86b4-567f-85fe-b9ef7fdbca91", "id": "CVE-2026-50555", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50555 affects version 15.0.3 of @angular/platform-server." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-server@15.0.3" } ] }, { "bom-ref": "urn:uuid:fd90c62f-7634-50ce-8ed9-ad1ced10d132", "id": "CVE-2026-50556", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50556 affects version 15.0.3 of @angular/platform-server." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-server@15.0.3" } ] }, { "bom-ref": "urn:uuid:9d1559fd-fef2-5e39-b168-5210f9f02aea", "id": "CVE-2026-50557", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50557 affects version 15.0.3 of @angular/platform-server." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-server@15.0.3" } ] }, { "bom-ref": "urn:uuid:fef9ce9c-011b-5a34-bcd9-9c300811c347", "id": "CVE-2026-52725", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-52725 affects version 15.0.3 of @angular/platform-server." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-server@15.0.3" } ] }, { "bom-ref": "urn:uuid:6117ee48-75ef-584d-9ad6-16385f7a049a", "id": "CVE-2026-54264", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-54264 affects version 15.0.3 of @angular/platform-server." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-server@15.0.3" } ] }, { "bom-ref": "urn:uuid:9bcabca2-ff60-54ba-8506-5df3b32b4424", "id": "CVE-2026-54265", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-54265 does not affect version 15.0.3 of @angular/platform-server. not_affected \u2014 Angular 15.0.3 is NOT AFFECTED by CVE-2026-54265. This version uses a different compiler architecture where two-way bindings desugar through the same code path as one-way bindings, both receiving identical security context resolution and sanitizer assignment. The vulnerable code (Ivy template pipeline with separate TwoWayProperty operation type) does not exist in this version." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-server@15.0.3" } ] }, { "bom-ref": "urn:uuid:b5a56380-bec8-5d96-9995-f09694e7ec93", "id": "CVE-2026-54266", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-54266 does not affect version 15.0.3 of @angular/platform-server. not_affected \u2014 Angular v15.0.3-tuxcare.1 is NOT affected by CVE-2026-54266. The vulnerable HttpTransferCache feature with weak DJB2 hash-based cache keys does not exist in this version. This feature was introduced in Angular v16+. The target has no code path from HTTP request handling to the vulnerability's cache poisoning goal." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-server@15.0.3" } ] }, { "bom-ref": "urn:uuid:61d8c426-246b-5bb1-92c3-3dfece8a5ccf", "id": "CVE-2026-54267", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-54267 affects version 15.0.3 of @angular/platform-server." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-server@15.0.3" } ] }, { "bom-ref": "urn:uuid:8dd33774-f780-57e5-8eaa-b98139123320", "id": "CVE-2026-54268", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-54268 affects version 15.0.3 of @angular/platform-server." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-server@15.0.3" } ] } ], "dependencies": [ { "ref": "pkg:npm/%40angular/platform-server@15.0.3" } ] }