{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:b3121510-b90a-506c-a79c-810a80d084d8", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:npm/%40angular/platform-server@7.2.11-tuxcare.1", "type": "library", "name": "@angular/platform-server", "version": "7.2.11-tuxcare.1", "purl": "pkg:npm/%40angular/platform-server@7.2.11-tuxcare.1" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:02b35cc1-2c6f-5edb-8b5d-560c6f02a62a", "id": "CVE-2021-4231", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2021-4231 affects version 7.2.11-tuxcare.1 of @angular/platform-server." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-server@7.2.11-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:e620bdd5-d09d-59b7-afd0-e6fbc11b6b8b", "id": "CVE-2025-66035", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-66035 is fixed in version 7.2.11-tuxcare.1 of @angular/platform-server." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-server@7.2.11-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:75d5384a-ae2f-534f-93d8-e66691f02fc8", "id": "CVE-2025-66412", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-66412 is fixed in version 7.2.11-tuxcare.1 of @angular/platform-server." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-server@7.2.11-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:3c300b5c-f32d-5824-b67e-452cdda603e6", "id": "CVE-2026-22610", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22610 affects version 7.2.11-tuxcare.1 of @angular/platform-server." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-server@7.2.11-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:85b05011-b40d-5409-bcf7-b81df4ed1930", "id": "CVE-2026-27970", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-27970 affects version 7.2.11-tuxcare.1 of @angular/platform-server." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-server@7.2.11-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:908c3f44-70b0-5412-bb26-18d2731e3c65", "id": "CVE-2026-41423", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41423 affects version 7.2.11-tuxcare.1 of @angular/platform-server." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-server@7.2.11-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:bc4c84fb-b5a5-5ef9-b970-07140b08b880", "id": "CVE-2026-46417", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-46417 affects version 7.2.11-tuxcare.1 of @angular/platform-server." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-server@7.2.11-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:c97fc322-0216-57ed-862e-a77783fc302b", "id": "CVE-2026-50168", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-50168 does not affect version 7.2.11-tuxcare.1 of @angular/platform-server. not_affected \u2014 CVE-2026-50168 addresses vulnerabilities in the WHATWG URL-based parseUrl implementation and allowedHosts validation feature introduced in Angular's CVE-2026-41423 fix. The target (v7.2.11) uses a completely different architecture with Node.js legacy url.parse() and does not have the allowedHosts feature. The specific vulnerable code patterns that CVE-2026-50168 patches do not exist in this ver..." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-server@7.2.11-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:093be4a1-cede-5963-a61b-87b1e3421a70", "id": "CVE-2026-50169", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50169 affects version 7.2.11-tuxcare.1 of @angular/platform-server." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-server@7.2.11-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:85e1d002-4248-5535-8062-6a52647c643b", "id": "CVE-2026-50170", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-50170 does not affect version 7.2.11-tuxcare.1 of @angular/platform-server. not_affected \u2014 Angular v7.2.11 is not affected by CVE-2026-50170. The HTTP Transfer Cache feature that is vulnerable does not exist in this version. The feature was introduced in Angular v16+, and v7.2.11 lacks the transfer_cache.ts module, withHttpTransferCache provider, and provideClientHydration functionality entirely." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-server@7.2.11-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:fc921ce7-c319-560f-a4da-d83deb235a44", "id": "CVE-2026-50171", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50171 affects version 7.2.11-tuxcare.1 of @angular/platform-server." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-server@7.2.11-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:60d27a7e-1133-5ca5-b08a-656a985559f6", "id": "CVE-2026-50184", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50184 affects version 7.2.11-tuxcare.1 of @angular/platform-server." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-server@7.2.11-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:bed29203-bf50-5c62-9f9c-8c93ee3e4588", "id": "CVE-2026-50555", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50555 affects version 7.2.11-tuxcare.1 of @angular/platform-server." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-server@7.2.11-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:94595035-39ff-57ba-a3f7-6ef8250fe59d", "id": "CVE-2026-50556", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50556 affects version 7.2.11-tuxcare.1 of @angular/platform-server." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-server@7.2.11-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:c59ee7db-b59d-5e17-92cb-b75f8cfc5ca9", "id": "CVE-2026-50557", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50557 affects version 7.2.11-tuxcare.1 of @angular/platform-server." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-server@7.2.11-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:257cd060-dcf2-5568-b1db-0e52f97660b9", "id": "CVE-2026-52725", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-52725 affects version 7.2.11-tuxcare.1 of @angular/platform-server." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-server@7.2.11-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:00230686-bd3c-541f-81c0-3555c8d33765", "id": "CVE-2026-54264", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-54264 does not affect version 7.2.11-tuxcare.1 of @angular/platform-server. not_affected \u2014 Angular 7.2.11-tuxcare.2 is not affected by CVE-2026-54264. The vulnerability concerns sensitive header leakage on cross-origin redirects in the request metadata preservation feature. This version predates that feature entirely - it strips ALL request headers when making network requests for assets, as evidenced by code comments and the absence of the newRequestWithMetadata method introduced in..." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-server@7.2.11-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:85f7928e-c383-5f7d-bacc-4888f9730b6d", "id": "CVE-2026-54265", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-54265 does not affect version 7.2.11-tuxcare.1 of @angular/platform-server. not_affected \u2014 Angular 7.2.11-tuxcare.2 uses View Engine compiler architecture, not Ivy. The vulnerability (CVE-2026-54265) is specific to Ivy's template compiler pipeline where TwoWayProperty operations were missing from the sanitizer resolution switch. View Engine does not have TwoWayProperty operations; two-way bindings desugar early in the template parser to the same parsePropertyBinding() code path as on..." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-server@7.2.11-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:fe2c78ca-09b0-5c87-b084-13dd5f946cf5", "id": "CVE-2026-54266", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-54266 does not affect version 7.2.11-tuxcare.1 of @angular/platform-server. not_affected \u2014 Angular 7.2.11-tuxcare.2 is not affected by CVE-2026-54266. The HttpTransferCache feature that contains the weak hash vulnerability does not exist in this version - it was introduced in Angular 16." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-server@7.2.11-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:477f97d0-ee1c-5794-b484-4be428312433", "id": "CVE-2026-54267", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-54267 affects version 7.2.11-tuxcare.1 of @angular/platform-server." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-server@7.2.11-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:f33832e9-274d-5141-91f7-c4179e4f3fc3", "id": "CVE-2026-54268", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-54268 affects version 7.2.11-tuxcare.1 of @angular/platform-server." }, "affects": [ { "ref": "pkg:npm/%40angular/platform-server@7.2.11-tuxcare.1" } ] } ], "dependencies": [ { "ref": "pkg:npm/%40angular/platform-server@7.2.11-tuxcare.1" } ] }