{
  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "serialNumber": "urn:uuid:5bdd32a8-7ae8-5506-ba17-776fac8f4c2b",
  "version": 1,
  "metadata": {
    "tools": [
      {
        "name": "tuxcare-vex-generator",
        "version": "1.0.0"
      }
    ]
  },
  "components": [
    {
      "bom-ref": "pkg:npm/%40angular/router@11.2.0-tuxcare.1",
      "type": "library",
      "name": "@angular/router",
      "version": "11.2.0-tuxcare.1",
      "purl": "pkg:npm/%40angular/router@11.2.0-tuxcare.1"
    }
  ],
  "vulnerabilities": [
    {
      "bom-ref": "urn:uuid:6bd71672-9016-52b4-ac81-c0134c44469c",
      "id": "CVE-2025-66035",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2025-66035 is fixed in version 11.2.0-tuxcare.1 of @angular/router."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/router@11.2.0-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:c0878ccd-06f3-547b-aa26-77b86b150d69",
      "id": "CVE-2025-66412",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2025-66412 affects version 11.2.0-tuxcare.1 of @angular/router."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/router@11.2.0-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:c74be124-b5de-5e97-8fb9-e5f36b359dc6",
      "id": "CVE-2026-22610",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-22610 affects version 11.2.0-tuxcare.1 of @angular/router."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/router@11.2.0-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:5d3fd96d-de76-5677-bdc6-c1854cad6ab4",
      "id": "CVE-2026-27970",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-27970 affects version 11.2.0-tuxcare.1 of @angular/router."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/router@11.2.0-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:e111f4ee-ad1d-5c90-9c07-ad050bc0ae9f",
      "id": "CVE-2026-41423",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2026-41423 does not affect version 11.2.0-tuxcare.1 of @angular/router. not_affected \u2014 Target version 11.2.0 uses Node.js url.parse() API which does not perform hostname hijacking with protocol-relative URLs. The SSRF vulnerability (CVE-2026-41423) specifically affects versions using WHATWG URL constructor without the defense. The target's url.parse() produces empty hostname for inputs like '//evil.com', preventing the SSRF exploitation that requires hostname replacement."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/router@11.2.0-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:1070501f-6680-50fb-a676-e5aee0fdb562",
      "id": "CVE-2026-46417",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-46417 affects version 11.2.0-tuxcare.1 of @angular/router."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/router@11.2.0-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:52dd09a5-77b6-5c69-a08d-56dfb52b0df7",
      "id": "CVE-2026-50168",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-50168 affects version 11.2.0-tuxcare.1 of @angular/router."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/router@11.2.0-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:8a9aa4b6-895e-5493-991b-80b7100e0802",
      "id": "CVE-2026-50169",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-50169 affects version 11.2.0-tuxcare.1 of @angular/router."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/router@11.2.0-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:530e51b2-7e11-5056-9e30-b435d1b3486e",
      "id": "CVE-2026-50170",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2026-50170 does not affect version 11.2.0-tuxcare.1 of @angular/router. not_affected \u2014 Angular 11.2.0 is not affected by CVE-2026-50170. The vulnerability exists in Angular's HTTP transfer cache feature, which automatically caches HTTP responses during server-side rendering (SSR) and reuses them during client hydration. This feature was introduced in Angular v16+ and does not exist in Angular 11.2.0. The target repository lacks the vulnerable code path entirely: no transfer_cache..."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/router@11.2.0-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:8b94b424-5f9d-5061-91a2-a482ab453799",
      "id": "CVE-2026-50171",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-50171 affects version 11.2.0-tuxcare.1 of @angular/router."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/router@11.2.0-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:a83981d6-f409-5875-b8d2-70b3079df46f",
      "id": "CVE-2026-50184",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-50184 affects version 11.2.0-tuxcare.1 of @angular/router."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/router@11.2.0-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:e70222e4-56a0-5498-b2d1-f6f51d93c2bd",
      "id": "CVE-2026-50555",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-50555 affects version 11.2.0-tuxcare.1 of @angular/router."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/router@11.2.0-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:5dbd211d-7c00-506b-88a8-ab2d5e5f0912",
      "id": "CVE-2026-50556",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-50556 affects version 11.2.0-tuxcare.1 of @angular/router."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/router@11.2.0-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:cbfc9ea0-2d19-51b0-8476-c7a116b8cca9",
      "id": "CVE-2026-50557",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-50557 affects version 11.2.0-tuxcare.1 of @angular/router."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/router@11.2.0-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:b8091bf5-7343-5983-96ef-019df1624289",
      "id": "CVE-2026-52725",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-52725 affects version 11.2.0-tuxcare.1 of @angular/router."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/router@11.2.0-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:509dce62-91ea-5c80-a2eb-48f5f2157017",
      "id": "CVE-2026-54264",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2026-54264 does not affect version 11.2.0-tuxcare.1 of @angular/router. not_affected \u2014 Version 11.2.0-tuxcare.2 is NOT affected by CVE-2026-54264. This version lacks the vulnerable code pattern - asset-group requests are reconstructed using URL-only (no headers forwarded), and data-group requests use browser's native fetch which strips sensitive headers per Fetch specification. The vulnerability requires a header-copying mechanism that does not exist in this version."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/router@11.2.0-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:612fe6a3-ae18-54c3-84ad-37c75a5fd917",
      "id": "CVE-2026-54265",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2026-54265 does not affect version 11.2.0-tuxcare.1 of @angular/router. not_affected \u2014 Angular v11.2.0-tuxcare.2 is NOT affected by CVE-2026-54265. The vulnerability requires the Ivy template compiler pipeline's TwoWayProperty IR operation introduced in later versions (v20+). This version uses an earlier compiler architecture (View Engine + early Ivy) where two-way property bindings are desugared through the same parsePropertyBinding() path as one-way bindings, applying schema-de..."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/router@11.2.0-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:22e28427-a846-5e73-9668-f29c8271bdcd",
      "id": "CVE-2026-54266",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2026-54266 does not affect version 11.2.0-tuxcare.1 of @angular/router. not_affected \u2014 Angular v11.2.0 is not affected by CVE-2026-54266. The vulnerable HttpTransferCache feature (introduced in Angular v16+) does not exist in this version. The transfer_cache.ts file and all related APIs (HttpTransferCache, generateHash, makeCacheKey, withHttpTransferCache) are completely absent from the codebase."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/router@11.2.0-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:760750f2-b213-5169-b7f8-2194e1db2aa8",
      "id": "CVE-2026-54267",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-54267 affects version 11.2.0-tuxcare.1 of @angular/router."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/router@11.2.0-tuxcare.1"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:9e2fe352-3e79-5d30-884c-972ab893dba0",
      "id": "CVE-2026-54268",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-54268 affects version 11.2.0-tuxcare.1 of @angular/router."
      },
      "affects": [
        {
          "ref": "pkg:npm/%40angular/router@11.2.0-tuxcare.1"
        }
      ]
    }
  ],
  "dependencies": [
    {
      "ref": "pkg:npm/%40angular/router@11.2.0-tuxcare.1"
    }
  ]
}