{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:af8705e3-bfa1-5258-a68d-d1dd2838a3fe", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:npm/%40angular/router@11.2.11-tuxcare.1", "type": "library", "name": "@angular/router", "version": "11.2.11-tuxcare.1", "purl": "pkg:npm/%40angular/router@11.2.11-tuxcare.1" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:02d6d7c9-526a-5dfb-915a-22f9c52d43df", "id": "CVE-2025-66035", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-66035 is fixed in version 11.2.11-tuxcare.1 of @angular/router." }, "affects": [ { "ref": "pkg:npm/%40angular/router@11.2.11-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:e61c7aae-e357-532b-b96f-f24d47a1800a", "id": "CVE-2025-66412", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-66412 affects version 11.2.11-tuxcare.1 of @angular/router." }, "affects": [ { "ref": "pkg:npm/%40angular/router@11.2.11-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:ad432f8d-3558-55be-9ec1-14193509c86c", "id": "CVE-2026-22610", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22610 affects version 11.2.11-tuxcare.1 of @angular/router." }, "affects": [ { "ref": "pkg:npm/%40angular/router@11.2.11-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:feb3b655-9cfa-5727-9571-e039515d54b8", "id": "CVE-2026-27970", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-27970 affects version 11.2.11-tuxcare.1 of @angular/router." }, "affects": [ { "ref": "pkg:npm/%40angular/router@11.2.11-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:f9d6cfdb-4fd8-5610-afdb-f20a53b771ba", "id": "CVE-2026-41423", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41423 affects version 11.2.11-tuxcare.1 of @angular/router." }, "affects": [ { "ref": "pkg:npm/%40angular/router@11.2.11-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:872ca2f7-db4a-54d4-9526-5718250b37f6", "id": "CVE-2026-46417", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-46417 affects version 11.2.11-tuxcare.1 of @angular/router." }, "affects": [ { "ref": "pkg:npm/%40angular/router@11.2.11-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:17d7eaee-586e-5dd2-8596-e4c31b356a87", "id": "CVE-2026-50168", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50168 affects version 11.2.11-tuxcare.1 of @angular/router." }, "affects": [ { "ref": "pkg:npm/%40angular/router@11.2.11-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:8e121405-1d5c-57c4-b9e2-136937ce1484", "id": "CVE-2026-50169", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50169 affects version 11.2.11-tuxcare.1 of @angular/router." }, "affects": [ { "ref": "pkg:npm/%40angular/router@11.2.11-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:0d35c088-3719-553c-9f6b-e397a5463b83", "id": "CVE-2026-50170", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-50170 does not affect version 11.2.11-tuxcare.1 of @angular/router. not_affected \u2014 Angular v11.2.11 is NOT AFFECTED by CVE-2026-50170. The vulnerability affects the HTTP transfer cache feature introduced in Angular v16+, which automatically caches HTTP responses during SSR and replays them during client hydration. This feature does not exist in v11.2.11. The target lacks the entire transfer_cache.ts module, withHttpTransferCache API, transferCacheInterceptorFn, and client hyd..." }, "affects": [ { "ref": "pkg:npm/%40angular/router@11.2.11-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:0435517d-9ba9-5847-9a25-76dce2478c64", "id": "CVE-2026-50171", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50171 affects version 11.2.11-tuxcare.1 of @angular/router." }, "affects": [ { "ref": "pkg:npm/%40angular/router@11.2.11-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:248c1be1-46e6-59ee-849d-ebe26fdc0b81", "id": "CVE-2026-50184", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50184 affects version 11.2.11-tuxcare.1 of @angular/router." }, "affects": [ { "ref": "pkg:npm/%40angular/router@11.2.11-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:3f8c3650-f1be-57c9-a8e1-ae3deefa458e", "id": "CVE-2026-50555", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50555 affects version 11.2.11-tuxcare.1 of @angular/router." }, "affects": [ { "ref": "pkg:npm/%40angular/router@11.2.11-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:2a86e0cb-06d9-59e3-a15c-2648bab6ec71", "id": "CVE-2026-50556", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50556 affects version 11.2.11-tuxcare.1 of @angular/router." }, "affects": [ { "ref": "pkg:npm/%40angular/router@11.2.11-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:261287b5-76dc-5041-af79-b7492185f3df", "id": "CVE-2026-50557", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50557 affects version 11.2.11-tuxcare.1 of @angular/router." }, "affects": [ { "ref": "pkg:npm/%40angular/router@11.2.11-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:67f4d7a3-62bb-55b4-a910-f18f6dd7be5c", "id": "CVE-2026-52725", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-52725 affects version 11.2.11-tuxcare.1 of @angular/router." }, "affects": [ { "ref": "pkg:npm/%40angular/router@11.2.11-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:9c367309-6960-5402-9b4a-6d87f2273351", "id": "CVE-2026-54264", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-54264 does not affect version 11.2.11-tuxcare.1 of @angular/router. not_affected \u2014 Angular 11.2.11-tuxcare.2 is NOT AFFECTED by CVE-2026-54264. The service worker in this version does not forward request headers during asset reconstruction, eliminating the cross-origin credential leak vulnerability. The vulnerable method `newRequestWithMetadata` that copies headers from the original request does not exist in this version." }, "affects": [ { "ref": "pkg:npm/%40angular/router@11.2.11-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:e7801281-e22b-5a49-811f-794346bce299", "id": "CVE-2026-54265", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-54265 does not affect version 11.2.11-tuxcare.1 of @angular/router. not_affected \u2014 Angular 11.2.11 is not affected by CVE-2026-54265. The vulnerability targets the new Ivy compiler's TwoWayProperty operation in the template compilation pipeline, which does not exist in Angular 11.2.11. In this version, two-way bindings desugar through the same sanitization-aware parsePropertyBinding code path as one-way bindings, ensuring security-sensitive properties are properly sanitized." }, "affects": [ { "ref": "pkg:npm/%40angular/router@11.2.11-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:1fcac974-2986-5513-bcd7-35d6325f9cef", "id": "CVE-2026-54266", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-54266 does not affect version 11.2.11-tuxcare.1 of @angular/router. not_affected \u2014 Angular version 11.2.11 is not affected by CVE-2026-54266. The vulnerable HttpTransferCache feature with weak DJB2 hash-based cache key generation does not exist in this version. This feature was introduced in Angular v16, and version 11.2.11 predates it entirely." }, "affects": [ { "ref": "pkg:npm/%40angular/router@11.2.11-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:4e2a167d-6dcd-5287-8b6f-1abfcb4e5a23", "id": "CVE-2026-54267", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-54267 affects version 11.2.11-tuxcare.1 of @angular/router." }, "affects": [ { "ref": "pkg:npm/%40angular/router@11.2.11-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:26b850cf-08b4-511c-b50e-5e395f845dcd", "id": "CVE-2026-54268", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-54268 affects version 11.2.11-tuxcare.1 of @angular/router." }, "affects": [ { "ref": "pkg:npm/%40angular/router@11.2.11-tuxcare.1" } ] } ], "dependencies": [ { "ref": "pkg:npm/%40angular/router@11.2.11-tuxcare.1" } ] }