{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:3bccc3f4-119b-5df5-ba3a-09e30c61858c", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:npm/%40angular/router@15.2.9-tuxcare.1", "type": "library", "name": "@angular/router", "version": "15.2.9-tuxcare.1", "purl": "pkg:npm/%40angular/router@15.2.9-tuxcare.1" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:f87f0a41-f67c-5ce0-94d1-01ea8a15c207", "id": "CVE-2025-66035", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-66035 is fixed in version 15.2.9-tuxcare.1 of @angular/router." }, "affects": [ { "ref": "pkg:npm/%40angular/router@15.2.9-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:5ac9923f-ea65-571f-a4c4-7128e482285e", "id": "CVE-2025-66412", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-66412 affects version 15.2.9-tuxcare.1 of @angular/router." }, "affects": [ { "ref": "pkg:npm/%40angular/router@15.2.9-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:6906effc-1a72-5834-833f-f757dee61be7", "id": "CVE-2026-22610", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22610 affects version 15.2.9-tuxcare.1 of @angular/router." }, "affects": [ { "ref": "pkg:npm/%40angular/router@15.2.9-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:f3ea0e3c-29e4-5837-a841-d9557d6fb9a4", "id": "CVE-2026-27970", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-27970 affects version 15.2.9-tuxcare.1 of @angular/router." }, "affects": [ { "ref": "pkg:npm/%40angular/router@15.2.9-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:8c4abd8f-edaa-5e15-8660-00ab152b260d", "id": "CVE-2026-41423", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41423 does not affect version 15.2.9-tuxcare.1 of @angular/router. not_affected \u2014 Angular 15.2.9 is not affected by CVE-2026-41423. The SSRF vulnerability via protocol-relative URLs was introduced in Angular 17.0.0 when the codebase switched from Node.js url.parse to WHATWG URL API. Angular 15.2.9 still uses the legacy Node.js url.parse which treats protocol-relative URLs ('//evil.com') as pathnames, not hostname overrides, preventing the SSRF attack vector." }, "affects": [ { "ref": "pkg:npm/%40angular/router@15.2.9-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:e700ce34-77b1-5025-9b32-f37e3687d09c", "id": "CVE-2026-46417", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-46417 affects version 15.2.9-tuxcare.1 of @angular/router." }, "affects": [ { "ref": "pkg:npm/%40angular/router@15.2.9-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:8882d9a6-13e0-5c77-9557-5fcd2fc58930", "id": "CVE-2026-50168", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50168 affects version 15.2.9-tuxcare.1 of @angular/router." }, "affects": [ { "ref": "pkg:npm/%40angular/router@15.2.9-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:eec025ee-75f3-5917-a999-2b84ea251704", "id": "CVE-2026-50169", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50169 affects version 15.2.9-tuxcare.1 of @angular/router." }, "affects": [ { "ref": "pkg:npm/%40angular/router@15.2.9-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:00aa6669-c116-518e-ad43-3caa5c131aca", "id": "CVE-2026-50170", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-50170 does not affect version 15.2.9-tuxcare.1 of @angular/router. not_affected \u2014 no evidence captured" }, "affects": [ { "ref": "pkg:npm/%40angular/router@15.2.9-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:49021299-6dc6-5eee-a67a-aff594d7b3dd", "id": "CVE-2026-50171", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50171 affects version 15.2.9-tuxcare.1 of @angular/router." }, "affects": [ { "ref": "pkg:npm/%40angular/router@15.2.9-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:0044614f-b1f2-5687-938b-998ff1efca49", "id": "CVE-2026-50184", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50184 affects version 15.2.9-tuxcare.1 of @angular/router." }, "affects": [ { "ref": "pkg:npm/%40angular/router@15.2.9-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:85ea1957-2d9c-5806-b7a4-cbcf8e8cceb7", "id": "CVE-2026-50555", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50555 affects version 15.2.9-tuxcare.1 of @angular/router." }, "affects": [ { "ref": "pkg:npm/%40angular/router@15.2.9-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:9b136c0d-27aa-5c9f-8dba-aec55d2c6ef5", "id": "CVE-2026-50556", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50556 affects version 15.2.9-tuxcare.1 of @angular/router." }, "affects": [ { "ref": "pkg:npm/%40angular/router@15.2.9-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:ff9c7225-f5d5-592f-b291-2f0d48477868", "id": "CVE-2026-50557", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50557 affects version 15.2.9-tuxcare.1 of @angular/router." }, "affects": [ { "ref": "pkg:npm/%40angular/router@15.2.9-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:285eb0a8-5d6d-5be8-bf6e-b635bf31d381", "id": "CVE-2026-52725", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-52725 affects version 15.2.9-tuxcare.1 of @angular/router." }, "affects": [ { "ref": "pkg:npm/%40angular/router@15.2.9-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:8e2cb853-ddfb-5f10-910e-4fc744fa720f", "id": "CVE-2026-54264", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-54264 affects version 15.2.9-tuxcare.1 of @angular/router." }, "affects": [ { "ref": "pkg:npm/%40angular/router@15.2.9-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:e9518744-480b-54d8-8647-6cfe7b4471c2", "id": "CVE-2026-54265", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-54265 does not affect version 15.2.9-tuxcare.1 of @angular/router. not_affected \u2014 Angular 15.2.9-tuxcare.1 is not affected by CVE-2026-54265. The vulnerability requires the new Ivy compiler 'pipeline' architecture with the TwoWayProperty IR operation, which was introduced in Angular 16+. Angular 15.2.9 uses the older compiler architecture where two-way bindings are desugared into separate property and event bindings, causing them to automatically receive the same sanitizatio..." }, "affects": [ { "ref": "pkg:npm/%40angular/router@15.2.9-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:859d7b19-2654-5890-b87e-69748d8adea5", "id": "CVE-2026-54266", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-54266 does not affect version 15.2.9-tuxcare.1 of @angular/router. not_affected \u2014 Angular 15.2.9 is not affected by CVE-2026-54266. The vulnerable HttpTransferCache feature does not exist in this version - it was introduced in Angular v16+. Without this feature, there is no code that hashes HTTP request properties for cache key generation, so the hash collision vulnerability cannot manifest." }, "affects": [ { "ref": "pkg:npm/%40angular/router@15.2.9-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:a2f101e5-ec43-57b4-b694-0848ff15a908", "id": "CVE-2026-54267", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-54267 affects version 15.2.9-tuxcare.1 of @angular/router." }, "affects": [ { "ref": "pkg:npm/%40angular/router@15.2.9-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:ad5c44ba-34ba-53cd-ae07-722297b362de", "id": "CVE-2026-54268", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-54268 affects version 15.2.9-tuxcare.1 of @angular/router." }, "affects": [ { "ref": "pkg:npm/%40angular/router@15.2.9-tuxcare.1" } ] } ], "dependencies": [ { "ref": "pkg:npm/%40angular/router@15.2.9-tuxcare.1" } ] }