{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:e904deb4-bf21-5e91-8a50-ae44b9c018b2", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:npm/%40angular/router@15.2.9", "type": "library", "name": "@angular/router", "version": "15.2.9", "purl": "pkg:npm/%40angular/router@15.2.9" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:dcd62d72-3934-5401-954a-8bce0c83d3e7", "id": "CVE-2025-66412", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-66412 affects version 15.2.9 of @angular/router." }, "affects": [ { "ref": "pkg:npm/%40angular/router@15.2.9" } ] }, { "bom-ref": "urn:uuid:193affd9-2fb6-571f-94d9-faeaf600d89c", "id": "CVE-2026-22610", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22610 affects version 15.2.9 of @angular/router." }, "affects": [ { "ref": "pkg:npm/%40angular/router@15.2.9" } ] }, { "bom-ref": "urn:uuid:68c4d5f9-96ff-5a94-b7b6-8c4320b77c6e", "id": "CVE-2026-27970", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-27970 affects version 15.2.9 of @angular/router." }, "affects": [ { "ref": "pkg:npm/%40angular/router@15.2.9" } ] }, { "bom-ref": "urn:uuid:690bf083-f0aa-5e9b-ad96-a50846bc6df3", "id": "CVE-2026-41423", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41423 does not affect version 15.2.9 of @angular/router. not_affected \u2014 Angular 15.2.9 is not affected by CVE-2026-41423. The SSRF vulnerability via protocol-relative URLs was introduced in Angular 17.0.0 when the codebase switched from Node.js url.parse to WHATWG URL API. Angular 15.2.9 still uses the legacy Node.js url.parse which treats protocol-relative URLs ('//evil.com') as pathnames, not hostname overrides, preventing the SSRF attack vector." }, "affects": [ { "ref": "pkg:npm/%40angular/router@15.2.9" } ] }, { "bom-ref": "urn:uuid:ee780e98-7081-5575-bc7d-e674d065076b", "id": "CVE-2026-46417", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-46417 affects version 15.2.9 of @angular/router." }, "affects": [ { "ref": "pkg:npm/%40angular/router@15.2.9" } ] }, { "bom-ref": "urn:uuid:6e9538ef-bfab-5cf5-b09a-86c8cdf2067d", "id": "CVE-2026-50168", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50168 affects version 15.2.9 of @angular/router." }, "affects": [ { "ref": "pkg:npm/%40angular/router@15.2.9" } ] }, { "bom-ref": "urn:uuid:6c176a4c-bd6e-552e-81b4-c5c8edbed975", "id": "CVE-2026-50169", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50169 affects version 15.2.9 of @angular/router." }, "affects": [ { "ref": "pkg:npm/%40angular/router@15.2.9" } ] }, { "bom-ref": "urn:uuid:5970a3ec-0b07-5ba8-b895-b052a3bf6548", "id": "CVE-2026-50170", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-50170 does not affect version 15.2.9 of @angular/router. not_affected \u2014 no evidence captured" }, "affects": [ { "ref": "pkg:npm/%40angular/router@15.2.9" } ] }, { "bom-ref": "urn:uuid:3ea25c58-348e-513c-a309-eb294c429564", "id": "CVE-2026-50171", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50171 affects version 15.2.9 of @angular/router." }, "affects": [ { "ref": "pkg:npm/%40angular/router@15.2.9" } ] }, { "bom-ref": "urn:uuid:0d9ecfbc-005d-57bd-8cef-43cd1f567df5", "id": "CVE-2026-50184", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50184 affects version 15.2.9 of @angular/router." }, "affects": [ { "ref": "pkg:npm/%40angular/router@15.2.9" } ] }, { "bom-ref": "urn:uuid:3595d06c-cc79-506a-b3b2-a90743a6510c", "id": "CVE-2026-50555", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50555 affects version 15.2.9 of @angular/router." }, "affects": [ { "ref": "pkg:npm/%40angular/router@15.2.9" } ] }, { "bom-ref": "urn:uuid:0a99b7d9-3023-5c61-b9ae-32f2f9415bf8", "id": "CVE-2026-50556", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50556 affects version 15.2.9 of @angular/router." }, "affects": [ { "ref": "pkg:npm/%40angular/router@15.2.9" } ] }, { "bom-ref": "urn:uuid:4465fcd9-10ec-51cf-9d80-8ad1b6070969", "id": "CVE-2026-50557", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50557 affects version 15.2.9 of @angular/router." }, "affects": [ { "ref": "pkg:npm/%40angular/router@15.2.9" } ] }, { "bom-ref": "urn:uuid:08b430cb-3bbd-523d-9fde-3153821dc408", "id": "CVE-2026-52725", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-52725 affects version 15.2.9 of @angular/router." }, "affects": [ { "ref": "pkg:npm/%40angular/router@15.2.9" } ] }, { "bom-ref": "urn:uuid:2b623f42-5c53-5c64-82d3-8c33d5e8895e", "id": "CVE-2026-54264", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-54264 affects version 15.2.9 of @angular/router." }, "affects": [ { "ref": "pkg:npm/%40angular/router@15.2.9" } ] }, { "bom-ref": "urn:uuid:9962e5df-a848-5c27-9745-42f08e3c0cd9", "id": "CVE-2026-54265", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-54265 does not affect version 15.2.9 of @angular/router. not_affected \u2014 Angular 15.2.9-tuxcare.1 is not affected by CVE-2026-54265. The vulnerability requires the new Ivy compiler 'pipeline' architecture with the TwoWayProperty IR operation, which was introduced in Angular 16+. Angular 15.2.9 uses the older compiler architecture where two-way bindings are desugared into separate property and event bindings, causing them to automatically receive the same sanitizatio..." }, "affects": [ { "ref": "pkg:npm/%40angular/router@15.2.9" } ] }, { "bom-ref": "urn:uuid:7e7d94a0-7b3b-5674-8298-78702616b52b", "id": "CVE-2026-54266", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-54266 does not affect version 15.2.9 of @angular/router. not_affected \u2014 Angular 15.2.9 is not affected by CVE-2026-54266. The vulnerable HttpTransferCache feature does not exist in this version - it was introduced in Angular v16+. Without this feature, there is no code that hashes HTTP request properties for cache key generation, so the hash collision vulnerability cannot manifest." }, "affects": [ { "ref": "pkg:npm/%40angular/router@15.2.9" } ] }, { "bom-ref": "urn:uuid:b1aea139-2602-5b4d-96eb-6d84e715a7a0", "id": "CVE-2026-54267", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-54267 affects version 15.2.9 of @angular/router." }, "affects": [ { "ref": "pkg:npm/%40angular/router@15.2.9" } ] }, { "bom-ref": "urn:uuid:4619a70d-a726-5006-b77a-30f5fea4b658", "id": "CVE-2026-54268", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-54268 affects version 15.2.9 of @angular/router." }, "affects": [ { "ref": "pkg:npm/%40angular/router@15.2.9" } ] } ], "dependencies": [ { "ref": "pkg:npm/%40angular/router@15.2.9" } ] }