{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:552d122e-2d17-55a1-a7ea-ebb4394728ce", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:npm/%40angular/upgrade@11.2.0-tuxcare.1", "type": "library", "name": "@angular/upgrade", "version": "11.2.0-tuxcare.1", "purl": "pkg:npm/%40angular/upgrade@11.2.0-tuxcare.1" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:567d615d-98f3-5d0f-90cb-f0259e4c60ca", "id": "CVE-2025-66035", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-66035 is fixed in version 11.2.0-tuxcare.1 of @angular/upgrade." }, "affects": [ { "ref": "pkg:npm/%40angular/upgrade@11.2.0-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:d93b94f9-1875-5af8-a269-58d567ec6983", "id": "CVE-2025-66412", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-66412 affects version 11.2.0-tuxcare.1 of @angular/upgrade." }, "affects": [ { "ref": "pkg:npm/%40angular/upgrade@11.2.0-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:b38741af-63d0-505b-b630-92eff6a2ffd5", "id": "CVE-2026-22610", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22610 affects version 11.2.0-tuxcare.1 of @angular/upgrade." }, "affects": [ { "ref": "pkg:npm/%40angular/upgrade@11.2.0-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:bf2b0576-d5f4-53b0-b8be-68f0999deed2", "id": "CVE-2026-27970", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-27970 affects version 11.2.0-tuxcare.1 of @angular/upgrade." }, "affects": [ { "ref": "pkg:npm/%40angular/upgrade@11.2.0-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:903ba98e-1beb-5fc8-a9ef-286be1fa6e3d", "id": "CVE-2026-41423", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41423 does not affect version 11.2.0-tuxcare.1 of @angular/upgrade. not_affected \u2014 Target version 11.2.0 uses Node.js url.parse() API which does not perform hostname hijacking with protocol-relative URLs. The SSRF vulnerability (CVE-2026-41423) specifically affects versions using WHATWG URL constructor without the defense. The target's url.parse() produces empty hostname for inputs like '//evil.com', preventing the SSRF exploitation that requires hostname replacement." }, "affects": [ { "ref": "pkg:npm/%40angular/upgrade@11.2.0-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:3d016af7-adaa-5fbd-bf84-6bffa934b57d", "id": "CVE-2026-46417", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-46417 affects version 11.2.0-tuxcare.1 of @angular/upgrade." }, "affects": [ { "ref": "pkg:npm/%40angular/upgrade@11.2.0-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:7fe2ba18-02fe-5622-bc42-598a94588e89", "id": "CVE-2026-50168", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50168 affects version 11.2.0-tuxcare.1 of @angular/upgrade." }, "affects": [ { "ref": "pkg:npm/%40angular/upgrade@11.2.0-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:ce3ab262-aa25-5fe1-9ab4-b8eb8a3cb8ae", "id": "CVE-2026-50169", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50169 affects version 11.2.0-tuxcare.1 of @angular/upgrade." }, "affects": [ { "ref": "pkg:npm/%40angular/upgrade@11.2.0-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:69cdefcd-6faa-5d82-ada9-12619f977c81", "id": "CVE-2026-50170", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-50170 does not affect version 11.2.0-tuxcare.1 of @angular/upgrade. not_affected \u2014 Angular 11.2.0 is not affected by CVE-2026-50170. The vulnerability exists in Angular's HTTP transfer cache feature, which automatically caches HTTP responses during server-side rendering (SSR) and reuses them during client hydration. This feature was introduced in Angular v16+ and does not exist in Angular 11.2.0. The target repository lacks the vulnerable code path entirely: no transfer_cache..." }, "affects": [ { "ref": "pkg:npm/%40angular/upgrade@11.2.0-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:501d8e96-dcd4-581d-9a0e-5e09388e83c6", "id": "CVE-2026-50171", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50171 affects version 11.2.0-tuxcare.1 of @angular/upgrade." }, "affects": [ { "ref": "pkg:npm/%40angular/upgrade@11.2.0-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:e58e026c-2ffc-52e2-bc12-7736b2e952d8", "id": "CVE-2026-50184", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50184 affects version 11.2.0-tuxcare.1 of @angular/upgrade." }, "affects": [ { "ref": "pkg:npm/%40angular/upgrade@11.2.0-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:ef5b7521-17b4-5b61-a33f-5ab6c3b754c0", "id": "CVE-2026-50555", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50555 affects version 11.2.0-tuxcare.1 of @angular/upgrade." }, "affects": [ { "ref": "pkg:npm/%40angular/upgrade@11.2.0-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:586a5948-8c68-586c-9d05-f6765ded025c", "id": "CVE-2026-50556", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50556 affects version 11.2.0-tuxcare.1 of @angular/upgrade." }, "affects": [ { "ref": "pkg:npm/%40angular/upgrade@11.2.0-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:3c21af38-3251-5b53-a541-ec132d36efe7", "id": "CVE-2026-50557", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50557 affects version 11.2.0-tuxcare.1 of @angular/upgrade." }, "affects": [ { "ref": "pkg:npm/%40angular/upgrade@11.2.0-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:f385d313-850b-5273-a46e-193cbb217539", "id": "CVE-2026-52725", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-52725 affects version 11.2.0-tuxcare.1 of @angular/upgrade." }, "affects": [ { "ref": "pkg:npm/%40angular/upgrade@11.2.0-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:996639df-9731-50f5-bc3d-2770b6264203", "id": "CVE-2026-54264", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-54264 does not affect version 11.2.0-tuxcare.1 of @angular/upgrade. not_affected \u2014 Version 11.2.0-tuxcare.2 is NOT affected by CVE-2026-54264. This version lacks the vulnerable code pattern - asset-group requests are reconstructed using URL-only (no headers forwarded), and data-group requests use browser's native fetch which strips sensitive headers per Fetch specification. The vulnerability requires a header-copying mechanism that does not exist in this version." }, "affects": [ { "ref": "pkg:npm/%40angular/upgrade@11.2.0-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:e727ce06-9771-5d4c-a321-b4029da15003", "id": "CVE-2026-54265", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-54265 does not affect version 11.2.0-tuxcare.1 of @angular/upgrade. not_affected \u2014 Angular v11.2.0-tuxcare.2 is NOT affected by CVE-2026-54265. The vulnerability requires the Ivy template compiler pipeline's TwoWayProperty IR operation introduced in later versions (v20+). This version uses an earlier compiler architecture (View Engine + early Ivy) where two-way property bindings are desugared through the same parsePropertyBinding() path as one-way bindings, applying schema-de..." }, "affects": [ { "ref": "pkg:npm/%40angular/upgrade@11.2.0-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:a721e32c-30df-5a47-8295-1052dc48647f", "id": "CVE-2026-54266", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-54266 does not affect version 11.2.0-tuxcare.1 of @angular/upgrade. not_affected \u2014 Angular v11.2.0 is not affected by CVE-2026-54266. The vulnerable HttpTransferCache feature (introduced in Angular v16+) does not exist in this version. The transfer_cache.ts file and all related APIs (HttpTransferCache, generateHash, makeCacheKey, withHttpTransferCache) are completely absent from the codebase." }, "affects": [ { "ref": "pkg:npm/%40angular/upgrade@11.2.0-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:7b57b326-56c5-588b-92bc-c1346f579af4", "id": "CVE-2026-54267", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-54267 affects version 11.2.0-tuxcare.1 of @angular/upgrade." }, "affects": [ { "ref": "pkg:npm/%40angular/upgrade@11.2.0-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:b946f24d-e8e4-5bdd-a457-99341c6056cb", "id": "CVE-2026-54268", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-54268 affects version 11.2.0-tuxcare.1 of @angular/upgrade." }, "affects": [ { "ref": "pkg:npm/%40angular/upgrade@11.2.0-tuxcare.1" } ] } ], "dependencies": [ { "ref": "pkg:npm/%40angular/upgrade@11.2.0-tuxcare.1" } ] }