{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:25de7757-9ef4-5c79-a492-2eb120ee77da", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:npm/%40angular/upgrade@11.2.11-tuxcare.2", "type": "library", "name": "@angular/upgrade", "version": "11.2.11-tuxcare.2", "purl": "pkg:npm/%40angular/upgrade@11.2.11-tuxcare.2" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:fb0da26c-1181-5f52-890c-efa7c00485e6", "id": "CVE-2025-66035", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-66035 is fixed in version 11.2.11-tuxcare.2 of @angular/upgrade." }, "affects": [ { "ref": "pkg:npm/%40angular/upgrade@11.2.11-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:89a73520-e287-5efe-bc10-29fa6b6baf78", "id": "CVE-2025-66412", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-66412 is fixed in version 11.2.11-tuxcare.2 of @angular/upgrade." }, "affects": [ { "ref": "pkg:npm/%40angular/upgrade@11.2.11-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:07c4662b-83bb-51df-83b9-fd0834cb0ab9", "id": "CVE-2026-22610", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22610 affects version 11.2.11-tuxcare.2 of @angular/upgrade." }, "affects": [ { "ref": "pkg:npm/%40angular/upgrade@11.2.11-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:b545a320-2e2e-5733-bb0c-ee33d9183309", "id": "CVE-2026-27970", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-27970 affects version 11.2.11-tuxcare.2 of @angular/upgrade." }, "affects": [ { "ref": "pkg:npm/%40angular/upgrade@11.2.11-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:c402bfb5-e463-53a0-9551-4df0e1f146a9", "id": "CVE-2026-41423", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41423 affects version 11.2.11-tuxcare.2 of @angular/upgrade." }, "affects": [ { "ref": "pkg:npm/%40angular/upgrade@11.2.11-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:ce71d33d-b1b9-5ad6-91aa-017cd5865dbf", "id": "CVE-2026-46417", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-46417 affects version 11.2.11-tuxcare.2 of @angular/upgrade." }, "affects": [ { "ref": "pkg:npm/%40angular/upgrade@11.2.11-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:2ed543af-36fa-5785-a331-dd4e36e33c24", "id": "CVE-2026-50168", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50168 affects version 11.2.11-tuxcare.2 of @angular/upgrade." }, "affects": [ { "ref": "pkg:npm/%40angular/upgrade@11.2.11-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:1171568d-1b7c-534f-9a12-91da043e7dfa", "id": "CVE-2026-50169", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50169 affects version 11.2.11-tuxcare.2 of @angular/upgrade." }, "affects": [ { "ref": "pkg:npm/%40angular/upgrade@11.2.11-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:66666fb7-03b5-5378-bd04-6fd7a85f0a71", "id": "CVE-2026-50170", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-50170 does not affect version 11.2.11-tuxcare.2 of @angular/upgrade. not_affected \u2014 Angular v11.2.11 is NOT AFFECTED by CVE-2026-50170. The vulnerability affects the HTTP transfer cache feature introduced in Angular v16+, which automatically caches HTTP responses during SSR and replays them during client hydration. This feature does not exist in v11.2.11. The target lacks the entire transfer_cache.ts module, withHttpTransferCache API, transferCacheInterceptorFn, and client hyd..." }, "affects": [ { "ref": "pkg:npm/%40angular/upgrade@11.2.11-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:cb20aaf7-4750-5e65-8daa-1f7651178c51", "id": "CVE-2026-50171", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50171 affects version 11.2.11-tuxcare.2 of @angular/upgrade." }, "affects": [ { "ref": "pkg:npm/%40angular/upgrade@11.2.11-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:3d661fac-73c8-5eb9-9e89-b081736625fe", "id": "CVE-2026-50184", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50184 affects version 11.2.11-tuxcare.2 of @angular/upgrade." }, "affects": [ { "ref": "pkg:npm/%40angular/upgrade@11.2.11-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:69b8b420-7876-5aab-9053-18fd7cd8800e", "id": "CVE-2026-50555", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50555 affects version 11.2.11-tuxcare.2 of @angular/upgrade." }, "affects": [ { "ref": "pkg:npm/%40angular/upgrade@11.2.11-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:065c540d-abcc-568f-a792-34676f407fc1", "id": "CVE-2026-50556", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50556 affects version 11.2.11-tuxcare.2 of @angular/upgrade." }, "affects": [ { "ref": "pkg:npm/%40angular/upgrade@11.2.11-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:8758d929-007d-54c0-a9bf-a1eb637efa89", "id": "CVE-2026-50557", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50557 affects version 11.2.11-tuxcare.2 of @angular/upgrade." }, "affects": [ { "ref": "pkg:npm/%40angular/upgrade@11.2.11-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:5d824445-43f8-5f7c-bbf5-db3fbe9c6bcb", "id": "CVE-2026-52725", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-52725 affects version 11.2.11-tuxcare.2 of @angular/upgrade." }, "affects": [ { "ref": "pkg:npm/%40angular/upgrade@11.2.11-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:72d5a7c7-db2b-5eec-896f-5f20667728e7", "id": "CVE-2026-54264", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-54264 does not affect version 11.2.11-tuxcare.2 of @angular/upgrade. not_affected \u2014 Angular 11.2.11-tuxcare.2 is NOT AFFECTED by CVE-2026-54264. The service worker in this version does not forward request headers during asset reconstruction, eliminating the cross-origin credential leak vulnerability. The vulnerable method `newRequestWithMetadata` that copies headers from the original request does not exist in this version." }, "affects": [ { "ref": "pkg:npm/%40angular/upgrade@11.2.11-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:0b8f09cf-f5a5-5e2a-8b5d-0fecb49c8884", "id": "CVE-2026-54265", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-54265 does not affect version 11.2.11-tuxcare.2 of @angular/upgrade. not_affected \u2014 Angular 11.2.11 is not affected by CVE-2026-54265. The vulnerability targets the new Ivy compiler's TwoWayProperty operation in the template compilation pipeline, which does not exist in Angular 11.2.11. In this version, two-way bindings desugar through the same sanitization-aware parsePropertyBinding code path as one-way bindings, ensuring security-sensitive properties are properly sanitized." }, "affects": [ { "ref": "pkg:npm/%40angular/upgrade@11.2.11-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:19929fec-a41d-5477-a974-5ee8f9bf8c1a", "id": "CVE-2026-54266", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-54266 does not affect version 11.2.11-tuxcare.2 of @angular/upgrade. not_affected \u2014 Angular version 11.2.11 is not affected by CVE-2026-54266. The vulnerable HttpTransferCache feature with weak DJB2 hash-based cache key generation does not exist in this version. This feature was introduced in Angular v16, and version 11.2.11 predates it entirely." }, "affects": [ { "ref": "pkg:npm/%40angular/upgrade@11.2.11-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:fdde5e11-d332-5da5-bac4-1914c42f38dc", "id": "CVE-2026-54267", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-54267 affects version 11.2.11-tuxcare.2 of @angular/upgrade." }, "affects": [ { "ref": "pkg:npm/%40angular/upgrade@11.2.11-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:205426e1-8237-52cc-8565-2b29376821de", "id": "CVE-2026-54268", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-54268 affects version 11.2.11-tuxcare.2 of @angular/upgrade." }, "affects": [ { "ref": "pkg:npm/%40angular/upgrade@11.2.11-tuxcare.2" } ] } ], "dependencies": [ { "ref": "pkg:npm/%40angular/upgrade@11.2.11-tuxcare.2" } ] }