{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:e98688b5-5a06-5308-94a1-157ac98e0ed5", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:npm/%40angular/upgrade@15.0.3-tuxcare.1", "type": "library", "name": "@angular/upgrade", "version": "15.0.3-tuxcare.1", "purl": "pkg:npm/%40angular/upgrade@15.0.3-tuxcare.1" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:cb0282d0-e8fd-5870-aa2a-fe07625cf3a2", "id": "CVE-2025-66035", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-66035 is fixed in version 15.0.3-tuxcare.1 of @angular/upgrade." }, "affects": [ { "ref": "pkg:npm/%40angular/upgrade@15.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:8c52ee4d-4a0a-5127-b88b-1f60ffd89f9a", "id": "CVE-2025-66412", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-66412 affects version 15.0.3-tuxcare.1 of @angular/upgrade." }, "affects": [ { "ref": "pkg:npm/%40angular/upgrade@15.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:74241f38-478b-5046-a7c3-ad42db0bda05", "id": "CVE-2026-22610", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22610 affects version 15.0.3-tuxcare.1 of @angular/upgrade." }, "affects": [ { "ref": "pkg:npm/%40angular/upgrade@15.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:d578bcc1-7940-5631-91b3-a7b8e0128956", "id": "CVE-2026-27970", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-27970 affects version 15.0.3-tuxcare.1 of @angular/upgrade." }, "affects": [ { "ref": "pkg:npm/%40angular/upgrade@15.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:2fee8cfb-2b4d-565e-83ff-fe822da3a1ca", "id": "CVE-2026-41423", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41423 affects version 15.0.3-tuxcare.1 of @angular/upgrade." }, "affects": [ { "ref": "pkg:npm/%40angular/upgrade@15.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:63ad4a12-ff5a-58cc-9c9d-5195d2cccaef", "id": "CVE-2026-46417", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-46417 affects version 15.0.3-tuxcare.1 of @angular/upgrade." }, "affects": [ { "ref": "pkg:npm/%40angular/upgrade@15.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:550e3582-0d7d-542f-96c4-e53698844cd6", "id": "CVE-2026-50168", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50168 affects version 15.0.3-tuxcare.1 of @angular/upgrade." }, "affects": [ { "ref": "pkg:npm/%40angular/upgrade@15.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:d1875f45-f94b-570d-82a9-0c27ed7e54d3", "id": "CVE-2026-50169", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50169 affects version 15.0.3-tuxcare.1 of @angular/upgrade." }, "affects": [ { "ref": "pkg:npm/%40angular/upgrade@15.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:52a4b831-b934-5808-a405-92643b43f31a", "id": "CVE-2026-50170", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-50170 does not affect version 15.0.3-tuxcare.1 of @angular/upgrade. not_affected \u2014 Angular 15.0.3-tuxcare.1 is NOT affected by CVE-2026-50170. The HTTP TransferCache feature that is vulnerable in later Angular versions (v16+) does not exist in this version. The vulnerable code (transfer_cache.ts, hasAuthHeaders(), shouldCacheRequest(), withHttpTransferCache, provideClientHydration) is absent from Angular 15.0.3." }, "affects": [ { "ref": "pkg:npm/%40angular/upgrade@15.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:9896bb08-bff5-5f6e-b982-b34dafb27420", "id": "CVE-2026-50171", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50171 affects version 15.0.3-tuxcare.1 of @angular/upgrade." }, "affects": [ { "ref": "pkg:npm/%40angular/upgrade@15.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:7c0af62a-fe0a-5eb3-afa4-7a12b667ef5e", "id": "CVE-2026-50184", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50184 affects version 15.0.3-tuxcare.1 of @angular/upgrade." }, "affects": [ { "ref": "pkg:npm/%40angular/upgrade@15.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:50aec34c-701a-55ad-bfbc-8d27b5fe655b", "id": "CVE-2026-50555", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50555 affects version 15.0.3-tuxcare.1 of @angular/upgrade." }, "affects": [ { "ref": "pkg:npm/%40angular/upgrade@15.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:7d7dacfb-f362-57dd-8b9a-96fcf4ae485a", "id": "CVE-2026-50556", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50556 affects version 15.0.3-tuxcare.1 of @angular/upgrade." }, "affects": [ { "ref": "pkg:npm/%40angular/upgrade@15.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:56a45d25-2736-5d6e-a57f-fad039e1adea", "id": "CVE-2026-50557", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50557 affects version 15.0.3-tuxcare.1 of @angular/upgrade." }, "affects": [ { "ref": "pkg:npm/%40angular/upgrade@15.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:8f4557ee-61f6-5262-acf1-2134a8368853", "id": "CVE-2026-52725", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-52725 affects version 15.0.3-tuxcare.1 of @angular/upgrade." }, "affects": [ { "ref": "pkg:npm/%40angular/upgrade@15.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:75ec5ea6-92b9-54ad-bbca-b51d423fef64", "id": "CVE-2026-54264", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-54264 affects version 15.0.3-tuxcare.1 of @angular/upgrade." }, "affects": [ { "ref": "pkg:npm/%40angular/upgrade@15.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:b5ac2cd9-e505-5aad-a29e-1e64f1e4ee55", "id": "CVE-2026-54265", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-54265 does not affect version 15.0.3-tuxcare.1 of @angular/upgrade. not_affected \u2014 Angular 15.0.3 is NOT AFFECTED by CVE-2026-54265. This version uses a different compiler architecture where two-way bindings desugar through the same code path as one-way bindings, both receiving identical security context resolution and sanitizer assignment. The vulnerable code (Ivy template pipeline with separate TwoWayProperty operation type) does not exist in this version." }, "affects": [ { "ref": "pkg:npm/%40angular/upgrade@15.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:9b877bf9-56bf-5c3b-a1fb-aa8cacdb47b4", "id": "CVE-2026-54266", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-54266 does not affect version 15.0.3-tuxcare.1 of @angular/upgrade. not_affected \u2014 Angular v15.0.3-tuxcare.1 is NOT affected by CVE-2026-54266. The vulnerable HttpTransferCache feature with weak DJB2 hash-based cache keys does not exist in this version. This feature was introduced in Angular v16+. The target has no code path from HTTP request handling to the vulnerability's cache poisoning goal." }, "affects": [ { "ref": "pkg:npm/%40angular/upgrade@15.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:2d4de167-2cbf-5805-8c03-bd06baf6fa6c", "id": "CVE-2026-54267", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-54267 affects version 15.0.3-tuxcare.1 of @angular/upgrade." }, "affects": [ { "ref": "pkg:npm/%40angular/upgrade@15.0.3-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:30f5941f-980e-568a-bb89-5736a937459d", "id": "CVE-2026-54268", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-54268 affects version 15.0.3-tuxcare.1 of @angular/upgrade." }, "affects": [ { "ref": "pkg:npm/%40angular/upgrade@15.0.3-tuxcare.1" } ] } ], "dependencies": [ { "ref": "pkg:npm/%40angular/upgrade@15.0.3-tuxcare.1" } ] }