{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:0ef6abeb-c634-5be3-8a80-06e5e4ea9c3f", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:npm/%40angular/upgrade@15.2.9", "type": "library", "name": "@angular/upgrade", "version": "15.2.9", "purl": "pkg:npm/%40angular/upgrade@15.2.9" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:85e91a80-2345-5acd-9506-ad462ffac3e9", "id": "CVE-2025-66412", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-66412 affects version 15.2.9 of @angular/upgrade." }, "affects": [ { "ref": "pkg:npm/%40angular/upgrade@15.2.9" } ] }, { "bom-ref": "urn:uuid:ddfe1ee6-3609-5955-a22b-78b6c80117c7", "id": "CVE-2026-22610", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22610 affects version 15.2.9 of @angular/upgrade." }, "affects": [ { "ref": "pkg:npm/%40angular/upgrade@15.2.9" } ] }, { "bom-ref": "urn:uuid:f99b74c3-1467-55a0-8fa6-29f517c448c7", "id": "CVE-2026-27970", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-27970 affects version 15.2.9 of @angular/upgrade." }, "affects": [ { "ref": "pkg:npm/%40angular/upgrade@15.2.9" } ] }, { "bom-ref": "urn:uuid:682f1c9b-c0be-5791-aa10-74c37051b193", "id": "CVE-2026-41423", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41423 does not affect version 15.2.9 of @angular/upgrade. not_affected \u2014 Angular 15.2.9 is not affected by CVE-2026-41423. The SSRF vulnerability via protocol-relative URLs was introduced in Angular 17.0.0 when the codebase switched from Node.js url.parse to WHATWG URL API. Angular 15.2.9 still uses the legacy Node.js url.parse which treats protocol-relative URLs ('//evil.com') as pathnames, not hostname overrides, preventing the SSRF attack vector." }, "affects": [ { "ref": "pkg:npm/%40angular/upgrade@15.2.9" } ] }, { "bom-ref": "urn:uuid:bf7b1249-47de-5f2e-a024-58d20586cb0f", "id": "CVE-2026-46417", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-46417 affects version 15.2.9 of @angular/upgrade." }, "affects": [ { "ref": "pkg:npm/%40angular/upgrade@15.2.9" } ] }, { "bom-ref": "urn:uuid:174db81c-2c38-560a-adfc-175b4631908b", "id": "CVE-2026-50168", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50168 affects version 15.2.9 of @angular/upgrade." }, "affects": [ { "ref": "pkg:npm/%40angular/upgrade@15.2.9" } ] }, { "bom-ref": "urn:uuid:85764c34-5268-5ca0-ab08-4534640d9a27", "id": "CVE-2026-50169", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50169 affects version 15.2.9 of @angular/upgrade." }, "affects": [ { "ref": "pkg:npm/%40angular/upgrade@15.2.9" } ] }, { "bom-ref": "urn:uuid:96586a06-cef4-5edc-91f9-5d81ccc48bb1", "id": "CVE-2026-50170", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-50170 does not affect version 15.2.9 of @angular/upgrade. not_affected \u2014 no evidence captured" }, "affects": [ { "ref": "pkg:npm/%40angular/upgrade@15.2.9" } ] }, { "bom-ref": "urn:uuid:37ae464d-0c94-583f-8bc6-69da85e74f0e", "id": "CVE-2026-50171", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50171 affects version 15.2.9 of @angular/upgrade." }, "affects": [ { "ref": "pkg:npm/%40angular/upgrade@15.2.9" } ] }, { "bom-ref": "urn:uuid:6912c43e-8b30-56c2-89bc-1d9251497712", "id": "CVE-2026-50184", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50184 affects version 15.2.9 of @angular/upgrade." }, "affects": [ { "ref": "pkg:npm/%40angular/upgrade@15.2.9" } ] }, { "bom-ref": "urn:uuid:8a44a449-4918-573a-9710-08d5415051d0", "id": "CVE-2026-50555", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50555 affects version 15.2.9 of @angular/upgrade." }, "affects": [ { "ref": "pkg:npm/%40angular/upgrade@15.2.9" } ] }, { "bom-ref": "urn:uuid:5b85bbef-a224-5e13-98e6-f547abf0ac08", "id": "CVE-2026-50556", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50556 affects version 15.2.9 of @angular/upgrade." }, "affects": [ { "ref": "pkg:npm/%40angular/upgrade@15.2.9" } ] }, { "bom-ref": "urn:uuid:9ed8d0a6-9051-5b8d-81b7-c6f015c364b7", "id": "CVE-2026-50557", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50557 affects version 15.2.9 of @angular/upgrade." }, "affects": [ { "ref": "pkg:npm/%40angular/upgrade@15.2.9" } ] }, { "bom-ref": "urn:uuid:66fae710-2400-54a1-a64b-32f5f62be8ef", "id": "CVE-2026-52725", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-52725 affects version 15.2.9 of @angular/upgrade." }, "affects": [ { "ref": "pkg:npm/%40angular/upgrade@15.2.9" } ] }, { "bom-ref": "urn:uuid:35d7c41c-173b-543f-bd10-e4c55d290084", "id": "CVE-2026-54264", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-54264 affects version 15.2.9 of @angular/upgrade." }, "affects": [ { "ref": "pkg:npm/%40angular/upgrade@15.2.9" } ] }, { "bom-ref": "urn:uuid:dfa2c406-8f4b-578a-9f16-6d5191d01f80", "id": "CVE-2026-54265", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-54265 does not affect version 15.2.9 of @angular/upgrade. not_affected \u2014 Angular 15.2.9-tuxcare.1 is not affected by CVE-2026-54265. The vulnerability requires the new Ivy compiler 'pipeline' architecture with the TwoWayProperty IR operation, which was introduced in Angular 16+. Angular 15.2.9 uses the older compiler architecture where two-way bindings are desugared into separate property and event bindings, causing them to automatically receive the same sanitizatio..." }, "affects": [ { "ref": "pkg:npm/%40angular/upgrade@15.2.9" } ] }, { "bom-ref": "urn:uuid:f4debc85-7876-50f4-b293-1d9fd4f39947", "id": "CVE-2026-54266", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-54266 does not affect version 15.2.9 of @angular/upgrade. not_affected \u2014 Angular 15.2.9 is not affected by CVE-2026-54266. The vulnerable HttpTransferCache feature does not exist in this version - it was introduced in Angular v16+. Without this feature, there is no code that hashes HTTP request properties for cache key generation, so the hash collision vulnerability cannot manifest." }, "affects": [ { "ref": "pkg:npm/%40angular/upgrade@15.2.9" } ] }, { "bom-ref": "urn:uuid:f0b0a48d-6f4e-593e-a14d-ed0218e8d135", "id": "CVE-2026-54267", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-54267 affects version 15.2.9 of @angular/upgrade." }, "affects": [ { "ref": "pkg:npm/%40angular/upgrade@15.2.9" } ] }, { "bom-ref": "urn:uuid:d55b1b68-446f-5a89-9597-0ef1a4e24e9a", "id": "CVE-2026-54268", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-54268 affects version 15.2.9 of @angular/upgrade." }, "affects": [ { "ref": "pkg:npm/%40angular/upgrade@15.2.9" } ] } ], "dependencies": [ { "ref": "pkg:npm/%40angular/upgrade@15.2.9" } ] }