{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:ca49955f-4c5b-552c-854d-7eaa710d325b", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:npm/%40angular/upgrade@19.2.21-tuxcare.4", "type": "library", "name": "@angular/upgrade", "version": "19.2.21-tuxcare.4", "purl": "pkg:npm/%40angular/upgrade@19.2.21-tuxcare.4" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:9dba7162-7852-50c3-bb4a-b7595b1e03bc", "id": "CVE-2026-27970", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-27970 does not affect version 19.2.21-tuxcare.4 of @angular/upgrade. already_fixed \u2014 The target repository (Angular 19.2.21-tuxcare.4) already contains the fix for CVE-2026-27970. The vulnerability (XSS via unsanitized HTML attributes in ICU message translations) has been addressed by TuxCare in prior backports. The defense mechanism in packages/core/src/render3/i18n/i18n_parse.ts lines 829-843 implements the same attribute allowlist validation as the vendor patch, blocking URI..." }, "affects": [ { "ref": "pkg:npm/%40angular/upgrade@19.2.21-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:03b7fde8-3c97-58ce-bcfd-50101f92580a", "id": "CVE-2026-46417", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-46417 is fixed in version 19.2.21-tuxcare.4 of @angular/upgrade." }, "affects": [ { "ref": "pkg:npm/%40angular/upgrade@19.2.21-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:1ed3712b-5bbd-5f1a-93d2-be29b6cb9e1d", "id": "CVE-2026-50168", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-50168 is fixed in version 19.2.21-tuxcare.4 of @angular/upgrade." }, "affects": [ { "ref": "pkg:npm/%40angular/upgrade@19.2.21-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:3172f3a4-af33-5eb7-ac5e-2f84ab58481d", "id": "CVE-2026-50169", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-50169 is fixed in version 19.2.21-tuxcare.4 of @angular/upgrade." }, "affects": [ { "ref": "pkg:npm/%40angular/upgrade@19.2.21-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:a77efd94-d4df-5b18-891d-4247415af524", "id": "CVE-2026-50170", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-50170 is fixed in version 19.2.21-tuxcare.4 of @angular/upgrade." }, "affects": [ { "ref": "pkg:npm/%40angular/upgrade@19.2.21-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:4bd15126-c57b-5bbf-bd89-051444920e6a", "id": "CVE-2026-50171", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-50171 is fixed in version 19.2.21-tuxcare.4 of @angular/upgrade." }, "affects": [ { "ref": "pkg:npm/%40angular/upgrade@19.2.21-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:41293ad3-037f-5ce0-a35f-9a7ab689111f", "id": "CVE-2026-50184", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-50184 is fixed in version 19.2.21-tuxcare.4 of @angular/upgrade." }, "affects": [ { "ref": "pkg:npm/%40angular/upgrade@19.2.21-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:4ee78dc5-4bc5-5f15-95f1-74bf0f8f2b94", "id": "CVE-2026-50555", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-50555 is fixed in version 19.2.21-tuxcare.4 of @angular/upgrade." }, "affects": [ { "ref": "pkg:npm/%40angular/upgrade@19.2.21-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:153fb06c-ba9e-5017-b1b4-23199d737606", "id": "CVE-2026-50556", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-50556 is fixed in version 19.2.21-tuxcare.4 of @angular/upgrade." }, "affects": [ { "ref": "pkg:npm/%40angular/upgrade@19.2.21-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:46066f83-2643-5d58-9d56-fae9231b53bb", "id": "CVE-2026-50557", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-50557 is fixed in version 19.2.21-tuxcare.4 of @angular/upgrade." }, "affects": [ { "ref": "pkg:npm/%40angular/upgrade@19.2.21-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:87fa04f4-2b6c-5b42-a411-73c9e7772aac", "id": "CVE-2026-52725", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-52725 is fixed in version 19.2.21-tuxcare.4 of @angular/upgrade." }, "affects": [ { "ref": "pkg:npm/%40angular/upgrade@19.2.21-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:f2ded0e8-0b01-5e8e-9a98-96dcbbae9f57", "id": "CVE-2026-54264", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-54264 is fixed in version 19.2.21-tuxcare.4 of @angular/upgrade." }, "affects": [ { "ref": "pkg:npm/%40angular/upgrade@19.2.21-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:e3353617-bfef-5076-bd6b-9f532c92c6e5", "id": "CVE-2026-54265", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-54265 is fixed in version 19.2.21-tuxcare.4 of @angular/upgrade." }, "affects": [ { "ref": "pkg:npm/%40angular/upgrade@19.2.21-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:e418210b-5db4-5612-ac87-cfc75d7a26ed", "id": "CVE-2026-54266", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-54266 is fixed in version 19.2.21-tuxcare.4 of @angular/upgrade." }, "affects": [ { "ref": "pkg:npm/%40angular/upgrade@19.2.21-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:b094e8d4-607c-5ca6-b8d2-056798df8bb3", "id": "CVE-2026-54267", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-54267 is fixed in version 19.2.21-tuxcare.4 of @angular/upgrade." }, "affects": [ { "ref": "pkg:npm/%40angular/upgrade@19.2.21-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:81795d37-95fc-5394-bc23-41f102ef084c", "id": "CVE-2026-54268", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-54268 is fixed in version 19.2.21-tuxcare.4 of @angular/upgrade." }, "affects": [ { "ref": "pkg:npm/%40angular/upgrade@19.2.21-tuxcare.4" } ] } ], "dependencies": [ { "ref": "pkg:npm/%40angular/upgrade@19.2.21-tuxcare.4" } ] }