{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:0e5f40c1-75f4-5036-9a09-febe0af96507", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:npm/%40angular/upgrade@6.0.1", "type": "library", "name": "@angular/upgrade", "version": "6.0.1", "purl": "pkg:npm/%40angular/upgrade@6.0.1" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:cf28e624-0199-5739-adc5-3033512c027e", "id": "CVE-2021-4231", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2021-4231 affects version 6.0.1 of @angular/upgrade." }, "affects": [ { "ref": "pkg:npm/%40angular/upgrade@6.0.1" } ] }, { "bom-ref": "urn:uuid:612671ff-88fc-5713-b91e-54f378515909", "id": "CVE-2026-22610", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22610 affects version 6.0.1 of @angular/upgrade." }, "affects": [ { "ref": "pkg:npm/%40angular/upgrade@6.0.1" } ] }, { "bom-ref": "urn:uuid:e8c088f2-bc9f-5391-968a-de06668fc4d3", "id": "CVE-2026-27970", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-27970 does not affect version 6.0.1 of @angular/upgrade. not_affected \u2014 Angular 6.0.1 is not affected by CVE-2026-27970. This vulnerability is specific to Ivy/render3's runtime ICU message parsing, which does not exist in Angular 6.0.1. Angular 6.0.1 uses View Engine by default, where ICU messages are processed at compile time rather than runtime, eliminating the vulnerable code path." }, "affects": [ { "ref": "pkg:npm/%40angular/upgrade@6.0.1" } ] }, { "bom-ref": "urn:uuid:f4e8cacd-18d5-522a-83e6-c88cf62677c5", "id": "CVE-2026-41423", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41423 does not affect version 6.0.1 of @angular/upgrade. not_affected \u2014 Target repository (Angular 6.0.1-tuxcare.3) is not affected by CVE-2026-41423. The vulnerability requires the WHATWG URL API's protocol-relative URL behavior to override the base hostname. The target uses Node.js legacy url.parse() API which does not exhibit this behavior and does not extract, store, or use hostname information." }, "affects": [ { "ref": "pkg:npm/%40angular/upgrade@6.0.1" } ] }, { "bom-ref": "urn:uuid:0c26bb25-b4f2-5727-9666-8d00c6e2b046", "id": "CVE-2026-46417", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-46417 affects version 6.0.1 of @angular/upgrade." }, "affects": [ { "ref": "pkg:npm/%40angular/upgrade@6.0.1" } ] }, { "bom-ref": "urn:uuid:efd6e41d-a12d-5a79-9649-ff78ce9f8b3b", "id": "CVE-2026-50168", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50168 affects version 6.0.1 of @angular/upgrade." }, "affects": [ { "ref": "pkg:npm/%40angular/upgrade@6.0.1" } ] }, { "bom-ref": "urn:uuid:97dc2cc3-e4db-58e1-aa18-c6caf51c00e5", "id": "CVE-2026-50169", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50169 affects version 6.0.1 of @angular/upgrade." }, "affects": [ { "ref": "pkg:npm/%40angular/upgrade@6.0.1" } ] }, { "bom-ref": "urn:uuid:1fb47ab0-db78-540c-bb9f-13a3f9433518", "id": "CVE-2026-50170", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-50170 does not affect version 6.0.1 of @angular/upgrade. not_affected \u2014 Angular v6.0.1 is NOT affected by CVE-2026-50170. The HTTP TransferCache feature that enables caching of credentialed responses does not exist in this version. This feature was introduced in Angular v16+, whereas the target is running v6.0.1 (10 major versions earlier). The vulnerable code path (transfer_cache.ts, withHttpTransferCache, hasAuthHeaders) is completely absent." }, "affects": [ { "ref": "pkg:npm/%40angular/upgrade@6.0.1" } ] }, { "bom-ref": "urn:uuid:75207102-3243-5d6e-8407-57afed6eb124", "id": "CVE-2026-50171", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50171 affects version 6.0.1 of @angular/upgrade." }, "affects": [ { "ref": "pkg:npm/%40angular/upgrade@6.0.1" } ] }, { "bom-ref": "urn:uuid:e837d702-425a-50cc-9a31-79022efec409", "id": "CVE-2026-50184", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50184 affects version 6.0.1 of @angular/upgrade." }, "affects": [ { "ref": "pkg:npm/%40angular/upgrade@6.0.1" } ] }, { "bom-ref": "urn:uuid:98d1532a-e780-5162-8301-b3f32fadeb9b", "id": "CVE-2026-50555", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50555 affects version 6.0.1 of @angular/upgrade." }, "affects": [ { "ref": "pkg:npm/%40angular/upgrade@6.0.1" } ] }, { "bom-ref": "urn:uuid:a97ce7b9-81aa-508e-ba99-13a264e219d5", "id": "CVE-2026-50556", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50556 affects version 6.0.1 of @angular/upgrade." }, "affects": [ { "ref": "pkg:npm/%40angular/upgrade@6.0.1" } ] }, { "bom-ref": "urn:uuid:87e00c9c-770d-51da-9ca5-b03a289eb4db", "id": "CVE-2026-50557", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50557 affects version 6.0.1 of @angular/upgrade." }, "affects": [ { "ref": "pkg:npm/%40angular/upgrade@6.0.1" } ] }, { "bom-ref": "urn:uuid:f9aed276-05b5-538d-965a-f887fe06031e", "id": "CVE-2026-52725", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-52725 does not affect version 6.0.1 of @angular/upgrade. not_affected \u2014 Angular v6.0.1-tuxcare.3 is not affected by CVE-2026-52725 in its supported configuration. The vulnerability requires the public createComponent({hostElement}) API introduced in Angular v14+, which does not exist in this version. The default View Engine renderer does not use the vulnerable locateHostElement code path." }, "affects": [ { "ref": "pkg:npm/%40angular/upgrade@6.0.1" } ] }, { "bom-ref": "urn:uuid:6661dd80-1eff-5249-8146-4c4ebee4264c", "id": "CVE-2026-54264", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-54264 does not affect version 6.0.1 of @angular/upgrade. not_affected \u2014 Angular version 6.0.1-tuxcare.3 is NOT affected by CVE-2026-54264. The service worker's AssetGroup explicitly drops all request headers before fetching assets, preventing any credentials from being sent to any server (cross-origin or otherwise). The vulnerability pattern requires header preservation across redirects, but this version never preserves headers in the first place." }, "affects": [ { "ref": "pkg:npm/%40angular/upgrade@6.0.1" } ] }, { "bom-ref": "urn:uuid:50f6b24d-266a-54c3-926a-324795de679e", "id": "CVE-2026-54265", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-54265 does not affect version 6.0.1 of @angular/upgrade. not_affected \u2014 Angular 6.0.1-tuxcare.3 uses View Engine, not Ivy. The vulnerability (CVE-2026-54265) is specific to Ivy's TwoWayProperty operation in the template pipeline, which does not exist in View Engine. Two-way bindings in View Engine are processed through the same parsePropertyBinding() code path as one-way bindings and receive identical schema-derived sanitization." }, "affects": [ { "ref": "pkg:npm/%40angular/upgrade@6.0.1" } ] }, { "bom-ref": "urn:uuid:16637d63-1b5e-51ca-a672-6d92850e2d09", "id": "CVE-2026-54266", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-54266 does not affect version 6.0.1 of @angular/upgrade. not_affected \u2014 Angular 6.0.1 does not contain the HttpTransferCache feature that is affected by CVE-2026-54266. The vulnerability requires HttpTransferCache to process HTTP requests and generate cache keys using a weak DJB2 hash, but this entire feature does not exist in Angular 6.0.1. The feature was introduced in later Angular versions (likely v12+). While TransferState exists as a generic state transfer me..." }, "affects": [ { "ref": "pkg:npm/%40angular/upgrade@6.0.1" } ] }, { "bom-ref": "urn:uuid:35776b3f-63b2-53ed-a826-a7ae586f9016", "id": "CVE-2026-54267", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-54267 affects version 6.0.1 of @angular/upgrade." }, "affects": [ { "ref": "pkg:npm/%40angular/upgrade@6.0.1" } ] }, { "bom-ref": "urn:uuid:c11dca2f-5db8-5aa8-b2aa-742dfd0df13b", "id": "CVE-2026-54268", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-54268 affects version 6.0.1 of @angular/upgrade." }, "affects": [ { "ref": "pkg:npm/%40angular/upgrade@6.0.1" } ] } ], "dependencies": [ { "ref": "pkg:npm/%40angular/upgrade@6.0.1" } ] }