{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:d4da7ed4-0160-5bfb-905c-80936b7b64e6", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:npm/%40angular/upgrade@8.0.0", "type": "library", "name": "@angular/upgrade", "version": "8.0.0", "purl": "pkg:npm/%40angular/upgrade@8.0.0" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:c5dae0ef-1b8b-5b3a-aa79-1ec58beef6f3", "id": "CVE-2021-4231", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2021-4231 affects version 8.0.0 of @angular/upgrade." }, "affects": [ { "ref": "pkg:npm/%40angular/upgrade@8.0.0" } ] }, { "bom-ref": "urn:uuid:0659ab5a-d007-572a-849e-41bfbf288aa9", "id": "CVE-2026-22610", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22610 affects version 8.0.0 of @angular/upgrade." }, "affects": [ { "ref": "pkg:npm/%40angular/upgrade@8.0.0" } ] }, { "bom-ref": "urn:uuid:6ed2c6ca-4117-516a-8953-8e3da27dceb6", "id": "CVE-2026-27970", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-27970 affects version 8.0.0 of @angular/upgrade." }, "affects": [ { "ref": "pkg:npm/%40angular/upgrade@8.0.0" } ] }, { "bom-ref": "urn:uuid:bc87b489-f773-5624-987d-bc449e200e24", "id": "CVE-2026-41423", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41423 does not affect version 8.0.0 of @angular/upgrade. not_affected \u2014 The target Angular 8.0.0 is not affected by CVE-2026-41423. The vulnerability exists only in newer Angular versions (17+) that use the WHATWG URL API. The target uses Node.js url.parse() which does not interpret protocol-relative URLs (//evil.com) as hostname overrides when used without a base URL parameter." }, "affects": [ { "ref": "pkg:npm/%40angular/upgrade@8.0.0" } ] }, { "bom-ref": "urn:uuid:946387af-8fb0-586e-81ae-d07459cdb014", "id": "CVE-2026-46417", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-46417 affects version 8.0.0 of @angular/upgrade." }, "affects": [ { "ref": "pkg:npm/%40angular/upgrade@8.0.0" } ] }, { "bom-ref": "urn:uuid:8dedc331-87e0-5c5d-8107-556e18fe5099", "id": "CVE-2026-50168", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50168 affects version 8.0.0 of @angular/upgrade." }, "affects": [ { "ref": "pkg:npm/%40angular/upgrade@8.0.0" } ] }, { "bom-ref": "urn:uuid:df496095-5c07-5b43-b04e-24421df2090d", "id": "CVE-2026-50169", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50169 affects version 8.0.0 of @angular/upgrade." }, "affects": [ { "ref": "pkg:npm/%40angular/upgrade@8.0.0" } ] }, { "bom-ref": "urn:uuid:221d6cab-1ce5-511d-aff7-32fa6a939155", "id": "CVE-2026-50170", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-50170 does not affect version 8.0.0 of @angular/upgrade. not_affected \u2014 Angular v8.0.0 is not affected by CVE-2026-50170. The vulnerability requires the HTTP TransferCache feature (automatic caching of HTTP responses during SSR with client hydration), which was introduced in Angular v16+. Version 8.0.0 lacks the vulnerable code path entirely: no transfer_cache.ts, no transferCacheInterceptorFn, no shouldCacheRequest() function, and no automatic HTTP response cachin..." }, "affects": [ { "ref": "pkg:npm/%40angular/upgrade@8.0.0" } ] }, { "bom-ref": "urn:uuid:806d3d5a-2ff5-5ba8-8990-304e0efb0290", "id": "CVE-2026-50171", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50171 affects version 8.0.0 of @angular/upgrade." }, "affects": [ { "ref": "pkg:npm/%40angular/upgrade@8.0.0" } ] }, { "bom-ref": "urn:uuid:493c7d22-65fe-5ce0-a87f-5b8b76f9cc7c", "id": "CVE-2026-50184", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50184 affects version 8.0.0 of @angular/upgrade." }, "affects": [ { "ref": "pkg:npm/%40angular/upgrade@8.0.0" } ] }, { "bom-ref": "urn:uuid:a3329205-e2ad-5389-8d1b-3454960b191f", "id": "CVE-2026-50555", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50555 affects version 8.0.0 of @angular/upgrade." }, "affects": [ { "ref": "pkg:npm/%40angular/upgrade@8.0.0" } ] }, { "bom-ref": "urn:uuid:f378269e-b969-518e-9e6c-5317fd35b0ac", "id": "CVE-2026-50556", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50556 affects version 8.0.0 of @angular/upgrade." }, "affects": [ { "ref": "pkg:npm/%40angular/upgrade@8.0.0" } ] }, { "bom-ref": "urn:uuid:c343f925-9a88-5fcf-9ceb-38fd98a95c0d", "id": "CVE-2026-50557", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-50557 affects version 8.0.0 of @angular/upgrade." }, "affects": [ { "ref": "pkg:npm/%40angular/upgrade@8.0.0" } ] }, { "bom-ref": "urn:uuid:16a3c617-44ba-537a-99ce-0a06a6cd806a", "id": "CVE-2026-52725", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-52725 affects version 8.0.0 of @angular/upgrade." }, "affects": [ { "ref": "pkg:npm/%40angular/upgrade@8.0.0" } ] }, { "bom-ref": "urn:uuid:d462f7db-edad-5166-99e2-799013d4fb3d", "id": "CVE-2026-54264", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-54264 does not affect version 8.0.0 of @angular/upgrade. not_affected \u2014 Target version 8.0.0-tuxcare.2 is NOT AFFECTED by CVE-2026-54264. The Service Worker implementation strips ALL request headers (including Authorization, Proxy-Authorization, and Cookie) when reconstructing network requests for asset fetches. This architectural design prevents sensitive headers from being forwarded to any destination, including cross-origin redirect targets." }, "affects": [ { "ref": "pkg:npm/%40angular/upgrade@8.0.0" } ] }, { "bom-ref": "urn:uuid:dabaf2f3-e94c-5b8b-9bb2-0644ae5a34be", "id": "CVE-2026-54265", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-54265 does not affect version 8.0.0 of @angular/upgrade. not_affected \u2014 Angular 8.0.0-tuxcare.2 is NOT affected by CVE-2026-54265. This vulnerability is specific to the Ivy template compiler pipeline introduced in Angular 9+. Angular 8.0.0 uses View Engine, which desugars two-way bindings through the same parsePropertyBinding() code path as one-way bindings, inherently applying schema-derived sanitization. The vulnerable TwoWayProperty operation and resolve_sanitiz..." }, "affects": [ { "ref": "pkg:npm/%40angular/upgrade@8.0.0" } ] }, { "bom-ref": "urn:uuid:7832846a-545e-5c20-b1f3-f54c4032361d", "id": "CVE-2026-54266", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-54266 does not affect version 8.0.0 of @angular/upgrade. not_affected \u2014 Angular 8.0.0 does not contain the vulnerable HttpTransferCache feature. The CVE-2026-54266 vulnerability affects HttpTransferCache, which was introduced in Angular 9+. While this version has the underlying TransferState mechanism, it lacks the automatic HTTP request caching feature with the vulnerable DJB2 hash-based cache key generation." }, "affects": [ { "ref": "pkg:npm/%40angular/upgrade@8.0.0" } ] }, { "bom-ref": "urn:uuid:dea989f3-0633-5245-bb13-da605f625222", "id": "CVE-2026-54267", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-54267 affects version 8.0.0 of @angular/upgrade." }, "affects": [ { "ref": "pkg:npm/%40angular/upgrade@8.0.0" } ] }, { "bom-ref": "urn:uuid:9ea714f6-ecbc-5b00-9d76-800ee6e5bf90", "id": "CVE-2026-54268", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-54268 affects version 8.0.0 of @angular/upgrade." }, "affects": [ { "ref": "pkg:npm/%40angular/upgrade@8.0.0" } ] } ], "dependencies": [ { "ref": "pkg:npm/%40angular/upgrade@8.0.0" } ] }