{
  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "serialNumber": "urn:uuid:e3f964ab-cc9d-5445-b29e-5cab88d4b0a2",
  "version": 1,
  "metadata": {
    "tools": [
      {
        "name": "tuxcare-vex-generator",
        "version": "1.0.0"
      }
    ]
  },
  "components": [
    {
      "bom-ref": "pkg:maven/org.springframework.boot/spring-boot-dependencies@2.3.6.RELEASE-tuxcare.4",
      "type": "library",
      "group": "org.springframework.boot",
      "name": "spring-boot-dependencies",
      "version": "2.3.6.RELEASE-tuxcare.4",
      "purl": "pkg:maven/org.springframework.boot/spring-boot-dependencies@2.3.6.RELEASE-tuxcare.4"
    }
  ],
  "vulnerabilities": [
    {
      "bom-ref": "urn:uuid:c9892a28-de09-52f2-af3a-6e5f32559733",
      "id": "CVE-2023-20873",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2023-20873 is fixed in version 2.3.6.RELEASE-tuxcare.4 of org.springframework.boot:spring-boot-dependencies."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework.boot/spring-boot-dependencies@2.3.6.RELEASE-tuxcare.4"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:a795f03e-a4c0-5e31-8f57-8eee70933078",
      "id": "CVE-2023-20883",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2023-20883 is fixed in version 2.3.6.RELEASE-tuxcare.4 of org.springframework.boot:spring-boot-dependencies."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework.boot/spring-boot-dependencies@2.3.6.RELEASE-tuxcare.4"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:2d3c767e-d158-58c8-8700-7d8c58c387ff",
      "id": "CVE-2023-34055",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2023-34055 is fixed in version 2.3.6.RELEASE-tuxcare.4 of org.springframework.boot:spring-boot-dependencies."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework.boot/spring-boot-dependencies@2.3.6.RELEASE-tuxcare.4"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:f310e8ad-df91-5d6d-8b1d-640375b258c9",
      "id": "CVE-2023-38286",
      "analysis": {
        "state": "false_positive",
        "detail": "Vulnerability CVE-2023-38286 is a false positive for org.springframework.boot:spring-boot-dependencies 2.3.6.RELEASE-tuxcare.4."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework.boot/spring-boot-dependencies@2.3.6.RELEASE-tuxcare.4"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:de18a4df-a806-50b8-b447-d0b027c82832",
      "id": "CVE-2024-38807",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2024-38807 is fixed in version 2.3.6.RELEASE-tuxcare.4 of org.springframework.boot:spring-boot-dependencies."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework.boot/spring-boot-dependencies@2.3.6.RELEASE-tuxcare.4"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:6f4138d6-e725-5552-901a-c4af319af198",
      "id": "CVE-2025-22235",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2025-22235 affects version 2.3.6.RELEASE-tuxcare.4 of org.springframework.boot:spring-boot-dependencies."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework.boot/spring-boot-dependencies@2.3.6.RELEASE-tuxcare.4"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:f17721a3-e74e-5fb0-be69-244504db7cf8",
      "id": "CVE-2026-22733",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2026-22733 is fixed in version 2.3.6.RELEASE-tuxcare.4 of org.springframework.boot:spring-boot-dependencies."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework.boot/spring-boot-dependencies@2.3.6.RELEASE-tuxcare.4"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:4f5d17a1-4b68-56b9-8e4f-ded6f2d17f68",
      "id": "CVE-2026-40972",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-40972 affects version 2.3.6.RELEASE-tuxcare.4 of org.springframework.boot:spring-boot-dependencies."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework.boot/spring-boot-dependencies@2.3.6.RELEASE-tuxcare.4"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:57d1f7eb-df83-5072-8cb9-9355f14b7702",
      "id": "CVE-2026-40973",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-40973 affects version 2.3.6.RELEASE-tuxcare.4 of org.springframework.boot:spring-boot-dependencies."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework.boot/spring-boot-dependencies@2.3.6.RELEASE-tuxcare.4"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:590ba8aa-99ad-59a5-9305-9d8a9771aee5",
      "id": "CVE-2026-40974",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-40974 affects version 2.3.6.RELEASE-tuxcare.4 of org.springframework.boot:spring-boot-dependencies."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework.boot/spring-boot-dependencies@2.3.6.RELEASE-tuxcare.4"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:76ca7179-cc08-5600-b41a-53ff4d935ea4",
      "id": "CVE-2026-40975",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-40975 affects version 2.3.6.RELEASE-tuxcare.4 of org.springframework.boot:spring-boot-dependencies."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework.boot/spring-boot-dependencies@2.3.6.RELEASE-tuxcare.4"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:6d160b13-dac1-5537-94d3-3f516de9f5e3",
      "id": "CVE-2026-40977",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-40977 affects version 2.3.6.RELEASE-tuxcare.4 of org.springframework.boot:spring-boot-dependencies."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework.boot/spring-boot-dependencies@2.3.6.RELEASE-tuxcare.4"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:6fb83428-92d6-5430-9772-095c9758b407",
      "id": "CVE-2026-40992",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2026-40992 does not affect version 2.3.6.RELEASE-tuxcare.4 of org.springframework.boot:spring-boot-dependencies. not_affected \u2014 Spring Boot 2.3.6.RELEASE-tuxcare.4 is not affected by CVE-2026-40992. The vulnerability affects the MailProperties.Ssl auto-configuration feature introduced in Spring Boot 3.4+, which does not exist in version 2.3.6. The target version uses a simpler architecture where mail auto-configuration only passes through user-configured JavaMail properties without actively managing SSL configuration."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework.boot/spring-boot-dependencies@2.3.6.RELEASE-tuxcare.4"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:cc4e2842-d4f9-5504-8575-bd7a5a95a94b",
      "id": "CVE-2026-41001",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-41001 affects version 2.3.6.RELEASE-tuxcare.4 of org.springframework.boot:spring-boot-dependencies."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework.boot/spring-boot-dependencies@2.3.6.RELEASE-tuxcare.4"
        }
      ]
    }
  ],
  "dependencies": [
    {
      "ref": "pkg:maven/org.springframework.boot/spring-boot-dependencies@2.3.6.RELEASE-tuxcare.4"
    }
  ]
}