{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:e05571cf-4fdc-529f-8223-0703d3ce57ca", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:maven/org.springframework/spring-beans@5.3.39-tuxcare.8", "type": "library", "group": "org.springframework", "name": "spring-beans", "version": "5.3.39-tuxcare.8", "purl": "pkg:maven/org.springframework/spring-beans@5.3.39-tuxcare.8" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:aa8bc332-00b1-5880-8ecb-40940db741b6", "id": "CVE-2016-1000027", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2016-1000027 affects version 5.3.39-tuxcare.8 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:76d1746e-205d-5e82-b88a-677d5206355e", "id": "CVE-2022-22968", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2022-22968 does not affect version 5.3.39-tuxcare.8 of org.springframework:spring-beans. Spring version 5.3.39 is not affected to CVE-2022-22968 as fix has been already already backported by the original developers" }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:8129eaa7-339c-53ae-bfdf-e9e09f01fa44", "id": "CVE-2024-38816", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38816 is fixed in version 5.3.39-tuxcare.8 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:3bc54f14-71f5-5185-9bdc-d637420de8b5", "id": "CVE-2024-38819", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38819 is fixed in version 5.3.39-tuxcare.8 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:f1e65db1-4752-50f1-bd0f-b6c000aea755", "id": "CVE-2024-38820", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38820 is fixed in version 5.3.39-tuxcare.8 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:7f697618-d34a-56a2-a441-355ec7cbeb97", "id": "CVE-2024-38828", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38828 is fixed in version 5.3.39-tuxcare.8 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:4ba3bace-a8c5-5624-b40c-d86f781bdd08", "id": "CVE-2025-22233", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-22233 is fixed in version 5.3.39-tuxcare.8 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:0206e8a2-d1f8-5364-af6d-d075dd6064cb", "id": "CVE-2025-41234", "analysis": { "state": "false_positive", "detail": "Vulnerability CVE-2025-41234 is a false positive for org.springframework:spring-beans 5.3.39-tuxcare.8." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:51d55091-ed7a-505a-b3d9-32c9f1fff08a", "id": "CVE-2025-41242", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-41242 is fixed in version 5.3.39-tuxcare.8 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:ec148b80-0a89-591b-aead-8b89ff39a379", "id": "CVE-2025-41249", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-41249 is fixed in version 5.3.39-tuxcare.8 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:c38e7a28-1982-5527-a3ba-e59181039c60", "id": "CVE-2025-41254", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41254 affects version 5.3.39-tuxcare.8 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:d2c8ec1f-f485-51d8-bdb7-46612d24d107", "id": "CVE-2026-22735", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22735 affects version 5.3.39-tuxcare.8 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:bf9f0739-f569-5c78-b120-3c1173ad3f8e", "id": "CVE-2026-22737", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22737 affects version 5.3.39-tuxcare.8 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:ec43d137-7c28-579c-926c-7e7293ba628e", "id": "CVE-2026-22740", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22740 affects version 5.3.39-tuxcare.8 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:61ee645b-89fa-5a6e-9742-d8136e9ad830", "id": "CVE-2026-22741", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22741 affects version 5.3.39-tuxcare.8 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:cb63a9b9-6b4e-5526-af47-156bfa737aa4", "id": "CVE-2026-22745", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22745 affects version 5.3.39-tuxcare.8 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:3fef58f5-d451-51b0-8c99-67c35b100591", "id": "CVE-2026-41838", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41838 affects version 5.3.39-tuxcare.8 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:730b6aab-1f5a-5b22-9cf0-b983e3aec092", "id": "CVE-2026-41839", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41839 affects version 5.3.39-tuxcare.8 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:997bd915-4c4f-5c57-97fc-35087cab8077", "id": "CVE-2026-41840", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41840 does not affect version 5.3.39-tuxcare.8 of org.springframework:spring-beans. already_fixed \u2014 The target Spring Framework 5.3.39-tuxcare.12 already contains both vendor fixes for CVE-2026-41840. The fixes were backported via commit 4ef4cdca34 (May 13, 2026) under CVE-2026-22740, but the code changes are identical to the upstream patches. Both doOnDiscard handlers are present and active in PartGenerator.java and MultipartHttpMessageReader.java, preventing memory exhaustion from unrelease..." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:24c186c8-b515-5642-b7f8-b2d60ebb7070", "id": "CVE-2026-41841", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41841 affects version 5.3.39-tuxcare.8 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:883b66c5-24d2-58b7-846d-53d84b1b8757", "id": "CVE-2026-41842", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41842 affects version 5.3.39-tuxcare.8 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:76b1a54d-83df-537a-a425-668d8142fe16", "id": "CVE-2026-41843", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41843 affects version 5.3.39-tuxcare.8 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:50105e07-d26a-573f-9165-7bd5b06ec39d", "id": "CVE-2026-41844", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41844 affects version 5.3.39-tuxcare.8 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:9d65f019-1142-5fb8-befd-4e43d33abc17", "id": "CVE-2026-41845", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41845 affects version 5.3.39-tuxcare.8 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:ed04e886-c8be-53d2-a6ef-40be305a6158", "id": "CVE-2026-41846", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41846 affects version 5.3.39-tuxcare.8 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:13b19e4b-c016-5fd0-9d1d-620f6a414220", "id": "CVE-2026-41847", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41847 affects version 5.3.39-tuxcare.8 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:2b96ea27-f8d4-5f3f-88c1-260fc2045041", "id": "CVE-2026-41848", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41848 affects version 5.3.39-tuxcare.8 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:8808c62e-a232-5933-b22a-704ce791b8af", "id": "CVE-2026-41849", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41849 affects version 5.3.39-tuxcare.8 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:fe136033-d652-55e4-b4f5-3646d1d002ea", "id": "CVE-2026-41850", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41850 affects version 5.3.39-tuxcare.8 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:d5eff8a0-ca0c-5b4e-8c5c-c0eeac75d566", "id": "CVE-2026-41851", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41851 affects version 5.3.39-tuxcare.8 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:c87f2c0c-6f0e-5774-9360-d2ccfbca1507", "id": "CVE-2026-41852", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41852 affects version 5.3.39-tuxcare.8 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:f0d72520-5465-5ce5-be51-e50f0769e6d1", "id": "CVE-2026-41853", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41853 affects version 5.3.39-tuxcare.8 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:f353631c-6537-5c38-a98d-ec3d50c6b5bf", "id": "CVE-2026-41855", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41855 affects version 5.3.39-tuxcare.8 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@5.3.39-tuxcare.8" } ] } ], "dependencies": [ { "ref": "pkg:maven/org.springframework/spring-beans@5.3.39-tuxcare.8" } ] }