{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:5b09c335-4b1c-5c0e-9232-262ee7a6cf72", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:maven/org.springframework/spring-beans@5.3.39.tuxcare.4", "type": "library", "group": "org.springframework", "name": "spring-beans", "version": "5.3.39.tuxcare.4", "purl": "pkg:maven/org.springframework/spring-beans@5.3.39.tuxcare.4" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:0065623b-eff8-5864-a9ee-10239e24a89e", "id": "CVE-2016-1000027", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2016-1000027 affects version 5.3.39.tuxcare.4 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:f58b2774-1d83-520e-a8fa-cb22a951dbc0", "id": "CVE-2022-22968", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2022-22968 does not affect version 5.3.39.tuxcare.4 of org.springframework:spring-beans. Spring version 5.3.39 is not affected to CVE-2022-22968 as fix has been already already backported by the original developers" }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:5c781b16-f605-5996-97da-ccd38f78b489", "id": "CVE-2024-38816", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38816 is fixed in version 5.3.39.tuxcare.4 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:648516c3-9b2e-5415-84ec-7f0a3dbd4433", "id": "CVE-2024-38819", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38819 is fixed in version 5.3.39.tuxcare.4 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:53c43724-d739-568b-b476-dd3e1616da7b", "id": "CVE-2024-38820", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38820 affects version 5.3.39.tuxcare.4 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:69ab0100-18c4-5470-8797-1008a4c5c3ec", "id": "CVE-2024-38828", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38828 is fixed in version 5.3.39.tuxcare.4 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:e9e32ad6-afff-5db6-96f7-bb3af8fe4b19", "id": "CVE-2025-22233", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-22233 affects version 5.3.39.tuxcare.4 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:0d45f024-f360-55fb-b945-9de69cfca1f4", "id": "CVE-2025-41234", "analysis": { "state": "false_positive", "detail": "Vulnerability CVE-2025-41234 is a false positive for org.springframework:spring-beans 5.3.39.tuxcare.4." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:aafc05dc-e76a-52c7-b35c-89979183be83", "id": "CVE-2025-41242", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41242 affects version 5.3.39.tuxcare.4 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:80b14417-bc33-564f-b8e7-f53b7a93c1c3", "id": "CVE-2025-41249", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41249 affects version 5.3.39.tuxcare.4 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:5c75e410-ff1b-5ffd-b6e7-94a05284ffea", "id": "CVE-2025-41254", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41254 affects version 5.3.39.tuxcare.4 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:9706fd10-a783-5f57-83cc-74f87458fbc0", "id": "CVE-2026-22735", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22735 affects version 5.3.39.tuxcare.4 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:f90a4556-8ed5-57a6-9fc4-eacb2b89c052", "id": "CVE-2026-22737", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22737 affects version 5.3.39.tuxcare.4 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:b950d38e-1f1d-5bab-a8d2-271f9ff04bf0", "id": "CVE-2026-22740", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22740 affects version 5.3.39.tuxcare.4 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:9a8e808f-0e05-5d7d-8d7b-a24e7e2bddfd", "id": "CVE-2026-22741", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22741 affects version 5.3.39.tuxcare.4 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:518e1f00-71a7-5072-8d11-fb96ef5bab05", "id": "CVE-2026-22745", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22745 affects version 5.3.39.tuxcare.4 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:0ffc5ffe-9973-5672-924a-1481a688ea87", "id": "CVE-2026-41838", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41838 affects version 5.3.39.tuxcare.4 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:2aae4ae9-8d5c-5de9-96cd-d7206fd8a842", "id": "CVE-2026-41839", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41839 affects version 5.3.39.tuxcare.4 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:d92ad82f-a12a-5804-88b4-2d5eb08cce3c", "id": "CVE-2026-41840", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41840 does not affect version 5.3.39.tuxcare.4 of org.springframework:spring-beans. already_fixed \u2014 The target Spring Framework 5.3.39-tuxcare.12 already contains both vendor fixes for CVE-2026-41840. The fixes were backported via commit 4ef4cdca34 (May 13, 2026) under CVE-2026-22740, but the code changes are identical to the upstream patches. Both doOnDiscard handlers are present and active in PartGenerator.java and MultipartHttpMessageReader.java, preventing memory exhaustion from unrelease..." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:c1d27dd6-2631-5e69-a67a-14cacf9c0b28", "id": "CVE-2026-41841", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41841 affects version 5.3.39.tuxcare.4 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:ad0eab4f-afeb-5fc1-97d8-2aa1e3cb81d9", "id": "CVE-2026-41842", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41842 affects version 5.3.39.tuxcare.4 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:c3cb6f5e-d49a-52ce-b88f-51407e939769", "id": "CVE-2026-41843", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41843 affects version 5.3.39.tuxcare.4 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:693d360d-774a-5b74-ad19-ece085ad72a4", "id": "CVE-2026-41844", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41844 affects version 5.3.39.tuxcare.4 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:d5f71340-f6c2-54b0-9e52-242948a0de24", "id": "CVE-2026-41845", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41845 affects version 5.3.39.tuxcare.4 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:4dbc3688-673c-5a0a-a8b8-99b1baf0729a", "id": "CVE-2026-41846", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41846 affects version 5.3.39.tuxcare.4 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:5962a237-5c61-54fc-82e9-c8a97a94fdfe", "id": "CVE-2026-41847", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41847 affects version 5.3.39.tuxcare.4 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:86a6c97a-c332-5676-8585-f623147ed1d8", "id": "CVE-2026-41848", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41848 affects version 5.3.39.tuxcare.4 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:37352f74-649a-5e5b-aa31-02010a98d230", "id": "CVE-2026-41849", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41849 affects version 5.3.39.tuxcare.4 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:73d444a0-c89e-582e-b647-79a7f18e56b1", "id": "CVE-2026-41850", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41850 affects version 5.3.39.tuxcare.4 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:88916a83-788a-54bd-9ca7-e7b8e705b794", "id": "CVE-2026-41851", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41851 affects version 5.3.39.tuxcare.4 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:f1e243b0-546a-561d-98a4-507f1ba438b3", "id": "CVE-2026-41852", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41852 affects version 5.3.39.tuxcare.4 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:2ed44aec-209c-5064-97be-6f9a2ca70b02", "id": "CVE-2026-41853", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41853 affects version 5.3.39.tuxcare.4 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:090c46c4-111d-53c1-9188-c70676753f9e", "id": "CVE-2026-41855", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41855 affects version 5.3.39.tuxcare.4 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@5.3.39.tuxcare.4" } ] } ], "dependencies": [ { "ref": "pkg:maven/org.springframework/spring-beans@5.3.39.tuxcare.4" } ] }