{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:eece4ae1-483e-5368-9c67-8368a4c8595f", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:maven/org.springframework/spring-beans@5.3.39.tuxcare.6", "type": "library", "group": "org.springframework", "name": "spring-beans", "version": "5.3.39.tuxcare.6", "purl": "pkg:maven/org.springframework/spring-beans@5.3.39.tuxcare.6" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:999783d7-427a-5dce-aaee-31214da180af", "id": "CVE-2016-1000027", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2016-1000027 affects version 5.3.39.tuxcare.6 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:74d7b646-1c43-50bd-8e87-6eaf2acfb7f2", "id": "CVE-2022-22968", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2022-22968 does not affect version 5.3.39.tuxcare.6 of org.springframework:spring-beans. Spring version 5.3.39 is not affected to CVE-2022-22968 as fix has been already already backported by the original developers" }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:3d7b8628-513b-5771-b5e4-dace3872b4b8", "id": "CVE-2024-38816", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38816 is fixed in version 5.3.39.tuxcare.6 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:5120f71d-a26f-5c32-b2cc-b5627ad14eb0", "id": "CVE-2024-38819", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38819 is fixed in version 5.3.39.tuxcare.6 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:1d63d270-62c7-545a-b369-4a098c895ccc", "id": "CVE-2024-38820", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38820 is fixed in version 5.3.39.tuxcare.6 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:844ac5af-6c5c-5897-8a19-af8ccb56f673", "id": "CVE-2024-38828", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38828 is fixed in version 5.3.39.tuxcare.6 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:f59ac230-9123-5d54-b64e-ec76fab1965d", "id": "CVE-2025-22233", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-22233 is fixed in version 5.3.39.tuxcare.6 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:73d19c92-8713-501d-b40b-eab5f31a504b", "id": "CVE-2025-41234", "analysis": { "state": "false_positive", "detail": "Vulnerability CVE-2025-41234 is a false positive for org.springframework:spring-beans 5.3.39.tuxcare.6." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:33ce8f8f-0c75-5470-8abf-1e67094018b5", "id": "CVE-2025-41242", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41242 affects version 5.3.39.tuxcare.6 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:efb7e2c9-9741-5298-ab53-b4e96da33624", "id": "CVE-2025-41249", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41249 affects version 5.3.39.tuxcare.6 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:6c49d41a-28b6-53bc-b131-d5f5226dde59", "id": "CVE-2025-41254", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41254 affects version 5.3.39.tuxcare.6 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:96fe63dd-a2f5-5a15-a318-87ba1101d95c", "id": "CVE-2026-22735", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22735 affects version 5.3.39.tuxcare.6 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:cd8bf4d5-d9f3-5399-96b7-59f61b6f70fb", "id": "CVE-2026-22737", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22737 affects version 5.3.39.tuxcare.6 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:60d90d61-4c69-58c7-8647-37898de4094d", "id": "CVE-2026-22740", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22740 affects version 5.3.39.tuxcare.6 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:de050f3b-2fe1-5eac-9258-9cff2637038a", "id": "CVE-2026-22741", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22741 affects version 5.3.39.tuxcare.6 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:1b061771-f726-52d8-b283-934df190ad81", "id": "CVE-2026-22745", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22745 affects version 5.3.39.tuxcare.6 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:c9420433-9940-5108-863a-6aded11dd40d", "id": "CVE-2026-41838", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41838 affects version 5.3.39.tuxcare.6 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:7106d46c-1a49-58fe-9f6b-ac2c22696695", "id": "CVE-2026-41839", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41839 affects version 5.3.39.tuxcare.6 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:231798a5-45a7-5a69-9ab0-82ce54ea55ee", "id": "CVE-2026-41840", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41840 does not affect version 5.3.39.tuxcare.6 of org.springframework:spring-beans. already_fixed \u2014 The target Spring Framework 5.3.39-tuxcare.12 already contains both vendor fixes for CVE-2026-41840. The fixes were backported via commit 4ef4cdca34 (May 13, 2026) under CVE-2026-22740, but the code changes are identical to the upstream patches. Both doOnDiscard handlers are present and active in PartGenerator.java and MultipartHttpMessageReader.java, preventing memory exhaustion from unrelease..." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:664710e4-4c7a-5afb-9508-94acf67dfa4c", "id": "CVE-2026-41841", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41841 affects version 5.3.39.tuxcare.6 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:a1344402-0663-57ca-85b7-5a967eeafe31", "id": "CVE-2026-41842", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41842 affects version 5.3.39.tuxcare.6 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:7ed08a9e-9a49-5053-88f8-5276ab925420", "id": "CVE-2026-41843", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41843 affects version 5.3.39.tuxcare.6 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:2b54b9b3-ef21-590f-97f6-550670e21d56", "id": "CVE-2026-41844", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41844 affects version 5.3.39.tuxcare.6 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:1d8cd8c2-c168-5d4e-8963-135ccbb1e76f", "id": "CVE-2026-41845", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41845 affects version 5.3.39.tuxcare.6 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:e35b8c5b-4700-5678-875b-ad9601750564", "id": "CVE-2026-41846", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41846 affects version 5.3.39.tuxcare.6 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:5d78f1b9-d575-5193-8435-532fced54a2c", "id": "CVE-2026-41847", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41847 affects version 5.3.39.tuxcare.6 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:5fc1f094-fce0-548d-8991-c7e5bf813e0e", "id": "CVE-2026-41848", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41848 affects version 5.3.39.tuxcare.6 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:bcd20f2c-be11-5835-badc-819da6cae721", "id": "CVE-2026-41849", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41849 affects version 5.3.39.tuxcare.6 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:4b432ec4-8f96-50c0-a114-d39ffd37daab", "id": "CVE-2026-41850", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41850 affects version 5.3.39.tuxcare.6 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:20bea720-fae7-5256-85a1-e56bce540fa7", "id": "CVE-2026-41851", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41851 affects version 5.3.39.tuxcare.6 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:8479e2d2-b918-5ebd-ab3a-8c512c2b834f", "id": "CVE-2026-41852", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41852 affects version 5.3.39.tuxcare.6 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:2130bc58-a066-5f8e-a6c3-7f5491844004", "id": "CVE-2026-41853", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41853 affects version 5.3.39.tuxcare.6 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:88ce04fb-03a7-544f-8c57-3dc81a01f072", "id": "CVE-2026-41855", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41855 affects version 5.3.39.tuxcare.6 of org.springframework:spring-beans." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-beans@5.3.39.tuxcare.6" } ] } ], "dependencies": [ { "ref": "pkg:maven/org.springframework/spring-beans@5.3.39.tuxcare.6" } ] }