{
  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "serialNumber": "urn:uuid:69c5a13f-c7d4-5b59-b9ea-a3f53f78dcd3",
  "version": 1,
  "metadata": {
    "tools": [
      {
        "name": "tuxcare-vex-generator",
        "version": "1.0.0"
      }
    ]
  },
  "components": [
    {
      "bom-ref": "pkg:maven/org.springframework/spring-expression@5.3.30-tuxcare.2",
      "type": "library",
      "group": "org.springframework",
      "name": "spring-expression",
      "version": "5.3.30-tuxcare.2",
      "purl": "pkg:maven/org.springframework/spring-expression@5.3.30-tuxcare.2"
    }
  ],
  "vulnerabilities": [
    {
      "bom-ref": "urn:uuid:fc776053-4318-5f17-bdeb-58ebb723c83d",
      "id": "CVE-2016-1000027",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2016-1000027 affects version 5.3.30-tuxcare.2 of org.springframework:spring-expression."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-expression@5.3.30-tuxcare.2"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:c4b1f11a-401d-5d86-8cfe-34b8abe7da33",
      "id": "CVE-2024-22243",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2024-22243 is fixed in version 5.3.30-tuxcare.2 of org.springframework:spring-expression."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-expression@5.3.30-tuxcare.2"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:a64e3c83-8bb6-537a-aac5-435e9bd8fc32",
      "id": "CVE-2024-22259",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2024-22259 is fixed in version 5.3.30-tuxcare.2 of org.springframework:spring-expression."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-expression@5.3.30-tuxcare.2"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:faac3b35-2014-5c2a-8f49-3b68631d8e72",
      "id": "CVE-2024-22262",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2024-22262 is fixed in version 5.3.30-tuxcare.2 of org.springframework:spring-expression."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-expression@5.3.30-tuxcare.2"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:f09a3aeb-dbef-547c-9dac-e668bf3e984a",
      "id": "CVE-2024-38808",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2024-38808 is fixed in version 5.3.30-tuxcare.2 of org.springframework:spring-expression."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-expression@5.3.30-tuxcare.2"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:58a4d98b-c82f-5e2d-8e40-c7b742dff3f5",
      "id": "CVE-2024-38809",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2024-38809 is fixed in version 5.3.30-tuxcare.2 of org.springframework:spring-expression."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-expression@5.3.30-tuxcare.2"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:3a907f73-21e5-52c8-8844-ee3162bad7dd",
      "id": "CVE-2024-38816",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2024-38816 is fixed in version 5.3.30-tuxcare.2 of org.springframework:spring-expression."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-expression@5.3.30-tuxcare.2"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:85c4b032-ee47-5d3b-a270-aaa5a0728964",
      "id": "CVE-2024-38819",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2024-38819 is fixed in version 5.3.30-tuxcare.2 of org.springframework:spring-expression."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-expression@5.3.30-tuxcare.2"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:3d15bd93-0386-5617-9c3e-ed458ba7619a",
      "id": "CVE-2024-38820",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2024-38820 is fixed in version 5.3.30-tuxcare.2 of org.springframework:spring-expression."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-expression@5.3.30-tuxcare.2"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:93efc9e8-2b43-5e6b-af8e-6b2d76d5bc05",
      "id": "CVE-2024-38828",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2024-38828 is fixed in version 5.3.30-tuxcare.2 of org.springframework:spring-expression."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-expression@5.3.30-tuxcare.2"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:2febf9bc-db5e-510b-b825-9a37039ee433",
      "id": "CVE-2025-22233",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2025-22233 is fixed in version 5.3.30-tuxcare.2 of org.springframework:spring-expression."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-expression@5.3.30-tuxcare.2"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:b5dab509-7a4e-57d4-aff0-1d2731189ea1",
      "id": "CVE-2025-41242",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2025-41242 is fixed in version 5.3.30-tuxcare.2 of org.springframework:spring-expression."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-expression@5.3.30-tuxcare.2"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:159fc312-7e2f-5fc3-916d-01825b534804",
      "id": "CVE-2025-41249",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2025-41249 is fixed in version 5.3.30-tuxcare.2 of org.springframework:spring-expression."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-expression@5.3.30-tuxcare.2"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:645cafd7-b040-559b-8d45-85e279439ec8",
      "id": "CVE-2025-41254",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2025-41254 is fixed in version 5.3.30-tuxcare.2 of org.springframework:spring-expression."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-expression@5.3.30-tuxcare.2"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:08cf5d93-1065-50c1-999e-86f74c7642cf",
      "id": "CVE-2026-22735",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-22735 affects version 5.3.30-tuxcare.2 of org.springframework:spring-expression."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-expression@5.3.30-tuxcare.2"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:700410eb-e392-552c-8140-65c8e42dc683",
      "id": "CVE-2026-22737",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-22737 affects version 5.3.30-tuxcare.2 of org.springframework:spring-expression."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-expression@5.3.30-tuxcare.2"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:c5960f3f-b5eb-5a41-89b7-39d3bb11226d",
      "id": "CVE-2026-22740",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2026-22740 is fixed in version 5.3.30-tuxcare.2 of org.springframework:spring-expression."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-expression@5.3.30-tuxcare.2"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:45d317e2-999a-5810-bec1-186370d5f0ab",
      "id": "CVE-2026-22741",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-22741 affects version 5.3.30-tuxcare.2 of org.springframework:spring-expression."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-expression@5.3.30-tuxcare.2"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:bac8b797-0b34-5839-ab7c-7d32e236a9b9",
      "id": "CVE-2026-22745",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-22745 affects version 5.3.30-tuxcare.2 of org.springframework:spring-expression."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-expression@5.3.30-tuxcare.2"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:47a0dd03-e5a7-5967-a0b8-8585a5c396b7",
      "id": "CVE-2026-41838",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-41838 affects version 5.3.30-tuxcare.2 of org.springframework:spring-expression."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-expression@5.3.30-tuxcare.2"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:9ebced56-2d51-5cd8-b93e-f03594747272",
      "id": "CVE-2026-41839",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-41839 affects version 5.3.30-tuxcare.2 of org.springframework:spring-expression."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-expression@5.3.30-tuxcare.2"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:3b33d9a1-abf5-5049-b47f-8a0216ba4af9",
      "id": "CVE-2026-41840",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2026-41840 does not affect version 5.3.30-tuxcare.2 of org.springframework:spring-expression. Reason: already_fixed \u2014 the target repository Spring Framework 5.3.30-tuxcare.3 already contains both fixes for CVE-2026-41840. The identical patches were previously backported by TuxCare as part of CVE-2026-22740 (commits 1a619adbfb and ee9443b0bc, merged May 2026). Both doOnDiscard handlers are present in the current code: PartGenerator.java releases data buffers on discard, and MultipartHttpMessageReader.java delet... [detail truncated in the source record]"
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-expression@5.3.30-tuxcare.2"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:e34085cc-1eb0-5544-b18d-382af266ad57",
      "id": "CVE-2026-41841",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-41841 affects version 5.3.30-tuxcare.2 of org.springframework:spring-expression."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-expression@5.3.30-tuxcare.2"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:b19a8ef3-bf0e-5f04-94c4-370c4b7cf614",
      "id": "CVE-2026-41842",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-41842 affects version 5.3.30-tuxcare.2 of org.springframework:spring-expression."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-expression@5.3.30-tuxcare.2"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:80a20ffe-4b53-5715-aa23-a910e35f702a",
      "id": "CVE-2026-41843",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-41843 affects version 5.3.30-tuxcare.2 of org.springframework:spring-expression."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-expression@5.3.30-tuxcare.2"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:9e642573-5e4c-5666-8300-88b3257e97bc",
      "id": "CVE-2026-41844",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-41844 affects version 5.3.30-tuxcare.2 of org.springframework:spring-expression."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-expression@5.3.30-tuxcare.2"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:771b37dd-c247-5e20-ada4-f9c13cf7dd8e",
      "id": "CVE-2026-41845",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-41845 affects version 5.3.30-tuxcare.2 of org.springframework:spring-expression."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-expression@5.3.30-tuxcare.2"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:0e49764d-e6ad-5113-a1c3-634e02479fbd",
      "id": "CVE-2026-41846",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-41846 affects version 5.3.30-tuxcare.2 of org.springframework:spring-expression."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-expression@5.3.30-tuxcare.2"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:18c1f57f-db6c-50f8-b8ca-89824b0d4e31",
      "id": "CVE-2026-41847",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2026-41847 does not affect version 5.3.30-tuxcare.2 of org.springframework:spring-expression. Reason: already_fixed \u2014 the target repository already contains the fix for CVE-2026-41847. The upstream commit 07ba95739bf4451742e4ee6b4d4b2d0ee5f701bf from April 2021 is present in the repository history and is an ancestor of the current HEAD. The parameter bug in the Kotlin Router DSL filter function has been fixed."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-expression@5.3.30-tuxcare.2"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:5aaf1612-892e-5929-b9ac-1b88c0869e6b",
      "id": "CVE-2026-41848",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-41848 affects version 5.3.30-tuxcare.2 of org.springframework:spring-expression."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-expression@5.3.30-tuxcare.2"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:31339735-fcb7-58d3-9160-c6d24bd775c8",
      "id": "CVE-2026-41849",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-41849 affects version 5.3.30-tuxcare.2 of org.springframework:spring-expression."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-expression@5.3.30-tuxcare.2"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:74e124c1-378c-55cd-a038-dcbf81f9afed",
      "id": "CVE-2026-41850",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-41850 affects version 5.3.30-tuxcare.2 of org.springframework:spring-expression."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-expression@5.3.30-tuxcare.2"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:0afd6db2-4506-5c9f-aa20-67fde589bf38",
      "id": "CVE-2026-41851",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-41851 affects version 5.3.30-tuxcare.2 of org.springframework:spring-expression."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-expression@5.3.30-tuxcare.2"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:927aa616-6011-5710-a29e-3d1b93c01c22",
      "id": "CVE-2026-41852",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-41852 affects version 5.3.30-tuxcare.2 of org.springframework:spring-expression."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-expression@5.3.30-tuxcare.2"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:5be0d7f9-b7f7-5e48-b5f2-3788c849f108",
      "id": "CVE-2026-41853",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-41853 affects version 5.3.30-tuxcare.2 of org.springframework:spring-expression."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-expression@5.3.30-tuxcare.2"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:b1f760e6-9459-5b55-8e02-c79707db92a8",
      "id": "CVE-2026-41855",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-41855 affects version 5.3.30-tuxcare.2 of org.springframework:spring-expression."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-expression@5.3.30-tuxcare.2"
        }
      ]
    }
  ],
  "dependencies": [
    {
      "ref": "pkg:maven/org.springframework/spring-expression@5.3.30-tuxcare.2"
    }
  ]
}