{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:7a3ca1e7-0420-52cc-a70f-a98b71e87c84", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:maven/org.springframework/spring-expression@5.3.31.tuxcare", "type": "library", "group": "org.springframework", "name": "spring-expression", "version": "5.3.31.tuxcare", "purl": "pkg:maven/org.springframework/spring-expression@5.3.31.tuxcare" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:db9b6332-a8d3-582a-bf2e-8257128b35ff", "id": "CVE-2016-1000027", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2016-1000027 affects version 5.3.31.tuxcare of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.31.tuxcare" } ] }, { "bom-ref": "urn:uuid:7f47f600-44c6-54c5-b1ae-98e89882ae49", "id": "CVE-2024-22243", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-22243 is fixed in version 5.3.31.tuxcare of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.31.tuxcare" } ] }, { "bom-ref": "urn:uuid:02f03859-b52e-55f7-9b35-e46efc68ab3d", "id": "CVE-2024-22259", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-22259 affects version 5.3.31.tuxcare of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.31.tuxcare" } ] }, { "bom-ref": "urn:uuid:20097c46-72f6-5751-ad65-fd2cd326d721", "id": "CVE-2024-22262", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-22262 is fixed in version 5.3.31.tuxcare of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.31.tuxcare" } ] }, { "bom-ref": "urn:uuid:9355725e-d551-595f-9dd0-033bb181905d", "id": "CVE-2024-38808", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38808 affects version 5.3.31.tuxcare of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.31.tuxcare" } ] }, { "bom-ref": "urn:uuid:3bb00b6e-7443-5cb1-a2bb-524e5ea9429b", "id": "CVE-2024-38809", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38809 affects version 5.3.31.tuxcare of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.31.tuxcare" } ] }, { "bom-ref": "urn:uuid:c52bb0c9-4cee-5b1e-bc77-f1ded94b969f", "id": "CVE-2024-38816", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38816 affects version 5.3.31.tuxcare of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.31.tuxcare" } ] }, { "bom-ref": "urn:uuid:e8e2c816-8a52-5b7d-a011-d342ba7c6246", "id": "CVE-2024-38819", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38819 affects version 5.3.31.tuxcare of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.31.tuxcare" } ] }, { "bom-ref": "urn:uuid:cbe4b87d-8bd2-5515-acb6-daae2624648f", "id": "CVE-2024-38820", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38820 affects version 5.3.31.tuxcare of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.31.tuxcare" } ] }, { "bom-ref": "urn:uuid:40be6733-4b73-53cb-994f-dcb8506749fd", "id": "CVE-2024-38828", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38828 affects version 5.3.31.tuxcare of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.31.tuxcare" } ] }, { "bom-ref": "urn:uuid:4bc4faa3-4af1-5d85-851e-0db16b716aa7", "id": "CVE-2025-22233", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-22233 affects version 5.3.31.tuxcare of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.31.tuxcare" } ] }, { "bom-ref": "urn:uuid:44963f6a-c1d4-5a05-a224-7c89588c0b6c", "id": "CVE-2025-41234", "analysis": { "state": "false_positive", "detail": "Vulnerability CVE-2025-41234 is a false positive for org.springframework:spring-expression 5.3.31.tuxcare." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.31.tuxcare" } ] }, { "bom-ref": "urn:uuid:dcc37c89-3340-5f44-ab94-0082abf244ae", "id": "CVE-2025-41242", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41242 affects version 5.3.31.tuxcare of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.31.tuxcare" } ] }, { "bom-ref": "urn:uuid:13f8949a-3295-5ee5-b22e-da8d390ff308", "id": "CVE-2025-41249", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41249 affects version 5.3.31.tuxcare of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.31.tuxcare" } ] }, { "bom-ref": "urn:uuid:b7b341c1-4e0c-509d-9e5e-1e04c24ae309", "id": "CVE-2025-41254", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41254 affects version 5.3.31.tuxcare of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.31.tuxcare" } ] }, { "bom-ref": "urn:uuid:ad5bb096-8055-588e-8d4d-9f565cd5ceb2", "id": "CVE-2026-22735", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22735 affects version 5.3.31.tuxcare of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.31.tuxcare" } ] }, { "bom-ref": "urn:uuid:ad346da4-adb8-5e83-bda5-0a5dbff2c3d9", "id": "CVE-2026-22737", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22737 affects version 5.3.31.tuxcare of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.31.tuxcare" } ] }, { "bom-ref": "urn:uuid:650d29d1-dd9c-5f00-be39-80b0d01e4989", "id": "CVE-2026-22740", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22740 affects version 5.3.31.tuxcare of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.31.tuxcare" } ] }, { "bom-ref": "urn:uuid:648b3a4f-f6fa-5ff5-a93c-d8b4946654bd", "id": "CVE-2026-22741", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22741 affects version 5.3.31.tuxcare of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.31.tuxcare" } ] }, { "bom-ref": "urn:uuid:21b61c1f-5418-5add-a9e5-43164fedc8dd", "id": "CVE-2026-22745", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22745 affects version 5.3.31.tuxcare of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.31.tuxcare" } ] }, { "bom-ref": "urn:uuid:06881f3a-9956-559f-af1d-7bdb8a706ddb", "id": "CVE-2026-41838", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41838 affects version 5.3.31.tuxcare of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.31.tuxcare" } ] }, { "bom-ref": "urn:uuid:9bd2a87c-2656-5db8-a0d4-f7f217c3014c", "id": "CVE-2026-41839", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41839 affects version 5.3.31.tuxcare of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.31.tuxcare" } ] }, { "bom-ref": "urn:uuid:32126813-98ce-5f33-9374-d565a6b35e8e", "id": "CVE-2026-41840", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41840 does not affect version 5.3.31.tuxcare of org.springframework:spring-expression. already_fixed \u2014 The target repository (Spring Framework 5.3.31-tuxcare.3) already contains the complete fix for CVE-2026-41840. Both required doOnDiscard handlers were applied via commit 615477c88f (labeled as CVE-2026-22740 backport) merged on May 4, 2026. The code changes are byte-for-byte identical to the upstream patches." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.31.tuxcare" } ] }, { "bom-ref": "urn:uuid:10d484f5-e6ef-5795-85a5-21f40d88fb8c", "id": "CVE-2026-41841", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41841 affects version 5.3.31.tuxcare of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.31.tuxcare" } ] }, { "bom-ref": "urn:uuid:78f7ff73-b278-5197-a3d9-6f0510c2b526", "id": "CVE-2026-41842", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41842 affects version 5.3.31.tuxcare of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.31.tuxcare" } ] }, { "bom-ref": "urn:uuid:42adf1b2-7b35-50c6-89f5-668d68510121", "id": "CVE-2026-41843", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41843 affects version 5.3.31.tuxcare of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.31.tuxcare" } ] }, { "bom-ref": "urn:uuid:ae3d66e8-325e-58a0-96df-1058ab78af48", "id": "CVE-2026-41844", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41844 affects version 5.3.31.tuxcare of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.31.tuxcare" } ] }, { "bom-ref": "urn:uuid:832fb02c-750d-5328-8a70-e6409fd10098", "id": "CVE-2026-41845", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41845 affects version 5.3.31.tuxcare of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.31.tuxcare" } ] }, { "bom-ref": "urn:uuid:00ee9dc5-46ba-55c5-bc98-e07b86e5984d", "id": "CVE-2026-41846", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41846 affects version 5.3.31.tuxcare of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.31.tuxcare" } ] }, { "bom-ref": "urn:uuid:a2160e93-a8b6-5445-9745-06509e04ba76", "id": "CVE-2026-41847", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41847 affects version 5.3.31.tuxcare of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.31.tuxcare" } ] }, { "bom-ref": "urn:uuid:0f3bad79-6e3e-56de-b0c1-dc1a89221a4f", "id": "CVE-2026-41848", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41848 affects version 5.3.31.tuxcare of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.31.tuxcare" } ] }, { "bom-ref": "urn:uuid:a2fdf760-d9da-535c-93d1-231b74a685ea", "id": "CVE-2026-41849", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41849 affects version 5.3.31.tuxcare of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.31.tuxcare" } ] }, { "bom-ref": "urn:uuid:46921c49-5bcf-5217-a9dc-11ac1dd5e938", "id": "CVE-2026-41850", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41850 affects version 5.3.31.tuxcare of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.31.tuxcare" } ] }, { "bom-ref": "urn:uuid:b280dcef-15a3-5ea5-99a4-7af7eaf6fea1", "id": "CVE-2026-41851", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41851 affects version 5.3.31.tuxcare of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.31.tuxcare" } ] }, { "bom-ref": "urn:uuid:f1841e1b-bcb2-5d40-895b-c77b2c75e6f5", "id": "CVE-2026-41852", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41852 affects version 5.3.31.tuxcare of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.31.tuxcare" } ] }, { "bom-ref": "urn:uuid:6a1bc5c8-b389-58ff-87e8-c3f14babbf76", "id": "CVE-2026-41853", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41853 affects version 5.3.31.tuxcare of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.31.tuxcare" } ] }, { "bom-ref": "urn:uuid:6afae783-e854-5c7c-979b-468b0b754210", "id": "CVE-2026-41855", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41855 affects version 5.3.31.tuxcare of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.31.tuxcare" } ] } ], "dependencies": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.31.tuxcare" } ] }