{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:07d061c2-20ea-5a9e-b5e6-db9bee13609f", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.11", "type": "library", "group": "org.springframework", "name": "spring-expression", "version": "5.3.39-tuxcare.11", "purl": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.11" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:7a7dc470-033c-5880-a512-3463ac307d07", "id": "CVE-2016-1000027", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2016-1000027 affects version 5.3.39-tuxcare.11 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.11" } ] }, { "bom-ref": "urn:uuid:4bd873a3-20d3-57a4-8869-50e7d06af56f", "id": "CVE-2022-22968", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2022-22968 does not affect version 5.3.39-tuxcare.11 of org.springframework:spring-expression. Spring version 5.3.39 is not affected to CVE-2022-22968 as fix has been already already backported by the original developers" }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.11" } ] }, { "bom-ref": "urn:uuid:91b37fce-fb51-5ac9-94aa-91eab6ed975c", "id": "CVE-2024-38816", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38816 is fixed in version 5.3.39-tuxcare.11 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.11" } ] }, { "bom-ref": "urn:uuid:53288001-f949-59a8-ad13-fdd6b337ee6b", "id": "CVE-2024-38819", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38819 is fixed in version 5.3.39-tuxcare.11 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.11" } ] }, { "bom-ref": "urn:uuid:85e83916-35c2-5b93-a19a-c40f9dbcb819", "id": "CVE-2024-38820", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38820 is fixed in version 5.3.39-tuxcare.11 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.11" } ] }, { "bom-ref": "urn:uuid:701988f7-1e48-57eb-8d26-6ba053260f88", "id": "CVE-2024-38828", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38828 is fixed in version 5.3.39-tuxcare.11 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.11" } ] }, { "bom-ref": "urn:uuid:edc7dc5b-1c54-5fc2-956a-a88787fb3946", "id": "CVE-2025-22233", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-22233 is fixed in version 5.3.39-tuxcare.11 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.11" } ] }, { "bom-ref": "urn:uuid:a6a0ab71-96b3-5b72-bfec-9bd6f920935d", "id": "CVE-2025-41234", "analysis": { "state": "false_positive", "detail": "Vulnerability CVE-2025-41234 is a false positive for org.springframework:spring-expression 5.3.39-tuxcare.11." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.11" } ] }, { "bom-ref": "urn:uuid:630472c6-7d93-5e3b-a3d6-b0f0f6574676", "id": "CVE-2025-41242", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-41242 is fixed in version 5.3.39-tuxcare.11 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.11" } ] }, { "bom-ref": "urn:uuid:492e951e-6e89-578f-8542-d4ca0900b668", "id": "CVE-2025-41249", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-41249 is fixed in version 5.3.39-tuxcare.11 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.11" } ] }, { "bom-ref": "urn:uuid:6db4c6d4-6bff-544b-9ff1-ba834640e6be", "id": "CVE-2025-41254", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-41254 is fixed in version 5.3.39-tuxcare.11 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.11" } ] }, { "bom-ref": "urn:uuid:7ce52da9-bec5-5bc0-87fe-cf0b8ec7a7bb", "id": "CVE-2026-22735", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22735 affects version 5.3.39-tuxcare.11 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.11" } ] }, { "bom-ref": "urn:uuid:fee0bc56-9a28-5be3-9b2a-731b87590059", "id": "CVE-2026-22737", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22737 is fixed in version 5.3.39-tuxcare.11 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.11" } ] }, { "bom-ref": "urn:uuid:31664f7f-fa1d-57cb-b183-6393acce703d", "id": "CVE-2026-22740", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22740 is fixed in version 5.3.39-tuxcare.11 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.11" } ] }, { "bom-ref": "urn:uuid:8a60f696-a5d0-514c-bba8-ac4dd9a2cbaa", "id": "CVE-2026-22741", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22741 is fixed in version 5.3.39-tuxcare.11 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.11" } ] }, { "bom-ref": "urn:uuid:e7d3b2c1-5ac8-5c18-8bc1-7c06ff2ebf9c", "id": "CVE-2026-22745", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22745 is fixed in version 5.3.39-tuxcare.11 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.11" } ] }, { "bom-ref": "urn:uuid:b117e475-e7ce-5e32-824e-5245e9165cf4", "id": "CVE-2026-41838", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41838 affects version 5.3.39-tuxcare.11 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.11" } ] }, { "bom-ref": "urn:uuid:9cdb0249-8592-582a-876d-3d3115acc1eb", "id": "CVE-2026-41839", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41839 affects version 5.3.39-tuxcare.11 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.11" } ] }, { "bom-ref": "urn:uuid:1a6b6bed-5159-5c98-9a43-00acf8cc01a0", "id": "CVE-2026-41840", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41840 does not affect version 5.3.39-tuxcare.11 of org.springframework:spring-expression. already_fixed \u2014 The target Spring Framework 5.3.39-tuxcare.12 already contains both vendor fixes for CVE-2026-41840. The fixes were backported via commit 4ef4cdca34 (May 13, 2026) under CVE-2026-22740, but the code changes are identical to the upstream patches. Both doOnDiscard handlers are present and active in PartGenerator.java and MultipartHttpMessageReader.java, preventing memory exhaustion from unrelease..." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.11" } ] }, { "bom-ref": "urn:uuid:878fe64c-6a9f-5269-850a-faa641604f61", "id": "CVE-2026-41841", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41841 affects version 5.3.39-tuxcare.11 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.11" } ] }, { "bom-ref": "urn:uuid:73ab68e4-5aad-5525-a8cd-338b5beda85e", "id": "CVE-2026-41842", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41842 affects version 5.3.39-tuxcare.11 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.11" } ] }, { "bom-ref": "urn:uuid:1b699de6-185f-5e6d-be7e-347ef7a36831", "id": "CVE-2026-41843", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41843 affects version 5.3.39-tuxcare.11 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.11" } ] }, { "bom-ref": "urn:uuid:5a926acb-1b4d-546e-a7f3-b6aaa5716f44", "id": "CVE-2026-41844", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41844 affects version 5.3.39-tuxcare.11 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.11" } ] }, { "bom-ref": "urn:uuid:95afcb67-6aba-567a-b348-b2ed8f246c8a", "id": "CVE-2026-41845", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41845 affects version 5.3.39-tuxcare.11 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.11" } ] }, { "bom-ref": "urn:uuid:5847397c-505b-5e73-bc25-540111187e57", "id": "CVE-2026-41846", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41846 affects version 5.3.39-tuxcare.11 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.11" } ] }, { "bom-ref": "urn:uuid:bab04b81-799b-591e-b8b8-3aabc183f015", "id": "CVE-2026-41847", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41847 affects version 5.3.39-tuxcare.11 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.11" } ] }, { "bom-ref": "urn:uuid:9a4f104c-46ca-5477-8c18-a0d98f153873", "id": "CVE-2026-41848", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41848 affects version 5.3.39-tuxcare.11 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.11" } ] }, { "bom-ref": "urn:uuid:f127e9b3-78e8-5ba5-8913-d0dca2be41ff", "id": "CVE-2026-41849", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41849 affects version 5.3.39-tuxcare.11 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.11" } ] }, { "bom-ref": "urn:uuid:4a94a527-edbd-5597-9181-0caca454ec27", "id": "CVE-2026-41850", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41850 affects version 5.3.39-tuxcare.11 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.11" } ] }, { "bom-ref": "urn:uuid:cadf3917-dc42-53fa-990d-3b363961f6d9", "id": "CVE-2026-41851", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41851 affects version 5.3.39-tuxcare.11 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.11" } ] }, { "bom-ref": "urn:uuid:ed385512-4421-5976-97a2-d8fdea94b5b1", "id": "CVE-2026-41852", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41852 affects version 5.3.39-tuxcare.11 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.11" } ] }, { "bom-ref": "urn:uuid:1b94bb0a-1de0-54d1-8694-a212fe4f8d94", "id": "CVE-2026-41853", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41853 affects version 5.3.39-tuxcare.11 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.11" } ] }, { "bom-ref": "urn:uuid:a631aa0e-aed4-5c0f-babb-6dff0646ffbf", "id": "CVE-2026-41855", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41855 affects version 5.3.39-tuxcare.11 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.11" } ] } ], "dependencies": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.11" } ] }