{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:14eb1a60-4038-5fdb-a414-2deef3a9d930", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.7", "type": "library", "group": "org.springframework", "name": "spring-expression", "version": "5.3.39-tuxcare.7", "purl": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.7" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:52f5b9fc-384f-5ad6-9ce7-f61e76f4094a", "id": "CVE-2016-1000027", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2016-1000027 affects version 5.3.39-tuxcare.7 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:e8e7d013-c0e1-5a9b-bbfd-609eaa9b9d81", "id": "CVE-2022-22968", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2022-22968 does not affect version 5.3.39-tuxcare.7 of org.springframework:spring-expression. Spring version 5.3.39 is not affected to CVE-2022-22968 as fix has been already already backported by the original developers" }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:5dd390a9-20a3-513f-99b7-fadd52ebb068", "id": "CVE-2024-38816", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38816 is fixed in version 5.3.39-tuxcare.7 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:399bf8ef-bd36-58c4-97fc-0d14dfcbb0a0", "id": "CVE-2024-38819", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38819 is fixed in version 5.3.39-tuxcare.7 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:bef92088-fbf9-56a9-82ce-d4d68e15e8c3", "id": "CVE-2024-38820", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38820 is fixed in version 5.3.39-tuxcare.7 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:5c4e6327-0b14-56c0-bee0-1a41cea10a8f", "id": "CVE-2024-38828", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38828 is fixed in version 5.3.39-tuxcare.7 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:f50c7232-8f52-5e06-af2f-6f13a803db5c", "id": "CVE-2025-22233", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-22233 is fixed in version 5.3.39-tuxcare.7 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:39965855-d811-5656-8b8e-c108eb2ae1b1", "id": "CVE-2025-41234", "analysis": { "state": "false_positive", "detail": "Vulnerability CVE-2025-41234 is a false positive for org.springframework:spring-expression 5.3.39-tuxcare.7." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:6b083b94-4c85-5036-b22a-9629f80caebb", "id": "CVE-2025-41242", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-41242 is fixed in version 5.3.39-tuxcare.7 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:603af712-bd76-5f06-a854-908ffeb1f5fd", "id": "CVE-2025-41249", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41249 affects version 5.3.39-tuxcare.7 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:2f4fa6ed-56f3-5794-948f-2f4213dc81cb", "id": "CVE-2025-41254", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41254 affects version 5.3.39-tuxcare.7 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:1c01add7-5311-5bc8-b154-864359108223", "id": "CVE-2026-22735", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22735 affects version 5.3.39-tuxcare.7 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:7be73137-7356-5f2d-818a-2f398ed4aec1", "id": "CVE-2026-22737", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22737 affects version 5.3.39-tuxcare.7 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:916348eb-3e81-5729-a04a-b3ef34884287", "id": "CVE-2026-22740", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22740 affects version 5.3.39-tuxcare.7 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:8da5267a-964c-55bd-87ac-b9efa7db9afd", "id": "CVE-2026-22741", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22741 affects version 5.3.39-tuxcare.7 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:91c002ef-507f-5f59-a5a2-2f124cfd07ff", "id": "CVE-2026-22745", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22745 affects version 5.3.39-tuxcare.7 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:5831383f-89e5-546f-beff-92ca442d7baf", "id": "CVE-2026-41838", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41838 affects version 5.3.39-tuxcare.7 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:8da5c09e-c92e-5008-b2d6-a4de461c3cbd", "id": "CVE-2026-41839", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41839 affects version 5.3.39-tuxcare.7 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:beb21779-341b-5b73-9e11-94cc596a6448", "id": "CVE-2026-41840", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41840 does not affect version 5.3.39-tuxcare.7 of org.springframework:spring-expression. already_fixed \u2014 The target Spring Framework 5.3.39-tuxcare.12 already contains both vendor fixes for CVE-2026-41840. The fixes were backported via commit 4ef4cdca34 (May 13, 2026) under CVE-2026-22740, but the code changes are identical to the upstream patches. Both doOnDiscard handlers are present and active in PartGenerator.java and MultipartHttpMessageReader.java, preventing memory exhaustion from unrelease..." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:e96ebfd8-5224-583c-afc2-b885dce95104", "id": "CVE-2026-41841", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41841 affects version 5.3.39-tuxcare.7 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:3c303a20-62b6-5f86-9f69-86f3f835625d", "id": "CVE-2026-41842", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41842 affects version 5.3.39-tuxcare.7 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:f5f0774d-1159-5056-a2e4-2b17e198de34", "id": "CVE-2026-41843", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41843 affects version 5.3.39-tuxcare.7 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:ec49aea3-d55b-5bc2-9cd1-25c851a64cae", "id": "CVE-2026-41844", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41844 affects version 5.3.39-tuxcare.7 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:cf373b35-794b-5b65-9364-dad30400e6c4", "id": "CVE-2026-41845", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41845 affects version 5.3.39-tuxcare.7 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:1354acb2-5a09-547d-aaab-86ee64588903", "id": "CVE-2026-41846", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41846 affects version 5.3.39-tuxcare.7 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:ad01422c-d7f0-58ae-ac17-33ccf2c04078", "id": "CVE-2026-41847", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41847 affects version 5.3.39-tuxcare.7 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:b66c9308-a27b-5bc8-b8f0-71ec3a549a01", "id": "CVE-2026-41848", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41848 affects version 5.3.39-tuxcare.7 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:740d5a2c-3a61-528d-96b6-af9bf0ab7d66", "id": "CVE-2026-41849", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41849 affects version 5.3.39-tuxcare.7 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:73f4ae67-6df6-5034-8c4d-69e18b853b2e", "id": "CVE-2026-41850", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41850 affects version 5.3.39-tuxcare.7 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:316716ff-3ecb-506d-9dd5-b190d7332c74", "id": "CVE-2026-41851", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41851 affects version 5.3.39-tuxcare.7 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:60401c21-ea33-505c-b0f1-cc7aa7e2ff2c", "id": "CVE-2026-41852", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41852 affects version 5.3.39-tuxcare.7 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:a74e1a8b-3311-53ef-a1cf-1c8392626f05", "id": "CVE-2026-41853", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41853 affects version 5.3.39-tuxcare.7 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:b7cbdf18-ff32-5ca5-a784-72ce416978ae", "id": "CVE-2026-41855", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41855 affects version 5.3.39-tuxcare.7 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.7" } ] } ], "dependencies": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.7" } ] }