{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:aff6fe2c-f2d4-5de9-a941-0cb9eb519768", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.8", "type": "library", "group": "org.springframework", "name": "spring-expression", "version": "5.3.39-tuxcare.8", "purl": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.8" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:ae0deec0-4712-5a1b-be50-fc7d10a5dc44", "id": "CVE-2016-1000027", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2016-1000027 affects version 5.3.39-tuxcare.8 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:8c96a8e4-3f30-5f61-a85f-83ff46395e23", "id": "CVE-2022-22968", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2022-22968 does not affect version 5.3.39-tuxcare.8 of org.springframework:spring-expression. Spring version 5.3.39 is not affected to CVE-2022-22968 as fix has been already already backported by the original developers" }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:cb9c370a-7402-5de3-8b1e-da07b4ebd3a7", "id": "CVE-2024-38816", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38816 is fixed in version 5.3.39-tuxcare.8 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:da1da3de-3496-5d40-8d73-ebe98656091b", "id": "CVE-2024-38819", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38819 is fixed in version 5.3.39-tuxcare.8 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:b7af0fc9-298f-5f0a-9f4b-1afbf24af69a", "id": "CVE-2024-38820", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38820 is fixed in version 5.3.39-tuxcare.8 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:5c8e7a1f-226f-5a87-8fc2-c62ed34e9755", "id": "CVE-2024-38828", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38828 is fixed in version 5.3.39-tuxcare.8 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:a91154ab-0566-5fef-b7b5-7c64d2584202", "id": "CVE-2025-22233", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-22233 is fixed in version 5.3.39-tuxcare.8 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:d6b1d14e-0ecb-5e46-95bf-e776c4a307ed", "id": "CVE-2025-41234", "analysis": { "state": "false_positive", "detail": "Vulnerability CVE-2025-41234 is a false positive for org.springframework:spring-expression 5.3.39-tuxcare.8." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:170b68c6-81e4-5ae1-b597-1b4d9415ffb9", "id": "CVE-2025-41242", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-41242 is fixed in version 5.3.39-tuxcare.8 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:714cd756-a39f-51ee-8e53-6c7259663ba1", "id": "CVE-2025-41249", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-41249 is fixed in version 5.3.39-tuxcare.8 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:7e9e512f-4ba2-5272-8091-afa0b94a7a5b", "id": "CVE-2025-41254", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41254 affects version 5.3.39-tuxcare.8 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:86b370b3-60f9-5b2e-818f-b7ab97b93294", "id": "CVE-2026-22735", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22735 affects version 5.3.39-tuxcare.8 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:26b06bdf-2f50-5da8-8440-45136da440e4", "id": "CVE-2026-22737", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22737 affects version 5.3.39-tuxcare.8 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:c771750f-beec-5283-9588-938a3b834efe", "id": "CVE-2026-22740", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22740 affects version 5.3.39-tuxcare.8 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:c8ed5f7d-7cd4-5c7d-a3dc-6d72068fc417", "id": "CVE-2026-22741", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22741 affects version 5.3.39-tuxcare.8 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:de5a852c-02fe-556f-ab1f-2ccde480b221", "id": "CVE-2026-22745", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22745 affects version 5.3.39-tuxcare.8 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:18b65c64-631b-52b5-a9c8-6599874e6d36", "id": "CVE-2026-41838", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41838 affects version 5.3.39-tuxcare.8 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:97be4e8e-da00-5805-b413-7cdd18752e4a", "id": "CVE-2026-41839", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41839 affects version 5.3.39-tuxcare.8 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:8f390315-2599-5f42-9c40-5667dc1555e3", "id": "CVE-2026-41840", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41840 does not affect version 5.3.39-tuxcare.8 of org.springframework:spring-expression. already_fixed \u2014 The target Spring Framework 5.3.39-tuxcare.12 already contains both vendor fixes for CVE-2026-41840. The fixes were backported via commit 4ef4cdca34 (May 13, 2026) under CVE-2026-22740, but the code changes are identical to the upstream patches. Both doOnDiscard handlers are present and active in PartGenerator.java and MultipartHttpMessageReader.java, preventing memory exhaustion from unrelease..." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:116634e6-c52a-5f83-8143-ab99adba7adf", "id": "CVE-2026-41841", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41841 affects version 5.3.39-tuxcare.8 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:220b9a7d-c39e-5c43-9290-d78da1ba6132", "id": "CVE-2026-41842", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41842 affects version 5.3.39-tuxcare.8 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:fbb30121-1cd0-5368-b306-7516887dfa71", "id": "CVE-2026-41843", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41843 affects version 5.3.39-tuxcare.8 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:7d8011ca-b23d-5ffa-8a5b-9da30b7b1e6a", "id": "CVE-2026-41844", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41844 affects version 5.3.39-tuxcare.8 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:96fc6f25-6dc6-538c-b676-6ff7515d1b60", "id": "CVE-2026-41845", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41845 affects version 5.3.39-tuxcare.8 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:71b6a044-6f30-58e2-ad48-753e70bff2e5", "id": "CVE-2026-41846", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41846 affects version 5.3.39-tuxcare.8 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:b24a358d-15af-5c50-bbfb-3a60822cffe1", "id": "CVE-2026-41847", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41847 affects version 5.3.39-tuxcare.8 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:737c5317-25b0-51fb-a062-a487b6e36640", "id": "CVE-2026-41848", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41848 affects version 5.3.39-tuxcare.8 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:a5f2bf59-7cd3-54b3-a5a6-c0b75ef39a34", "id": "CVE-2026-41849", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41849 affects version 5.3.39-tuxcare.8 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:b388c389-3f3d-5afd-b504-08e55caeb5f7", "id": "CVE-2026-41850", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41850 affects version 5.3.39-tuxcare.8 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:a55599b4-7b89-535a-8405-219e94ef29ea", "id": "CVE-2026-41851", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41851 affects version 5.3.39-tuxcare.8 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:f7720afa-9b21-520b-bcbe-9a97eda4b664", "id": "CVE-2026-41852", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41852 affects version 5.3.39-tuxcare.8 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:730bf511-2296-5e08-94c5-8bdef1012762", "id": "CVE-2026-41853", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41853 affects version 5.3.39-tuxcare.8 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:27f38a4b-83e6-5a01-8a55-6552b36b8b91", "id": "CVE-2026-41855", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41855 affects version 5.3.39-tuxcare.8 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.8" } ] } ], "dependencies": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.8" } ] }