{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:41de52f7-9b7d-5234-bf9d-05b7dce3f8ae", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.9", "type": "library", "group": "org.springframework", "name": "spring-expression", "version": "5.3.39-tuxcare.9", "purl": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.9" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:d2f7d3e5-b3f1-505b-835c-e86e5885884a", "id": "CVE-2016-1000027", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2016-1000027 affects version 5.3.39-tuxcare.9 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:cf120186-2156-5473-9e91-ebbd930c3023", "id": "CVE-2022-22968", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2022-22968 does not affect version 5.3.39-tuxcare.9 of org.springframework:spring-expression. Spring version 5.3.39 is not affected to CVE-2022-22968 as fix has been already already backported by the original developers" }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:4f0598a8-e3b6-5c5e-b158-605dace75ab5", "id": "CVE-2024-38816", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38816 is fixed in version 5.3.39-tuxcare.9 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:c36d457d-e22b-5074-bb19-6dce4fed0b7a", "id": "CVE-2024-38819", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38819 is fixed in version 5.3.39-tuxcare.9 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:c88862cc-d8f0-55b3-bf6c-24feed8f2aa8", "id": "CVE-2024-38820", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38820 is fixed in version 5.3.39-tuxcare.9 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:8dc1d7e8-6842-5dfc-921c-2f904a4b24bd", "id": "CVE-2024-38828", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38828 is fixed in version 5.3.39-tuxcare.9 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:daa24bff-586a-548e-a1b7-9c57f33a1f92", "id": "CVE-2025-22233", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-22233 is fixed in version 5.3.39-tuxcare.9 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:55f447ce-67c6-5e02-903d-b655096ec2d7", "id": "CVE-2025-41234", "analysis": { "state": "false_positive", "detail": "Vulnerability CVE-2025-41234 is a false positive for org.springframework:spring-expression 5.3.39-tuxcare.9." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:cb5d45e8-9fe7-553c-b46b-fbaed7e79d9e", "id": "CVE-2025-41242", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-41242 is fixed in version 5.3.39-tuxcare.9 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:eab73703-8ab8-5160-8b25-717418a5402d", "id": "CVE-2025-41249", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-41249 is fixed in version 5.3.39-tuxcare.9 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:f265d10f-dbde-501b-af88-e95939ef46a9", "id": "CVE-2025-41254", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-41254 is fixed in version 5.3.39-tuxcare.9 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:059524d9-e444-5c8f-a2b7-2418e1c71ae4", "id": "CVE-2026-22735", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22735 affects version 5.3.39-tuxcare.9 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:35b0e324-e958-5bba-9c28-16eab7494288", "id": "CVE-2026-22737", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22737 affects version 5.3.39-tuxcare.9 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:742a88e1-ed5d-569b-ae18-1fb6f4d88293", "id": "CVE-2026-22740", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22740 affects version 5.3.39-tuxcare.9 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:47b025e5-3135-5f3a-bf92-abf512b9d100", "id": "CVE-2026-22741", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22741 affects version 5.3.39-tuxcare.9 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:852ee132-92ee-59be-b5e7-54ff850b75b7", "id": "CVE-2026-22745", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22745 affects version 5.3.39-tuxcare.9 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:e622bafc-f7f7-5cff-821c-fa9d46b8dd51", "id": "CVE-2026-41838", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41838 affects version 5.3.39-tuxcare.9 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:f6aab46f-343e-55c2-a324-4e1356bc37c1", "id": "CVE-2026-41839", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41839 affects version 5.3.39-tuxcare.9 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:90c2fd0b-2e62-55db-90b2-63858bf388c3", "id": "CVE-2026-41840", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41840 does not affect version 5.3.39-tuxcare.9 of org.springframework:spring-expression. already_fixed \u2014 The target Spring Framework 5.3.39-tuxcare.12 already contains both vendor fixes for CVE-2026-41840. The fixes were backported via commit 4ef4cdca34 (May 13, 2026) under CVE-2026-22740, but the code changes are identical to the upstream patches. Both doOnDiscard handlers are present and active in PartGenerator.java and MultipartHttpMessageReader.java, preventing memory exhaustion from unrelease..." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:045a6eb2-945f-5516-be34-7c5c3a0d0927", "id": "CVE-2026-41841", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41841 affects version 5.3.39-tuxcare.9 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:71114e40-af16-504e-a210-f6b744641351", "id": "CVE-2026-41842", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41842 affects version 5.3.39-tuxcare.9 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:2ff9fcf2-00aa-5d1c-bdca-1e26c917ca56", "id": "CVE-2026-41843", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41843 affects version 5.3.39-tuxcare.9 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:22d75776-c4af-5102-a047-258c9a66a5ad", "id": "CVE-2026-41844", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41844 affects version 5.3.39-tuxcare.9 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:3893678b-e859-5321-9bac-09dc4137e4c5", "id": "CVE-2026-41845", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41845 affects version 5.3.39-tuxcare.9 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:e158b158-5113-5f02-bb7a-d23e9cbfa815", "id": "CVE-2026-41846", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41846 affects version 5.3.39-tuxcare.9 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:cf4fcb11-dc44-5d11-b29a-dd72830aa408", "id": "CVE-2026-41847", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41847 affects version 5.3.39-tuxcare.9 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:d712fdea-f732-5900-9b84-2129912dbb3e", "id": "CVE-2026-41848", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41848 affects version 5.3.39-tuxcare.9 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:a2ff2161-1e35-53df-8d27-2d82bcc714e3", "id": "CVE-2026-41849", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41849 affects version 5.3.39-tuxcare.9 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:7744d116-a363-51fa-8e2e-048307575eed", "id": "CVE-2026-41850", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41850 affects version 5.3.39-tuxcare.9 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:fd21089a-9894-5239-90da-02c34bd8f106", "id": "CVE-2026-41851", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41851 affects version 5.3.39-tuxcare.9 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:0476ec25-bb25-5527-aee9-361156a24a60", "id": "CVE-2026-41852", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41852 affects version 5.3.39-tuxcare.9 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:e3651bcd-30b5-57b1-ac5d-f4e0ab1438c8", "id": "CVE-2026-41853", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41853 affects version 5.3.39-tuxcare.9 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:f2726202-fb96-5319-9052-755095918adb", "id": "CVE-2026-41855", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41855 affects version 5.3.39-tuxcare.9 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.9" } ] } ], "dependencies": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.9" } ] }