{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:c781c32d-3b12-5e5b-8617-9b66ef931938", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:maven/org.springframework/spring-expression@6.1.21-tuxcare.1", "type": "library", "group": "org.springframework", "name": "spring-expression", "version": "6.1.21-tuxcare.1", "purl": "pkg:maven/org.springframework/spring-expression@6.1.21-tuxcare.1" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:086f8d77-ed47-5599-8ef2-7501c46b27e0", "id": "CVE-2025-22233", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-22233 affects version 6.1.21-tuxcare.1 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@6.1.21-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:964df826-0b02-55be-80c3-eda37643d330", "id": "CVE-2025-41242", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-41242 is fixed in version 6.1.21-tuxcare.1 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@6.1.21-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:4cb7a70a-8cf3-5f81-a545-76ecb84ca153", "id": "CVE-2025-41249", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-41249 is fixed in version 6.1.21-tuxcare.1 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@6.1.21-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:f98803c6-53f2-5253-8bb4-01c5c6ec1b9c", "id": "CVE-2025-41254", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41254 affects version 6.1.21-tuxcare.1 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@6.1.21-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:97c3d5fc-6660-520c-887c-08be9d2f4b1c", "id": "CVE-2026-22735", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22735 affects version 6.1.21-tuxcare.1 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@6.1.21-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:0b8f8765-448b-5f97-a44a-4dd54311f050", "id": "CVE-2026-22737", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22737 affects version 6.1.21-tuxcare.1 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@6.1.21-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:5438b1c8-9849-592c-b8b2-c4aa4f4a9f13", "id": "CVE-2026-22740", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22740 affects version 6.1.21-tuxcare.1 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@6.1.21-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:02acd403-1430-54dd-a9a9-77e292ba417c", "id": "CVE-2026-22741", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22741 affects version 6.1.21-tuxcare.1 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@6.1.21-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:6686aa3f-fea1-5604-ace7-e9218f6382d8", "id": "CVE-2026-22745", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22745 affects version 6.1.21-tuxcare.1 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@6.1.21-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:519847e9-9b0b-585e-a049-18419b277b7f", "id": "CVE-2026-41838", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41838 affects version 6.1.21-tuxcare.1 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@6.1.21-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:5d666d4f-c580-50b3-8e3b-1b94a2d1f240", "id": "CVE-2026-41839", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41839 affects version 6.1.21-tuxcare.1 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@6.1.21-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:931f314d-b2ac-55a3-8448-cf6fe97aab18", "id": "CVE-2026-41840", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41840 does not affect version 6.1.21-tuxcare.1 of org.springframework:spring-expression. already_fixed \u2014 The target repository (Spring Framework 6.1.21-tuxcare.6) already contains both upstream patches that address CVE-2026-41840. The fixes were previously applied as part of TuxCare backports for CVE-2026-22740 (commit d8aa04a97f, 2026-06-08) and memory leak fixes (commit e7c90921fd, 2026-04-29). Both doOnDiscard handlers are present in the current code, preventing resource exhaustion from multipa..." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@6.1.21-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:368dfc51-6849-5351-acff-b8af8cee2cb1", "id": "CVE-2026-41841", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41841 affects version 6.1.21-tuxcare.1 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@6.1.21-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:8df481d7-538f-5acb-b85e-8e30355e6b8c", "id": "CVE-2026-41842", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41842 affects version 6.1.21-tuxcare.1 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@6.1.21-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:09055167-0e78-5a22-9055-e2b08fbf3e56", "id": "CVE-2026-41843", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41843 affects version 6.1.21-tuxcare.1 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@6.1.21-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:af8cfc11-85e4-5ab3-ac23-f2eaa4d446bf", "id": "CVE-2026-41844", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41844 affects version 6.1.21-tuxcare.1 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@6.1.21-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:a6e1cac2-18ef-5674-9163-0277068ad17f", "id": "CVE-2026-41845", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41845 affects version 6.1.21-tuxcare.1 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@6.1.21-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:c3c8e6da-cd57-5ead-9d82-08fb8a141430", "id": "CVE-2026-41846", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41846 affects version 6.1.21-tuxcare.1 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@6.1.21-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:ec272c3c-0fcd-5bc4-99a4-d41a9f45dd3f", "id": "CVE-2026-41848", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41848 affects version 6.1.21-tuxcare.1 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@6.1.21-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:46f40b81-f55d-5aa8-b608-6d3ce88b39ef", "id": "CVE-2026-41850", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41850 affects version 6.1.21-tuxcare.1 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@6.1.21-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:ab789ed6-5f8b-5bac-9842-e619ff55ea66", "id": "CVE-2026-41851", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41851 affects version 6.1.21-tuxcare.1 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@6.1.21-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:d91539b9-098e-5665-a8ac-6b0a71bd8d7d", "id": "CVE-2026-41852", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41852 affects version 6.1.21-tuxcare.1 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@6.1.21-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:1a080e43-8c21-543e-8aa5-553f3bfb4649", "id": "CVE-2026-41853", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41853 affects version 6.1.21-tuxcare.1 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@6.1.21-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:63b74f9a-6f1d-5af9-b2b0-b39d8a27cb38", "id": "CVE-2026-41855", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41855 affects version 6.1.21-tuxcare.1 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@6.1.21-tuxcare.1" } ] } ], "dependencies": [ { "ref": "pkg:maven/org.springframework/spring-expression@6.1.21-tuxcare.1" } ] }