{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:26b8285a-a743-56e0-9f3a-0048f7cad551", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:maven/org.springframework/spring-expression@6.1.21-tuxcare.2", "type": "library", "group": "org.springframework", "name": "spring-expression", "version": "6.1.21-tuxcare.2", "purl": "pkg:maven/org.springframework/spring-expression@6.1.21-tuxcare.2" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:e04e5c9b-056d-587d-94db-6d3d80657a66", "id": "CVE-2025-22233", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-22233 affects version 6.1.21-tuxcare.2 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@6.1.21-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:96671cd2-9ecb-5dc1-a116-9e26933ea158", "id": "CVE-2025-41242", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-41242 is fixed in version 6.1.21-tuxcare.2 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@6.1.21-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:c79b399f-d1ca-547a-aaca-91d04e2ba2d2", "id": "CVE-2025-41249", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-41249 is fixed in version 6.1.21-tuxcare.2 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@6.1.21-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:9f1f4336-b253-57da-a53c-ed5fba7c770c", "id": "CVE-2025-41254", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-41254 is fixed in version 6.1.21-tuxcare.2 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@6.1.21-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:1f110354-a664-5f45-8429-d31a7555e74f", "id": "CVE-2026-22735", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22735 affects version 6.1.21-tuxcare.2 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@6.1.21-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:cd3bdcb0-7be7-5f86-b568-0807819883b0", "id": "CVE-2026-22737", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22737 affects version 6.1.21-tuxcare.2 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@6.1.21-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:c707d02b-3e7b-55c6-8164-f8e3fe8d75b1", "id": "CVE-2026-22740", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22740 affects version 6.1.21-tuxcare.2 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@6.1.21-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:a586daab-4bfa-5a26-aaeb-5b06849c0746", "id": "CVE-2026-22741", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22741 affects version 6.1.21-tuxcare.2 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@6.1.21-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:d8d1bf45-ad50-53b4-aa81-5e0d7b7217e4", "id": "CVE-2026-22745", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22745 affects version 6.1.21-tuxcare.2 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@6.1.21-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:bfb60d09-0a57-5a3b-bb35-56cb96e5cb19", "id": "CVE-2026-41838", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41838 affects version 6.1.21-tuxcare.2 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@6.1.21-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:e9cfc412-42ad-50ce-bf52-e25b33d4e2ac", "id": "CVE-2026-41839", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41839 affects version 6.1.21-tuxcare.2 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@6.1.21-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:49d4b9e3-fd43-5c22-a874-a50a3ef53dc6", "id": "CVE-2026-41840", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41840 does not affect version 6.1.21-tuxcare.2 of org.springframework:spring-expression. already_fixed \u2014 The target repository (Spring Framework 6.1.21-tuxcare.6) already contains both upstream patches that address CVE-2026-41840. The fixes were previously applied as part of TuxCare backports for CVE-2026-22740 (commit d8aa04a97f, 2026-06-08) and memory leak fixes (commit e7c90921fd, 2026-04-29). Both doOnDiscard handlers are present in the current code, preventing resource exhaustion from multipa..." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@6.1.21-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:a56cad73-1deb-503c-b79e-f226c04f4c8e", "id": "CVE-2026-41841", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41841 affects version 6.1.21-tuxcare.2 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@6.1.21-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:15499ac7-52c0-58d1-adfd-276e37dd76b5", "id": "CVE-2026-41842", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41842 affects version 6.1.21-tuxcare.2 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@6.1.21-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:06ed860a-34df-5760-baa3-004883f48650", "id": "CVE-2026-41843", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41843 affects version 6.1.21-tuxcare.2 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@6.1.21-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:ff24c7d8-b8c9-529e-a10a-71e948096407", "id": "CVE-2026-41844", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41844 affects version 6.1.21-tuxcare.2 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@6.1.21-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:b6feed8e-7e76-5bdf-b262-daa7da0bce01", "id": "CVE-2026-41845", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41845 affects version 6.1.21-tuxcare.2 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@6.1.21-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:5ae2f609-6743-5631-8e3c-20845b6ef131", "id": "CVE-2026-41846", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41846 affects version 6.1.21-tuxcare.2 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@6.1.21-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:9cf69d0d-c73b-5740-9eb6-1a611331c6e0", "id": "CVE-2026-41848", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41848 affects version 6.1.21-tuxcare.2 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@6.1.21-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:923948b7-f11c-51f8-b3c7-00ed4e3808ce", "id": "CVE-2026-41850", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41850 affects version 6.1.21-tuxcare.2 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@6.1.21-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:43cf87bd-67d7-55cd-9172-636e18f60cee", "id": "CVE-2026-41851", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41851 affects version 6.1.21-tuxcare.2 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@6.1.21-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:aff6d290-c520-5c9a-b1bf-e72b4a9bcceb", "id": "CVE-2026-41852", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41852 affects version 6.1.21-tuxcare.2 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@6.1.21-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:25b3a123-0651-5bb0-9fd8-e603f94d4005", "id": "CVE-2026-41853", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41853 affects version 6.1.21-tuxcare.2 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@6.1.21-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:85d3a504-f290-5f12-86f7-faf2e6146fb4", "id": "CVE-2026-41855", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41855 affects version 6.1.21-tuxcare.2 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@6.1.21-tuxcare.2" } ] } ], "dependencies": [ { "ref": "pkg:maven/org.springframework/spring-expression@6.1.21-tuxcare.2" } ] }