{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:86f78af4-52f8-5b29-ba84-37b0be238ae3", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:maven/org.springframework/spring-framework-bom@5.3.39-tuxcare.7", "type": "library", "group": "org.springframework", "name": "spring-framework-bom", "version": "5.3.39-tuxcare.7", "purl": "pkg:maven/org.springframework/spring-framework-bom@5.3.39-tuxcare.7" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:517437b4-53ce-5ecf-99bf-11d00126cc4b", "id": "CVE-2016-1000027", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2016-1000027 affects version 5.3.39-tuxcare.7 of org.springframework:spring-framework-bom." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-framework-bom@5.3.39-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:a0d6d7b2-8ef6-5185-a8cb-55f5ebf36d9a", "id": "CVE-2022-22968", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2022-22968 does not affect version 5.3.39-tuxcare.7 of org.springframework:spring-framework-bom. Spring version 5.3.39 is not affected to CVE-2022-22968 as fix has been already already backported by the original developers" }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-framework-bom@5.3.39-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:8bf9dda1-65aa-5076-a3da-31884c43f1b4", "id": "CVE-2024-38816", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38816 is fixed in version 5.3.39-tuxcare.7 of org.springframework:spring-framework-bom." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-framework-bom@5.3.39-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:2e5cb3e5-a567-5830-81ff-5901b36f9878", "id": "CVE-2024-38819", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38819 is fixed in version 5.3.39-tuxcare.7 of org.springframework:spring-framework-bom." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-framework-bom@5.3.39-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:29f775b7-62dc-5b7a-a923-dbc3f4896789", "id": "CVE-2024-38820", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38820 is fixed in version 5.3.39-tuxcare.7 of org.springframework:spring-framework-bom." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-framework-bom@5.3.39-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:edc61342-19f9-50f6-9be9-daa64ccdc74f", "id": "CVE-2024-38828", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38828 is fixed in version 5.3.39-tuxcare.7 of org.springframework:spring-framework-bom." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-framework-bom@5.3.39-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:75fc9a03-46d0-5661-b5f5-ef86eced8038", "id": "CVE-2025-22233", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-22233 is fixed in version 5.3.39-tuxcare.7 of org.springframework:spring-framework-bom." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-framework-bom@5.3.39-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:5ada8d1e-10a0-580f-a986-fa64faf440aa", "id": "CVE-2025-41234", "analysis": { "state": "false_positive", "detail": "Vulnerability CVE-2025-41234 is a false positive for org.springframework:spring-framework-bom 5.3.39-tuxcare.7." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-framework-bom@5.3.39-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:65aa5984-da87-510b-bb2f-0fd23e8fa4f8", "id": "CVE-2025-41242", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-41242 is fixed in version 5.3.39-tuxcare.7 of org.springframework:spring-framework-bom." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-framework-bom@5.3.39-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:d3759e7d-7395-5a7a-8e98-e1c8bb22f6d1", "id": "CVE-2025-41249", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41249 affects version 5.3.39-tuxcare.7 of org.springframework:spring-framework-bom." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-framework-bom@5.3.39-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:86fa4d08-3f10-5604-b360-b373689d0279", "id": "CVE-2025-41254", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41254 affects version 5.3.39-tuxcare.7 of org.springframework:spring-framework-bom." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-framework-bom@5.3.39-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:021ad05b-c597-55fb-815a-cb246030cabf", "id": "CVE-2026-22735", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22735 affects version 5.3.39-tuxcare.7 of org.springframework:spring-framework-bom." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-framework-bom@5.3.39-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:c39317f6-d4de-5b56-b1e7-50ad195ddc4a", "id": "CVE-2026-22737", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22737 affects version 5.3.39-tuxcare.7 of org.springframework:spring-framework-bom." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-framework-bom@5.3.39-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:7228b396-ac3f-5a7c-bc8e-b73f06779c65", "id": "CVE-2026-22740", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22740 affects version 5.3.39-tuxcare.7 of org.springframework:spring-framework-bom." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-framework-bom@5.3.39-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:8ed192fc-350d-5f6c-9aad-4945d3279804", "id": "CVE-2026-22741", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22741 affects version 5.3.39-tuxcare.7 of org.springframework:spring-framework-bom." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-framework-bom@5.3.39-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:920884cc-07c4-505d-9780-9a440543c59b", "id": "CVE-2026-22745", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22745 affects version 5.3.39-tuxcare.7 of org.springframework:spring-framework-bom." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-framework-bom@5.3.39-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:edf64c66-1e04-527d-9224-3c6ab6a82f77", "id": "CVE-2026-41838", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41838 affects version 5.3.39-tuxcare.7 of org.springframework:spring-framework-bom." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-framework-bom@5.3.39-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:41fc6337-9f6a-557f-8c92-cd1926ab3586", "id": "CVE-2026-41839", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41839 affects version 5.3.39-tuxcare.7 of org.springframework:spring-framework-bom." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-framework-bom@5.3.39-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:4f28b98d-4e72-5906-9544-14d13c5eb015", "id": "CVE-2026-41840", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41840 does not affect version 5.3.39-tuxcare.7 of org.springframework:spring-framework-bom. already_fixed \u2014 The target Spring Framework 5.3.39-tuxcare.12 already contains both vendor fixes for CVE-2026-41840. The fixes were backported via commit 4ef4cdca34 (May 13, 2026) under CVE-2026-22740, but the code changes are identical to the upstream patches. Both doOnDiscard handlers are present and active in PartGenerator.java and MultipartHttpMessageReader.java, preventing memory exhaustion from unrelease..." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-framework-bom@5.3.39-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:287c94a4-6189-5f2f-9ebc-a9eea01647a7", "id": "CVE-2026-41841", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41841 affects version 5.3.39-tuxcare.7 of org.springframework:spring-framework-bom." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-framework-bom@5.3.39-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:9983b36d-8328-5b00-bc98-8649fe6522a0", "id": "CVE-2026-41842", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41842 affects version 5.3.39-tuxcare.7 of org.springframework:spring-framework-bom." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-framework-bom@5.3.39-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:0a36b2d0-1fe6-5f5b-8830-c7ddebdafd3e", "id": "CVE-2026-41843", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41843 affects version 5.3.39-tuxcare.7 of org.springframework:spring-framework-bom." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-framework-bom@5.3.39-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:b391c0a9-9718-5939-95f7-e905920c168d", "id": "CVE-2026-41844", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41844 affects version 5.3.39-tuxcare.7 of org.springframework:spring-framework-bom." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-framework-bom@5.3.39-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:f446d0ba-9ca0-5c34-9a96-7bf1ed5cc1c3", "id": "CVE-2026-41845", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41845 affects version 5.3.39-tuxcare.7 of org.springframework:spring-framework-bom." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-framework-bom@5.3.39-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:8933cf02-b491-5abb-9261-d185fb114cc1", "id": "CVE-2026-41846", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41846 affects version 5.3.39-tuxcare.7 of org.springframework:spring-framework-bom." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-framework-bom@5.3.39-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:ef8774d2-4cf4-5a22-a236-84f4f994a0aa", "id": "CVE-2026-41847", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41847 affects version 5.3.39-tuxcare.7 of org.springframework:spring-framework-bom." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-framework-bom@5.3.39-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:db0b2120-c03f-5730-ae6f-f5deace9ad64", "id": "CVE-2026-41848", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41848 affects version 5.3.39-tuxcare.7 of org.springframework:spring-framework-bom." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-framework-bom@5.3.39-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:7b3c8daf-3139-5d20-be46-08ff473e5fb7", "id": "CVE-2026-41849", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41849 affects version 5.3.39-tuxcare.7 of org.springframework:spring-framework-bom." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-framework-bom@5.3.39-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:beccac20-9807-54af-9dc0-6f55c86c6342", "id": "CVE-2026-41850", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41850 affects version 5.3.39-tuxcare.7 of org.springframework:spring-framework-bom." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-framework-bom@5.3.39-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:a65b3119-2f9d-520f-8b65-b848754665f7", "id": "CVE-2026-41851", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41851 affects version 5.3.39-tuxcare.7 of org.springframework:spring-framework-bom." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-framework-bom@5.3.39-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:17b47cc3-c7ab-53c7-9b0b-390a66eaa91d", "id": "CVE-2026-41852", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41852 affects version 5.3.39-tuxcare.7 of org.springframework:spring-framework-bom." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-framework-bom@5.3.39-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:eef6ce7c-9ce6-5b63-906f-4a52fce957e0", "id": "CVE-2026-41853", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41853 affects version 5.3.39-tuxcare.7 of org.springframework:spring-framework-bom." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-framework-bom@5.3.39-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:e8756660-dbd4-5e82-a8d8-4c4a89e44e1b", "id": "CVE-2026-41855", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41855 affects version 5.3.39-tuxcare.7 of org.springframework:spring-framework-bom." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-framework-bom@5.3.39-tuxcare.7" } ] } ], "dependencies": [ { "ref": "pkg:maven/org.springframework/spring-framework-bom@5.3.39-tuxcare.7" } ] }