{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:b82b3120-25b8-5a3d-b953-9deaa76cc849", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:maven/org.springframework/spring-framework-bom@6.1.20-tuxcare.3", "type": "library", "group": "org.springframework", "name": "spring-framework-bom", "version": "6.1.20-tuxcare.3", "purl": "pkg:maven/org.springframework/spring-framework-bom@6.1.20-tuxcare.3" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:99b6195b-db8f-5879-9bd9-82526fc1ba5d", "id": "CVE-2025-22233", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-22233 affects version 6.1.20-tuxcare.3 of org.springframework:spring-framework-bom." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-framework-bom@6.1.20-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:82628e2b-7871-592e-9503-95a3c49ef52d", "id": "CVE-2025-41234", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-41234 is fixed in version 6.1.20-tuxcare.3 of org.springframework:spring-framework-bom." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-framework-bom@6.1.20-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:9872670d-a089-574b-a683-094c2593401b", "id": "CVE-2025-41242", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41242 affects version 6.1.20-tuxcare.3 of org.springframework:spring-framework-bom." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-framework-bom@6.1.20-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:757eec27-58bb-5e1d-9707-14758c7a4f84", "id": "CVE-2025-41249", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41249 affects version 6.1.20-tuxcare.3 of org.springframework:spring-framework-bom." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-framework-bom@6.1.20-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:582654c3-f72b-55e7-b10d-566474b62c69", "id": "CVE-2025-41254", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41254 affects version 6.1.20-tuxcare.3 of org.springframework:spring-framework-bom." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-framework-bom@6.1.20-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:4b86f480-dd0c-5669-a39d-728dd1e7ae21", "id": "CVE-2026-22735", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22735 is fixed in version 6.1.20-tuxcare.3 of org.springframework:spring-framework-bom." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-framework-bom@6.1.20-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:5ed020a9-1fd1-54ca-bf7b-a5788c4e9aaf", "id": "CVE-2026-22737", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22737 affects version 6.1.20-tuxcare.3 of org.springframework:spring-framework-bom." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-framework-bom@6.1.20-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:9ed71837-a40e-543f-8fac-142578ff1885", "id": "CVE-2026-22740", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22740 is fixed in version 6.1.20-tuxcare.3 of org.springframework:spring-framework-bom." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-framework-bom@6.1.20-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:7a7fd3b3-1e2f-539c-ba84-07f1247558d5", "id": "CVE-2026-22741", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22741 is fixed in version 6.1.20-tuxcare.3 of org.springframework:spring-framework-bom." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-framework-bom@6.1.20-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:1d8e739d-c16e-5180-a08d-6e1e9377b60b", "id": "CVE-2026-22745", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22745 is fixed in version 6.1.20-tuxcare.3 of org.springframework:spring-framework-bom." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-framework-bom@6.1.20-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:39f969f6-8b5f-54ce-8a3a-a718880407cc", "id": "CVE-2026-41838", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41838 affects version 6.1.20-tuxcare.3 of org.springframework:spring-framework-bom." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-framework-bom@6.1.20-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:27047996-7c25-5586-8b95-f9c9c856b791", "id": "CVE-2026-41839", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41839 affects version 6.1.20-tuxcare.3 of org.springframework:spring-framework-bom." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-framework-bom@6.1.20-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:32ce2c9c-96c0-58ab-942c-70f20b2afc70", "id": "CVE-2026-41840", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41840 does not affect version 6.1.20-tuxcare.3 of org.springframework:spring-framework-bom. already_fixed \u2014 Spring Framework 6.1.20-tuxcare.4 already contains both doOnDiscard handlers that prevent the multipart memory leak vulnerability. The fixes were applied via TuxCare backport commit a6b78f2a1c on May 19, 2026 under CVE-2026-22740, which appears to be the same or closely related vulnerability as CVE-2026-41840." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-framework-bom@6.1.20-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:315617fb-a6e2-5a82-83d8-0af19d0c111e", "id": "CVE-2026-41841", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41841 affects version 6.1.20-tuxcare.3 of org.springframework:spring-framework-bom." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-framework-bom@6.1.20-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:a3716a0b-1c92-5825-8cf0-007e608c0136", "id": "CVE-2026-41842", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41842 affects version 6.1.20-tuxcare.3 of org.springframework:spring-framework-bom." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-framework-bom@6.1.20-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:8a57da8c-01a9-5fc8-9253-c6a330a5d00e", "id": "CVE-2026-41843", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41843 affects version 6.1.20-tuxcare.3 of org.springframework:spring-framework-bom." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-framework-bom@6.1.20-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:ae91c196-86ec-5c0f-b586-980c874ea7ef", "id": "CVE-2026-41844", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41844 affects version 6.1.20-tuxcare.3 of org.springframework:spring-framework-bom." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-framework-bom@6.1.20-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:2ac8f4d0-d479-56d9-b639-2fc295aa4513", "id": "CVE-2026-41845", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41845 affects version 6.1.20-tuxcare.3 of org.springframework:spring-framework-bom." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-framework-bom@6.1.20-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:ff6b7f54-355c-5051-a95c-04659a39580c", "id": "CVE-2026-41846", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41846 affects version 6.1.20-tuxcare.3 of org.springframework:spring-framework-bom." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-framework-bom@6.1.20-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:2b56c675-d579-5ab9-bece-3247ce6c013f", "id": "CVE-2026-41848", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41848 affects version 6.1.20-tuxcare.3 of org.springframework:spring-framework-bom." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-framework-bom@6.1.20-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:21265892-ecef-5893-ac29-8d0e0e028c55", "id": "CVE-2026-41850", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41850 affects version 6.1.20-tuxcare.3 of org.springframework:spring-framework-bom." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-framework-bom@6.1.20-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:209f1872-02a3-5a81-abf2-4ed97a616eb8", "id": "CVE-2026-41851", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41851 affects version 6.1.20-tuxcare.3 of org.springframework:spring-framework-bom." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-framework-bom@6.1.20-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:4ae95223-cb5f-5e11-8da0-a2664f5d66c3", "id": "CVE-2026-41852", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41852 affects version 6.1.20-tuxcare.3 of org.springframework:spring-framework-bom." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-framework-bom@6.1.20-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:7ec75e6b-8652-5a2f-afd1-a1728b399b57", "id": "CVE-2026-41853", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41853 affects version 6.1.20-tuxcare.3 of org.springframework:spring-framework-bom." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-framework-bom@6.1.20-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:34663446-d118-5740-9ceb-6138701f852d", "id": "CVE-2026-41855", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41855 affects version 6.1.20-tuxcare.3 of org.springframework:spring-framework-bom." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-framework-bom@6.1.20-tuxcare.3" } ] } ], "dependencies": [ { "ref": "pkg:maven/org.springframework/spring-framework-bom@6.1.20-tuxcare.3" } ] }