{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:5390e77f-dd08-555c-99d1-2ac275b903fe", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:maven/org.springframework/spring-instrument@5.3.39-tuxcare.11", "type": "library", "group": "org.springframework", "name": "spring-instrument", "version": "5.3.39-tuxcare.11", "purl": "pkg:maven/org.springframework/spring-instrument@5.3.39-tuxcare.11" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:05261011-4332-55da-b656-c347899eecc8", "id": "CVE-2016-1000027", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2016-1000027 affects version 5.3.39-tuxcare.11 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39-tuxcare.11" } ] }, { "bom-ref": "urn:uuid:dbf1cb6a-798f-5e6d-abef-95db934167d3", "id": "CVE-2022-22968", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2022-22968 does not affect version 5.3.39-tuxcare.11 of org.springframework:spring-instrument. Spring version 5.3.39 is not affected to CVE-2022-22968 as fix has been already already backported by the original developers" }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39-tuxcare.11" } ] }, { "bom-ref": "urn:uuid:b6753ebe-a1b1-5a1b-bd5f-d8f9211630f5", "id": "CVE-2024-38816", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38816 is fixed in version 5.3.39-tuxcare.11 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39-tuxcare.11" } ] }, { "bom-ref": "urn:uuid:3dd525b8-0bc8-5aee-9d39-76aca4430b3c", "id": "CVE-2024-38819", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38819 is fixed in version 5.3.39-tuxcare.11 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39-tuxcare.11" } ] }, { "bom-ref": "urn:uuid:a381b0da-0b5c-557e-87ae-0f065c92fdd9", "id": "CVE-2024-38820", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38820 is fixed in version 5.3.39-tuxcare.11 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39-tuxcare.11" } ] }, { "bom-ref": "urn:uuid:38fe549c-6dc9-5527-abcd-0a330b9b4a02", "id": "CVE-2024-38828", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38828 is fixed in version 5.3.39-tuxcare.11 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39-tuxcare.11" } ] }, { "bom-ref": "urn:uuid:44213a20-3a94-556f-a28b-c6eed0725212", "id": "CVE-2025-22233", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-22233 is fixed in version 5.3.39-tuxcare.11 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39-tuxcare.11" } ] }, { "bom-ref": "urn:uuid:b637e246-9c81-5ddb-8c11-ad2f285e1b28", "id": "CVE-2025-41234", "analysis": { "state": "false_positive", "detail": "Vulnerability CVE-2025-41234 is a false positive for org.springframework:spring-instrument 5.3.39-tuxcare.11." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39-tuxcare.11" } ] }, { "bom-ref": "urn:uuid:ad278e8f-bf6a-5cf7-bb44-021b47600d44", "id": "CVE-2025-41242", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-41242 is fixed in version 5.3.39-tuxcare.11 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39-tuxcare.11" } ] }, { "bom-ref": "urn:uuid:76976360-b06b-5140-b9e1-15d1721c3d31", "id": "CVE-2025-41249", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-41249 is fixed in version 5.3.39-tuxcare.11 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39-tuxcare.11" } ] }, { "bom-ref": "urn:uuid:99070fc2-57a9-538a-94b1-e6098bdac231", "id": "CVE-2025-41254", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-41254 is fixed in version 5.3.39-tuxcare.11 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39-tuxcare.11" } ] }, { "bom-ref": "urn:uuid:b8e20419-111d-5fd8-bb1d-4751f524a118", "id": "CVE-2026-22735", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22735 affects version 5.3.39-tuxcare.11 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39-tuxcare.11" } ] }, { "bom-ref": "urn:uuid:71608da1-0063-5bb4-b659-a85cc51cff79", "id": "CVE-2026-22737", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22737 is fixed in version 5.3.39-tuxcare.11 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39-tuxcare.11" } ] }, { "bom-ref": "urn:uuid:ada3f7a6-357f-5699-8f78-4b81199266f0", "id": "CVE-2026-22740", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22740 is fixed in version 5.3.39-tuxcare.11 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39-tuxcare.11" } ] }, { "bom-ref": "urn:uuid:4108254d-c73d-5f6c-94b0-b0278a5fa890", "id": "CVE-2026-22741", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22741 is fixed in version 5.3.39-tuxcare.11 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39-tuxcare.11" } ] }, { "bom-ref": "urn:uuid:12977ad9-d543-59a0-a859-dafdabf8a51b", "id": "CVE-2026-22745", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22745 is fixed in version 5.3.39-tuxcare.11 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39-tuxcare.11" } ] }, { "bom-ref": "urn:uuid:313dae34-b61f-548f-af6a-518c0e5e60d7", "id": "CVE-2026-41838", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41838 affects version 5.3.39-tuxcare.11 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39-tuxcare.11" } ] }, { "bom-ref": "urn:uuid:7ea2a1d3-d958-5d21-b9da-db005e1f945c", "id": "CVE-2026-41839", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41839 affects version 5.3.39-tuxcare.11 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39-tuxcare.11" } ] }, { "bom-ref": "urn:uuid:09adfa30-6c8c-5348-a0a7-bd9dfa8c19ce", "id": "CVE-2026-41840", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41840 does not affect version 5.3.39-tuxcare.11 of org.springframework:spring-instrument. already_fixed \u2014 The target Spring Framework 5.3.39-tuxcare.12 already contains both vendor fixes for CVE-2026-41840. The fixes were backported via commit 4ef4cdca34 (May 13, 2026) under CVE-2026-22740, but the code changes are identical to the upstream patches. Both doOnDiscard handlers are present and active in PartGenerator.java and MultipartHttpMessageReader.java, preventing memory exhaustion from unrelease..." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39-tuxcare.11" } ] }, { "bom-ref": "urn:uuid:0e0f6e76-783b-5006-bf1d-9c95aa762ae8", "id": "CVE-2026-41841", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41841 affects version 5.3.39-tuxcare.11 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39-tuxcare.11" } ] }, { "bom-ref": "urn:uuid:26226eed-4d00-52a6-8b55-2554598f35fe", "id": "CVE-2026-41842", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41842 affects version 5.3.39-tuxcare.11 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39-tuxcare.11" } ] }, { "bom-ref": "urn:uuid:7512beea-4d9e-59f8-a1c5-c57708b60b37", "id": "CVE-2026-41843", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41843 affects version 5.3.39-tuxcare.11 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39-tuxcare.11" } ] }, { "bom-ref": "urn:uuid:0811e10f-11b3-5435-9616-82febfc07154", "id": "CVE-2026-41844", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41844 affects version 5.3.39-tuxcare.11 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39-tuxcare.11" } ] }, { "bom-ref": "urn:uuid:c9b679ee-d00e-5ceb-a916-f1ab89c6bfc7", "id": "CVE-2026-41845", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41845 affects version 5.3.39-tuxcare.11 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39-tuxcare.11" } ] }, { "bom-ref": "urn:uuid:2a474905-e7fd-58e2-b1c6-dcdb69c74a96", "id": "CVE-2026-41846", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41846 affects version 5.3.39-tuxcare.11 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39-tuxcare.11" } ] }, { "bom-ref": "urn:uuid:de21c616-a30e-5086-8351-3904c18e03e4", "id": "CVE-2026-41847", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41847 affects version 5.3.39-tuxcare.11 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39-tuxcare.11" } ] }, { "bom-ref": "urn:uuid:597ae3b9-5d79-594e-a6ea-c52769eea04d", "id": "CVE-2026-41848", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41848 affects version 5.3.39-tuxcare.11 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39-tuxcare.11" } ] }, { "bom-ref": "urn:uuid:4f89c3f6-fca3-5e82-90a3-ccb399a64fc8", "id": "CVE-2026-41849", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41849 affects version 5.3.39-tuxcare.11 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39-tuxcare.11" } ] }, { "bom-ref": "urn:uuid:9d449e2c-82fe-5fbc-9de0-a121b59bc963", "id": "CVE-2026-41850", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41850 affects version 5.3.39-tuxcare.11 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39-tuxcare.11" } ] }, { "bom-ref": "urn:uuid:66ff6f7f-ca55-54b1-ad9e-ab75592a8f4e", "id": "CVE-2026-41851", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41851 affects version 5.3.39-tuxcare.11 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39-tuxcare.11" } ] }, { "bom-ref": "urn:uuid:ed8b9eb5-bc12-5a41-a80f-e3414764242a", "id": "CVE-2026-41852", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41852 affects version 5.3.39-tuxcare.11 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39-tuxcare.11" } ] }, { "bom-ref": "urn:uuid:6c0b0eab-9962-5a30-80c3-513f5b377df7", "id": "CVE-2026-41853", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41853 affects version 5.3.39-tuxcare.11 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39-tuxcare.11" } ] }, { "bom-ref": "urn:uuid:9600075e-6dfc-5e78-9f9a-d40517a1b10b", "id": "CVE-2026-41855", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41855 affects version 5.3.39-tuxcare.11 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39-tuxcare.11" } ] } ], "dependencies": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39-tuxcare.11" } ] }