{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:f527a61c-53aa-5319-8e74-58441462927e", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:maven/org.springframework/spring-instrument@5.3.39-tuxcare.7", "type": "library", "group": "org.springframework", "name": "spring-instrument", "version": "5.3.39-tuxcare.7", "purl": "pkg:maven/org.springframework/spring-instrument@5.3.39-tuxcare.7" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:273ec8a8-45e6-51a0-9325-a9b9146b75a3", "id": "CVE-2016-1000027", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2016-1000027 affects version 5.3.39-tuxcare.7 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:14304437-3a9d-52f6-b2d3-03bb8a560fbf", "id": "CVE-2022-22968", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2022-22968 does not affect version 5.3.39-tuxcare.7 of org.springframework:spring-instrument. Spring version 5.3.39 is not affected to CVE-2022-22968 as fix has been already already backported by the original developers" }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:ec0437c2-b645-5910-8d9e-98a336e5bab4", "id": "CVE-2024-38816", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38816 is fixed in version 5.3.39-tuxcare.7 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:1aa78b70-9702-5f3a-8150-965d4cdb3041", "id": "CVE-2024-38819", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38819 is fixed in version 5.3.39-tuxcare.7 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:f22b5de0-05bf-56fb-b0d8-7c16d733b89d", "id": "CVE-2024-38820", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38820 is fixed in version 5.3.39-tuxcare.7 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:53fbe6be-5ac0-5657-a180-9aa187bde279", "id": "CVE-2024-38828", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38828 is fixed in version 5.3.39-tuxcare.7 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:30d578e1-a757-590d-9449-eb2ec0cf08c9", "id": "CVE-2025-22233", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-22233 is fixed in version 5.3.39-tuxcare.7 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:03501fdc-6017-5bd8-b290-34a23b0284ff", "id": "CVE-2025-41234", "analysis": { "state": "false_positive", "detail": "Vulnerability CVE-2025-41234 is a false positive for org.springframework:spring-instrument 5.3.39-tuxcare.7." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:ad5ead53-3df6-5a70-8b4a-c133ae255d83", "id": "CVE-2025-41242", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-41242 is fixed in version 5.3.39-tuxcare.7 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:f1f376fe-0af4-5564-b93c-ba59a0e96b86", "id": "CVE-2025-41249", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41249 affects version 5.3.39-tuxcare.7 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:6a0338aa-8842-5494-b9d3-17a0624ca9fb", "id": "CVE-2025-41254", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41254 affects version 5.3.39-tuxcare.7 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:c42965cb-f2b6-5b71-8750-e1bb09081970", "id": "CVE-2026-22735", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22735 affects version 5.3.39-tuxcare.7 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:1f496b2e-6888-5855-8e6c-404891dd8e77", "id": "CVE-2026-22737", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22737 affects version 5.3.39-tuxcare.7 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:c1a99af9-e6f2-5234-9f13-337ffeabdd62", "id": "CVE-2026-22740", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22740 affects version 5.3.39-tuxcare.7 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:22aa4f57-4f5a-5bea-bba0-44f5030ffd69", "id": "CVE-2026-22741", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22741 affects version 5.3.39-tuxcare.7 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:5afdd6cb-6fa0-513f-bf71-859dbe999592", "id": "CVE-2026-22745", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22745 affects version 5.3.39-tuxcare.7 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:2d5cfde9-48a0-5d76-9681-05d67676d239", "id": "CVE-2026-41838", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41838 affects version 5.3.39-tuxcare.7 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:ab4cc288-d7cc-5f68-8806-8555f6834d2e", "id": "CVE-2026-41839", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41839 affects version 5.3.39-tuxcare.7 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:d25d8555-a193-5d51-b72d-294431ca3691", "id": "CVE-2026-41840", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41840 does not affect version 5.3.39-tuxcare.7 of org.springframework:spring-instrument. already_fixed \u2014 The target Spring Framework 5.3.39-tuxcare.12 already contains both vendor fixes for CVE-2026-41840. The fixes were backported via commit 4ef4cdca34 (May 13, 2026) under CVE-2026-22740, but the code changes are identical to the upstream patches. Both doOnDiscard handlers are present and active in PartGenerator.java and MultipartHttpMessageReader.java, preventing memory exhaustion from unrelease..." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:ee3a0852-bce7-5119-baf0-349dfb1aaca0", "id": "CVE-2026-41841", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41841 affects version 5.3.39-tuxcare.7 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:cb0f15cb-0358-5ba3-a3da-0d9780c31c2e", "id": "CVE-2026-41842", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41842 affects version 5.3.39-tuxcare.7 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:3dd265ec-17c5-5895-9094-da0537eac385", "id": "CVE-2026-41843", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41843 affects version 5.3.39-tuxcare.7 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:e7cf8484-9490-515b-9258-8c2e96ea0856", "id": "CVE-2026-41844", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41844 affects version 5.3.39-tuxcare.7 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:5fcc8f86-524a-5e93-8ba2-a96c62faa0db", "id": "CVE-2026-41845", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41845 affects version 5.3.39-tuxcare.7 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:0cf9ed04-1e62-5881-b0df-751398d1da5b", "id": "CVE-2026-41846", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41846 affects version 5.3.39-tuxcare.7 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:8f7c7176-7daf-5c1c-bd6b-6ed9e1c81124", "id": "CVE-2026-41847", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41847 affects version 5.3.39-tuxcare.7 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:7eb7a0c2-0291-57f0-b19b-d5d1481ea879", "id": "CVE-2026-41848", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41848 affects version 5.3.39-tuxcare.7 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:e742b1eb-64a3-5682-b921-ec0e18e268ab", "id": "CVE-2026-41849", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41849 affects version 5.3.39-tuxcare.7 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:6fa20d1e-e7b9-5cc8-8619-e22376e6863b", "id": "CVE-2026-41850", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41850 affects version 5.3.39-tuxcare.7 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:0d87a483-2583-591a-a976-c160c866d75f", "id": "CVE-2026-41851", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41851 affects version 5.3.39-tuxcare.7 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:3b83f48f-1f1e-53f1-9992-87fd0a881219", "id": "CVE-2026-41852", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41852 affects version 5.3.39-tuxcare.7 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:f48edfe6-0c17-5e6d-8ec7-85b5963b9675", "id": "CVE-2026-41853", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41853 affects version 5.3.39-tuxcare.7 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:adbc11a7-da1e-5fce-8e9e-e61eeede8817", "id": "CVE-2026-41855", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41855 affects version 5.3.39-tuxcare.7 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39-tuxcare.7" } ] } ], "dependencies": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39-tuxcare.7" } ] }