{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:0e8258a5-847a-584c-a3b2-b8856aa79344", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:maven/org.springframework/spring-instrument@5.3.39.tuxcare.5", "type": "library", "group": "org.springframework", "name": "spring-instrument", "version": "5.3.39.tuxcare.5", "purl": "pkg:maven/org.springframework/spring-instrument@5.3.39.tuxcare.5" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:a776f5d9-257b-5b52-9e12-f7e0cd97c109", "id": "CVE-2016-1000027", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2016-1000027 affects version 5.3.39.tuxcare.5 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39.tuxcare.5" } ] }, { "bom-ref": "urn:uuid:daeb23fc-c6eb-5027-8f9d-8689bcab33ff", "id": "CVE-2022-22968", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2022-22968 does not affect version 5.3.39.tuxcare.5 of org.springframework:spring-instrument. Spring version 5.3.39 is not affected to CVE-2022-22968 as fix has been already already backported by the original developers" }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39.tuxcare.5" } ] }, { "bom-ref": "urn:uuid:11fdc9ef-06ac-5d03-94ce-d63ab3b20b33", "id": "CVE-2024-38816", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38816 is fixed in version 5.3.39.tuxcare.5 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39.tuxcare.5" } ] }, { "bom-ref": "urn:uuid:14fc8ba6-deaf-518a-a6a1-2bc4fc3c2b22", "id": "CVE-2024-38819", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38819 is fixed in version 5.3.39.tuxcare.5 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39.tuxcare.5" } ] }, { "bom-ref": "urn:uuid:1ba05c1e-a9a2-5d6b-87a8-9713c27ecef5", "id": "CVE-2024-38820", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38820 is fixed in version 5.3.39.tuxcare.5 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39.tuxcare.5" } ] }, { "bom-ref": "urn:uuid:a317b4c6-20b4-5d69-8c96-c2c0ec90c92f", "id": "CVE-2024-38828", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38828 is fixed in version 5.3.39.tuxcare.5 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39.tuxcare.5" } ] }, { "bom-ref": "urn:uuid:92e866a3-5f59-548f-a74f-025ed26054d9", "id": "CVE-2025-22233", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-22233 affects version 5.3.39.tuxcare.5 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39.tuxcare.5" } ] }, { "bom-ref": "urn:uuid:bb580650-fd83-57bd-9f0d-211a4d8e6562", "id": "CVE-2025-41234", "analysis": { "state": "false_positive", "detail": "Vulnerability CVE-2025-41234 is a false positive for org.springframework:spring-instrument 5.3.39.tuxcare.5." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39.tuxcare.5" } ] }, { "bom-ref": "urn:uuid:eb80e01d-db46-529f-bef7-d9616cf65e29", "id": "CVE-2025-41242", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41242 affects version 5.3.39.tuxcare.5 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39.tuxcare.5" } ] }, { "bom-ref": "urn:uuid:123134db-1397-534c-9b97-4da218b27afa", "id": "CVE-2025-41249", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41249 affects version 5.3.39.tuxcare.5 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39.tuxcare.5" } ] }, { "bom-ref": "urn:uuid:d79de222-61ac-5fa3-9123-d08de1c000b0", "id": "CVE-2025-41254", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41254 affects version 5.3.39.tuxcare.5 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39.tuxcare.5" } ] }, { "bom-ref": "urn:uuid:d50b846c-0105-5928-b726-64d2cac850a7", "id": "CVE-2026-22735", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22735 affects version 5.3.39.tuxcare.5 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39.tuxcare.5" } ] }, { "bom-ref": "urn:uuid:3324e1f0-0410-59b0-9832-f3aa3dd3cb7f", "id": "CVE-2026-22737", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22737 affects version 5.3.39.tuxcare.5 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39.tuxcare.5" } ] }, { "bom-ref": "urn:uuid:2e172e94-a6f1-58a9-8172-23480a584f5e", "id": "CVE-2026-22740", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22740 affects version 5.3.39.tuxcare.5 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39.tuxcare.5" } ] }, { "bom-ref": "urn:uuid:3b364565-2c51-5389-89bc-6d0778220325", "id": "CVE-2026-22741", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22741 affects version 5.3.39.tuxcare.5 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39.tuxcare.5" } ] }, { "bom-ref": "urn:uuid:6437cfdc-f267-5824-99fb-7ca6d53fefa1", "id": "CVE-2026-22745", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22745 affects version 5.3.39.tuxcare.5 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39.tuxcare.5" } ] }, { "bom-ref": "urn:uuid:712a7ebc-0673-5624-9990-7d9851901a52", "id": "CVE-2026-41838", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41838 affects version 5.3.39.tuxcare.5 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39.tuxcare.5" } ] }, { "bom-ref": "urn:uuid:261b2cdd-8060-5dba-8746-75e022f1d493", "id": "CVE-2026-41839", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41839 affects version 5.3.39.tuxcare.5 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39.tuxcare.5" } ] }, { "bom-ref": "urn:uuid:7e584345-e6e7-5309-954c-a4a10ae6d9fb", "id": "CVE-2026-41840", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41840 does not affect version 5.3.39.tuxcare.5 of org.springframework:spring-instrument. already_fixed \u2014 The target Spring Framework 5.3.39-tuxcare.12 already contains both vendor fixes for CVE-2026-41840. The fixes were backported via commit 4ef4cdca34 (May 13, 2026) under CVE-2026-22740, but the code changes are identical to the upstream patches. Both doOnDiscard handlers are present and active in PartGenerator.java and MultipartHttpMessageReader.java, preventing memory exhaustion from unrelease..." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39.tuxcare.5" } ] }, { "bom-ref": "urn:uuid:8bce4a39-e0b7-5aca-93b7-86650ea587c6", "id": "CVE-2026-41841", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41841 affects version 5.3.39.tuxcare.5 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39.tuxcare.5" } ] }, { "bom-ref": "urn:uuid:d80e5323-73af-5edb-8d0a-ddb39e1f6660", "id": "CVE-2026-41842", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41842 affects version 5.3.39.tuxcare.5 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39.tuxcare.5" } ] }, { "bom-ref": "urn:uuid:83e1515c-2607-555e-bc7a-1b06a10b872a", "id": "CVE-2026-41843", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41843 affects version 5.3.39.tuxcare.5 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39.tuxcare.5" } ] }, { "bom-ref": "urn:uuid:49f0227c-6d0e-5eb2-915a-50a8043dac9f", "id": "CVE-2026-41844", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41844 affects version 5.3.39.tuxcare.5 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39.tuxcare.5" } ] }, { "bom-ref": "urn:uuid:cbded872-f86a-5532-821c-61899c9a4c4f", "id": "CVE-2026-41845", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41845 affects version 5.3.39.tuxcare.5 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39.tuxcare.5" } ] }, { "bom-ref": "urn:uuid:3f503ad2-50f6-5317-8006-86d43a2a9daa", "id": "CVE-2026-41846", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41846 affects version 5.3.39.tuxcare.5 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39.tuxcare.5" } ] }, { "bom-ref": "urn:uuid:01ddf6d5-6743-5abd-baa0-a75a2d2eb019", "id": "CVE-2026-41847", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41847 affects version 5.3.39.tuxcare.5 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39.tuxcare.5" } ] }, { "bom-ref": "urn:uuid:9a879498-f644-5bcc-b8aa-0b942c3fddb1", "id": "CVE-2026-41848", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41848 affects version 5.3.39.tuxcare.5 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39.tuxcare.5" } ] }, { "bom-ref": "urn:uuid:aed0528c-52b8-5bc5-8794-f4d50babfe68", "id": "CVE-2026-41849", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41849 affects version 5.3.39.tuxcare.5 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39.tuxcare.5" } ] }, { "bom-ref": "urn:uuid:a01c8086-19fd-59b3-b452-50b9f8b38118", "id": "CVE-2026-41850", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41850 affects version 5.3.39.tuxcare.5 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39.tuxcare.5" } ] }, { "bom-ref": "urn:uuid:c99bdfc6-9f91-57f7-9350-e1a9dba62709", "id": "CVE-2026-41851", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41851 affects version 5.3.39.tuxcare.5 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39.tuxcare.5" } ] }, { "bom-ref": "urn:uuid:1ec5e254-ab80-52fc-8c5b-532b68d75be2", "id": "CVE-2026-41852", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41852 affects version 5.3.39.tuxcare.5 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39.tuxcare.5" } ] }, { "bom-ref": "urn:uuid:8d1f55a8-f383-57c2-872e-984f75474f4a", "id": "CVE-2026-41853", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41853 affects version 5.3.39.tuxcare.5 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39.tuxcare.5" } ] }, { "bom-ref": "urn:uuid:5d368384-827b-5e7c-bb67-8e2974f9c894", "id": "CVE-2026-41855", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41855 affects version 5.3.39.tuxcare.5 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39.tuxcare.5" } ] } ], "dependencies": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39.tuxcare.5" } ] }