{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:7ea8b839-137f-565f-bdde-4084fdd2323f", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:maven/org.springframework/spring-instrument@6.1.20-tuxcare.1", "type": "library", "group": "org.springframework", "name": "spring-instrument", "version": "6.1.20-tuxcare.1", "purl": "pkg:maven/org.springframework/spring-instrument@6.1.20-tuxcare.1" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:98035c4a-fa0b-5046-b41f-080969f94672", "id": "CVE-2025-22233", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-22233 affects version 6.1.20-tuxcare.1 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@6.1.20-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:1272a5ba-8f15-59cb-b333-8e76e05f96cb", "id": "CVE-2025-41234", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-41234 is fixed in version 6.1.20-tuxcare.1 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@6.1.20-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:065995cd-8d91-56b3-b2bb-30e98f1b226c", "id": "CVE-2025-41242", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41242 affects version 6.1.20-tuxcare.1 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@6.1.20-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:cb0a1179-dd8c-57d5-8d80-206d6b6d6b8d", "id": "CVE-2025-41249", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41249 affects version 6.1.20-tuxcare.1 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@6.1.20-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:ad1a9cc5-2557-5dee-b94b-e71ded2cdb08", "id": "CVE-2025-41254", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41254 affects version 6.1.20-tuxcare.1 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@6.1.20-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:173e81d3-d9cd-5dc6-87b9-a6b747d30935", "id": "CVE-2026-22735", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22735 affects version 6.1.20-tuxcare.1 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@6.1.20-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:ee3e8e60-9330-53bb-b0ba-913b84cfa405", "id": "CVE-2026-22737", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22737 affects version 6.1.20-tuxcare.1 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@6.1.20-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:0a93e017-faee-5e5e-aebe-32d3f25aaaf4", "id": "CVE-2026-22740", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22740 affects version 6.1.20-tuxcare.1 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@6.1.20-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:3e344576-3676-5a31-b77c-c8cd994066d1", "id": "CVE-2026-22741", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22741 affects version 6.1.20-tuxcare.1 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@6.1.20-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:377a7c8c-5653-5c4d-bb60-f9857250d968", "id": "CVE-2026-22745", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22745 affects version 6.1.20-tuxcare.1 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@6.1.20-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:d482d0e3-32c5-5018-a048-a2db5470cc2e", "id": "CVE-2026-41838", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41838 affects version 6.1.20-tuxcare.1 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@6.1.20-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:71626e83-828f-5b56-b575-1f8395c2fb66", "id": "CVE-2026-41839", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41839 affects version 6.1.20-tuxcare.1 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@6.1.20-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:0caccd16-654b-5324-b3f4-359f64d597fe", "id": "CVE-2026-41840", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41840 does not affect version 6.1.20-tuxcare.1 of org.springframework:spring-instrument. already_fixed \u2014 Spring Framework 6.1.20-tuxcare.4 already contains both doOnDiscard handlers that prevent the multipart memory leak vulnerability. The fixes were applied via TuxCare backport commit a6b78f2a1c on May 19, 2026 under CVE-2026-22740, which appears to be the same or closely related vulnerability as CVE-2026-41840." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@6.1.20-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:8a928598-a6ff-570b-ab92-7cd085f981a8", "id": "CVE-2026-41841", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41841 affects version 6.1.20-tuxcare.1 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@6.1.20-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:a14f36a6-3a47-576a-88fd-53e7ae2ff096", "id": "CVE-2026-41842", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41842 affects version 6.1.20-tuxcare.1 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@6.1.20-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:4059a456-72e5-54af-9530-7e4939aa2e5c", "id": "CVE-2026-41843", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41843 affects version 6.1.20-tuxcare.1 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@6.1.20-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:c480682c-5f0a-5b5d-91c2-5d4b04d20dd5", "id": "CVE-2026-41844", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41844 affects version 6.1.20-tuxcare.1 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@6.1.20-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:f82d81d2-cc0f-5cd6-8be1-35f9a95be7d9", "id": "CVE-2026-41845", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41845 affects version 6.1.20-tuxcare.1 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@6.1.20-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:e32e88e6-c834-5130-ba68-32c6c884acb2", "id": "CVE-2026-41846", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41846 affects version 6.1.20-tuxcare.1 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@6.1.20-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:9458cc5e-2b58-5325-a7f8-df67cf021947", "id": "CVE-2026-41848", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41848 affects version 6.1.20-tuxcare.1 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@6.1.20-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:d18a30c0-54fb-5d5a-8b8d-d327f5b4a1b3", "id": "CVE-2026-41850", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41850 affects version 6.1.20-tuxcare.1 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@6.1.20-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:d301e468-fc24-5de8-815c-1906f31562ae", "id": "CVE-2026-41851", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41851 affects version 6.1.20-tuxcare.1 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@6.1.20-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:5cd41882-9606-5c84-95f5-9dad088dd51b", "id": "CVE-2026-41852", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41852 affects version 6.1.20-tuxcare.1 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@6.1.20-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:255af346-2cae-5b7a-bd6e-fdfcbae4dd33", "id": "CVE-2026-41853", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41853 affects version 6.1.20-tuxcare.1 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@6.1.20-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:82062334-6fca-5c84-923d-75600408bf67", "id": "CVE-2026-41855", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41855 affects version 6.1.20-tuxcare.1 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@6.1.20-tuxcare.1" } ] } ], "dependencies": [ { "ref": "pkg:maven/org.springframework/spring-instrument@6.1.20-tuxcare.1" } ] }