{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:dc666b2e-8308-5ed8-a133-3fbfda29c951", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:maven/org.springframework/spring-instrument@6.1.20-tuxcare.2", "type": "library", "group": "org.springframework", "name": "spring-instrument", "version": "6.1.20-tuxcare.2", "purl": "pkg:maven/org.springframework/spring-instrument@6.1.20-tuxcare.2" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:a1be2fbe-ff1b-5272-8248-e18e783961cb", "id": "CVE-2025-22233", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-22233 affects version 6.1.20-tuxcare.2 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@6.1.20-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:e04ca065-cc10-5b56-b13e-33ab4c3929d6", "id": "CVE-2025-41234", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-41234 is fixed in version 6.1.20-tuxcare.2 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@6.1.20-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:e08a2073-aa2f-51ad-864f-bc6421b6307d", "id": "CVE-2025-41242", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41242 affects version 6.1.20-tuxcare.2 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@6.1.20-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:7a4a34a3-2e86-54fc-a13c-14defc5bc99a", "id": "CVE-2025-41249", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41249 affects version 6.1.20-tuxcare.2 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@6.1.20-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:a37f55fb-cc66-50f2-8c1e-dfc1c0980388", "id": "CVE-2025-41254", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41254 affects version 6.1.20-tuxcare.2 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@6.1.20-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:223003df-bddc-5340-9bff-9c695b0b286e", "id": "CVE-2026-22735", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22735 is fixed in version 6.1.20-tuxcare.2 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@6.1.20-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:8f6e9a74-a36b-5573-b311-1e7fece2eeae", "id": "CVE-2026-22737", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22737 affects version 6.1.20-tuxcare.2 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@6.1.20-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:d0b37c36-f0cb-542b-8408-2a5a2a2e94ad", "id": "CVE-2026-22740", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22740 is fixed in version 6.1.20-tuxcare.2 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@6.1.20-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:a04b50a7-ed6b-55a1-a5c9-564545dc0415", "id": "CVE-2026-22741", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22741 affects version 6.1.20-tuxcare.2 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@6.1.20-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:c29e7d0f-0b57-5e5a-8012-16a43cb095bc", "id": "CVE-2026-22745", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22745 affects version 6.1.20-tuxcare.2 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@6.1.20-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:cfd93b20-b29d-5a5e-93ee-bfd6ef885263", "id": "CVE-2026-41838", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41838 affects version 6.1.20-tuxcare.2 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@6.1.20-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:70640ef9-5685-5c22-b924-555ae15c6adb", "id": "CVE-2026-41839", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41839 affects version 6.1.20-tuxcare.2 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@6.1.20-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:7e209c98-b9d9-5ed2-bc7f-75a09e68efc0", "id": "CVE-2026-41840", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41840 does not affect version 6.1.20-tuxcare.2 of org.springframework:spring-instrument. already_fixed \u2014 Spring Framework 6.1.20-tuxcare.4 already contains both doOnDiscard handlers that prevent the multipart memory leak vulnerability. The fixes were applied via TuxCare backport commit a6b78f2a1c on May 19, 2026 under CVE-2026-22740, which appears to be the same or closely related vulnerability as CVE-2026-41840." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@6.1.20-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:a7d25925-278a-5689-ab0e-bb5b7906c6b3", "id": "CVE-2026-41841", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41841 affects version 6.1.20-tuxcare.2 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@6.1.20-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:87cf9420-83c5-557e-b015-6a952318e6e6", "id": "CVE-2026-41842", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41842 affects version 6.1.20-tuxcare.2 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@6.1.20-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:9c6186ad-0d90-5230-ac0f-487c14265531", "id": "CVE-2026-41843", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41843 affects version 6.1.20-tuxcare.2 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@6.1.20-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:896350e3-1c97-5aac-a1d5-7ee4dd6fe5a0", "id": "CVE-2026-41844", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41844 affects version 6.1.20-tuxcare.2 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@6.1.20-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:524ce898-6f58-5704-ab31-91e5ab56c844", "id": "CVE-2026-41845", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41845 affects version 6.1.20-tuxcare.2 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@6.1.20-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:def9507e-7b03-5f3e-984c-98c0c2fecd73", "id": "CVE-2026-41846", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41846 affects version 6.1.20-tuxcare.2 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@6.1.20-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:af95d786-a94d-5c40-a8c5-2f2bafa93391", "id": "CVE-2026-41848", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41848 affects version 6.1.20-tuxcare.2 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@6.1.20-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:b1c03701-7036-55e8-bb25-21f51275d6fb", "id": "CVE-2026-41850", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41850 affects version 6.1.20-tuxcare.2 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@6.1.20-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:c40e45f9-ce97-5286-b89e-4b042dddba33", "id": "CVE-2026-41851", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41851 affects version 6.1.20-tuxcare.2 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@6.1.20-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:890ff16f-233b-5abc-a892-73109992973d", "id": "CVE-2026-41852", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41852 affects version 6.1.20-tuxcare.2 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@6.1.20-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:9b1629bc-a2d3-5679-a227-721e1ace20de", "id": "CVE-2026-41853", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41853 affects version 6.1.20-tuxcare.2 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@6.1.20-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:96af99c8-a601-531d-b81d-a37e5dce30a4", "id": "CVE-2026-41855", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41855 affects version 6.1.20-tuxcare.2 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@6.1.20-tuxcare.2" } ] } ], "dependencies": [ { "ref": "pkg:maven/org.springframework/spring-instrument@6.1.20-tuxcare.2" } ] }