{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:44506840-e111-595f-86d9-3c05593b8adc", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:maven/org.springframework/spring-jcl@6.1.20-tuxcare.1", "type": "library", "group": "org.springframework", "name": "spring-jcl", "version": "6.1.20-tuxcare.1", "purl": "pkg:maven/org.springframework/spring-jcl@6.1.20-tuxcare.1" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:c4762faf-e805-5ec2-8f38-902edd2f7564", "id": "CVE-2025-22233", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-22233 affects version 6.1.20-tuxcare.1 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@6.1.20-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:543a8c3d-2838-5d09-aa7a-ad338f0b6fbc", "id": "CVE-2025-41234", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-41234 is fixed in version 6.1.20-tuxcare.1 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@6.1.20-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:da81c5dd-bb78-532b-b18c-c3ccb035b782", "id": "CVE-2025-41242", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41242 affects version 6.1.20-tuxcare.1 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@6.1.20-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:0c646d3e-26d2-596a-a68e-e931246fb5f4", "id": "CVE-2025-41249", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41249 affects version 6.1.20-tuxcare.1 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@6.1.20-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:10051d30-4a5e-5ab6-b78e-4e90c617d8d6", "id": "CVE-2025-41254", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41254 affects version 6.1.20-tuxcare.1 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@6.1.20-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:58f02621-d6db-56e7-a9cb-4e20bd28ecc3", "id": "CVE-2026-22735", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22735 affects version 6.1.20-tuxcare.1 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@6.1.20-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:deb33284-969b-593e-af36-04f44af121bc", "id": "CVE-2026-22737", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22737 affects version 6.1.20-tuxcare.1 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@6.1.20-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:e7c98bcb-8464-5040-b288-49683698a76b", "id": "CVE-2026-22740", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22740 affects version 6.1.20-tuxcare.1 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@6.1.20-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:f105e3d8-2eee-530e-ac4f-0194aa5aafee", "id": "CVE-2026-22741", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22741 affects version 6.1.20-tuxcare.1 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@6.1.20-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:4795b6ed-a4af-568c-99a0-911219ce4e91", "id": "CVE-2026-22745", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22745 affects version 6.1.20-tuxcare.1 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@6.1.20-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:cbd60e91-4637-5759-ac31-bb58ab5e94bf", "id": "CVE-2026-41838", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41838 affects version 6.1.20-tuxcare.1 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@6.1.20-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:a86a3c21-8605-50ad-8301-4e977cb83a75", "id": "CVE-2026-41839", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41839 affects version 6.1.20-tuxcare.1 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@6.1.20-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:03d52fa2-3110-5553-8659-eadbc4b5cce8", "id": "CVE-2026-41840", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41840 does not affect version 6.1.20-tuxcare.1 of org.springframework:spring-jcl. already_fixed \u2014 Spring Framework 6.1.20-tuxcare.4 already contains both doOnDiscard handlers that prevent the multipart memory leak vulnerability. The fixes were applied via TuxCare backport commit a6b78f2a1c on May 19, 2026 under CVE-2026-22740, which appears to be the same or closely related vulnerability as CVE-2026-41840." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@6.1.20-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:4df77552-3c2e-5cab-8bc0-e5ed63d007c8", "id": "CVE-2026-41841", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41841 affects version 6.1.20-tuxcare.1 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@6.1.20-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:70f99a54-bcc6-5dce-a4b2-25d5033406eb", "id": "CVE-2026-41842", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41842 affects version 6.1.20-tuxcare.1 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@6.1.20-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:6a7e4ff6-7ec5-5fda-be18-6818b16fce2f", "id": "CVE-2026-41843", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41843 affects version 6.1.20-tuxcare.1 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@6.1.20-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:b4bef83e-e7ca-5d1c-842b-7730aa5573bd", "id": "CVE-2026-41844", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41844 affects version 6.1.20-tuxcare.1 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@6.1.20-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:00ea7ebb-1fbf-5e45-a2f4-a20f077b3410", "id": "CVE-2026-41845", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41845 affects version 6.1.20-tuxcare.1 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@6.1.20-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:4d9f3be8-aa54-5e0c-b0ab-48cc6f4f60c1", "id": "CVE-2026-41846", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41846 affects version 6.1.20-tuxcare.1 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@6.1.20-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:a7341882-f953-55a7-a305-4e8b130f707b", "id": "CVE-2026-41848", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41848 affects version 6.1.20-tuxcare.1 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@6.1.20-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:b10b6a77-5719-5129-9d18-2486eef6567a", "id": "CVE-2026-41850", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41850 affects version 6.1.20-tuxcare.1 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@6.1.20-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:70214b2b-8ba0-58be-a176-eda27b3a4655", "id": "CVE-2026-41851", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41851 affects version 6.1.20-tuxcare.1 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@6.1.20-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:0a8752fa-868f-5623-b5e2-2af524570046", "id": "CVE-2026-41852", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41852 affects version 6.1.20-tuxcare.1 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@6.1.20-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:3c4a9a3c-42a1-5f2e-a736-f3fcd043b88c", "id": "CVE-2026-41853", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41853 affects version 6.1.20-tuxcare.1 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@6.1.20-tuxcare.1" } ] }, { "bom-ref": "urn:uuid:94408591-8fb8-5503-9ae9-13aa0be12dac", "id": "CVE-2026-41855", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41855 affects version 6.1.20-tuxcare.1 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@6.1.20-tuxcare.1" } ] } ], "dependencies": [ { "ref": "pkg:maven/org.springframework/spring-jcl@6.1.20-tuxcare.1" } ] }