{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:2d8edee9-28ec-5372-a63f-e49c2518df30", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:maven/org.springframework/spring-jcl@6.1.20-tuxcare.3", "type": "library", "group": "org.springframework", "name": "spring-jcl", "version": "6.1.20-tuxcare.3", "purl": "pkg:maven/org.springframework/spring-jcl@6.1.20-tuxcare.3" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:d9c1786b-134b-5c50-9ab7-cbc92f22e450", "id": "CVE-2025-22233", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-22233 affects version 6.1.20-tuxcare.3 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@6.1.20-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:59b3ffc6-43a4-5f84-aa59-fd03596bf657", "id": "CVE-2025-41234", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-41234 is fixed in version 6.1.20-tuxcare.3 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@6.1.20-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:f7c337af-a8d0-5a2b-84c9-a673e76f61e0", "id": "CVE-2025-41242", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41242 affects version 6.1.20-tuxcare.3 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@6.1.20-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:52e1eb56-5e52-5f3f-9427-8dea00f98d2f", "id": "CVE-2025-41249", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41249 affects version 6.1.20-tuxcare.3 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@6.1.20-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:d4d78c5c-18b7-5fec-98b2-b8a3831521e7", "id": "CVE-2025-41254", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41254 affects version 6.1.20-tuxcare.3 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@6.1.20-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:d5301037-a8f8-521c-bc0d-bbeda73c32e5", "id": "CVE-2026-22735", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22735 is fixed in version 6.1.20-tuxcare.3 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@6.1.20-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:8c046a22-f1f2-53a3-a7ba-074114c8cf11", "id": "CVE-2026-22737", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22737 affects version 6.1.20-tuxcare.3 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@6.1.20-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:6dcb582a-0575-5832-96bb-12f4648200d9", "id": "CVE-2026-22740", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22740 is fixed in version 6.1.20-tuxcare.3 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@6.1.20-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:094bea09-1598-5ba9-8a3f-6b7572b30be4", "id": "CVE-2026-22741", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22741 is fixed in version 6.1.20-tuxcare.3 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@6.1.20-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:c801cca0-4fc4-5cb2-b61b-813b230fdc26", "id": "CVE-2026-22745", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22745 is fixed in version 6.1.20-tuxcare.3 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@6.1.20-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:22d79345-278d-5866-b87d-e7fa51fdec4c", "id": "CVE-2026-41838", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41838 affects version 6.1.20-tuxcare.3 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@6.1.20-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:9514dfbc-5b4f-56f2-872d-864db2feb607", "id": "CVE-2026-41839", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41839 affects version 6.1.20-tuxcare.3 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@6.1.20-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:bd4ca5e0-a9ac-5545-85a6-58a782bb15b8", "id": "CVE-2026-41840", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41840 does not affect version 6.1.20-tuxcare.3 of org.springframework:spring-jcl. already_fixed \u2014 Spring Framework 6.1.20-tuxcare.4 already contains both doOnDiscard handlers that prevent the multipart memory leak vulnerability. The fixes were applied via TuxCare backport commit a6b78f2a1c on May 19, 2026 under CVE-2026-22740, which appears to be the same or closely related vulnerability as CVE-2026-41840." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@6.1.20-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:9ac5ff6d-f87e-59de-af67-b85ddc750e6c", "id": "CVE-2026-41841", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41841 affects version 6.1.20-tuxcare.3 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@6.1.20-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:6d4e490c-c8ec-560d-86bb-b26cb51bc37c", "id": "CVE-2026-41842", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41842 affects version 6.1.20-tuxcare.3 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@6.1.20-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:204a6d6c-eae9-5677-8e17-b0017bd45260", "id": "CVE-2026-41843", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41843 affects version 6.1.20-tuxcare.3 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@6.1.20-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:ee9cd90e-1dcf-5623-8768-52153aa8e27e", "id": "CVE-2026-41844", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41844 affects version 6.1.20-tuxcare.3 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@6.1.20-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:9167e8f0-02df-50cf-ac3c-7366785aaa25", "id": "CVE-2026-41845", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41845 affects version 6.1.20-tuxcare.3 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@6.1.20-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:da67a625-a26d-51d9-97f8-38e2ac07477e", "id": "CVE-2026-41846", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41846 affects version 6.1.20-tuxcare.3 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@6.1.20-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:b22adfb3-6a2c-5c62-9923-4c34b2ab7dca", "id": "CVE-2026-41848", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41848 affects version 6.1.20-tuxcare.3 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@6.1.20-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:b4a9ee58-0279-5c0c-bb7b-713f14b3c662", "id": "CVE-2026-41850", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41850 affects version 6.1.20-tuxcare.3 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@6.1.20-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:f2da2c7c-2de8-5f26-b0b3-b6dae665c865", "id": "CVE-2026-41851", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41851 affects version 6.1.20-tuxcare.3 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@6.1.20-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:0730713b-7d46-592b-9107-1897800d0ba0", "id": "CVE-2026-41852", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41852 affects version 6.1.20-tuxcare.3 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@6.1.20-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:0b7d02e7-84c0-520b-9ba0-a1f4e2387ce1", "id": "CVE-2026-41853", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41853 affects version 6.1.20-tuxcare.3 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@6.1.20-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:c25a2e60-a227-5fe8-aa65-4eefc9353751", "id": "CVE-2026-41855", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41855 affects version 6.1.20-tuxcare.3 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@6.1.20-tuxcare.3" } ] } ], "dependencies": [ { "ref": "pkg:maven/org.springframework/spring-jcl@6.1.20-tuxcare.3" } ] }