{
  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "serialNumber": "urn:uuid:b2d3b0ad-8f05-518d-a006-4093df186481",
  "version": 1,
  "metadata": {
    "tools": [
      {
        "name": "tuxcare-vex-generator",
        "version": "1.0.0"
      }
    ]
  },
  "components": [
    {
      "bom-ref": "pkg:maven/org.springframework/spring-jcl@6.1.20-tuxcare.4",
      "type": "library",
      "group": "org.springframework",
      "name": "spring-jcl",
      "version": "6.1.20-tuxcare.4",
      "purl": "pkg:maven/org.springframework/spring-jcl@6.1.20-tuxcare.4"
    }
  ],
  "vulnerabilities": [
    {
      "bom-ref": "urn:uuid:8dae7b28-36f0-525f-8a67-769ed1ca4435",
      "id": "CVE-2025-22233",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2025-22233 affects version 6.1.20-tuxcare.4 of org.springframework:spring-jcl."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-jcl@6.1.20-tuxcare.4"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:27cee3bf-d622-58e8-973d-91b9c8d8376f",
      "id": "CVE-2025-41234",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2025-41234 is fixed in version 6.1.20-tuxcare.4 of org.springframework:spring-jcl."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-jcl@6.1.20-tuxcare.4"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:163abc22-cf0c-594c-9b10-1e77205312d8",
      "id": "CVE-2025-41242",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2025-41242 affects version 6.1.20-tuxcare.4 of org.springframework:spring-jcl."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-jcl@6.1.20-tuxcare.4"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:878f7e0d-1b56-59d1-b9e3-f160251042cd",
      "id": "CVE-2025-41249",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2025-41249 affects version 6.1.20-tuxcare.4 of org.springframework:spring-jcl."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-jcl@6.1.20-tuxcare.4"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:00363d2c-3ad1-5c9e-b115-153cc01701e7",
      "id": "CVE-2025-41254",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2025-41254 affects version 6.1.20-tuxcare.4 of org.springframework:spring-jcl."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-jcl@6.1.20-tuxcare.4"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:7f87fcce-09be-5faf-96f1-405e311988fc",
      "id": "CVE-2026-22735",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2026-22735 is fixed in version 6.1.20-tuxcare.4 of org.springframework:spring-jcl."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-jcl@6.1.20-tuxcare.4"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:ec805a57-2862-5054-8b91-a962a9c6dfbe",
      "id": "CVE-2026-22737",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2026-22737 is fixed in version 6.1.20-tuxcare.4 of org.springframework:spring-jcl."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-jcl@6.1.20-tuxcare.4"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:e465aa52-4acb-5247-9c12-38a6299228e9",
      "id": "CVE-2026-22740",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2026-22740 is fixed in version 6.1.20-tuxcare.4 of org.springframework:spring-jcl."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-jcl@6.1.20-tuxcare.4"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:1c7a4d70-abaf-5e24-a3de-d44493c85b18",
      "id": "CVE-2026-22741",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2026-22741 is fixed in version 6.1.20-tuxcare.4 of org.springframework:spring-jcl."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-jcl@6.1.20-tuxcare.4"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:6aab183e-75ab-537d-842d-040f4a48c006",
      "id": "CVE-2026-22745",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2026-22745 is fixed in version 6.1.20-tuxcare.4 of org.springframework:spring-jcl."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-jcl@6.1.20-tuxcare.4"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:519ee96b-ecda-51cc-809b-c1f765e6cf6c",
      "id": "CVE-2026-41838",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-41838 affects version 6.1.20-tuxcare.4 of org.springframework:spring-jcl."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-jcl@6.1.20-tuxcare.4"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:47016fa7-3f51-5300-bd15-0e4d0a19e74f",
      "id": "CVE-2026-41839",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-41839 affects version 6.1.20-tuxcare.4 of org.springframework:spring-jcl."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-jcl@6.1.20-tuxcare.4"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:2ba4d4dc-a80e-5c46-8554-ff8543e8fa77",
      "id": "CVE-2026-41840",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2026-41840 does not affect version 6.1.20-tuxcare.4 of org.springframework:spring-jcl. Reason: already_fixed \u2014 Spring Framework 6.1.20-tuxcare.4 already contains both doOnDiscard handlers that prevent the multipart memory leak vulnerability. The fixes were applied via TuxCare backport commit a6b78f2a1c on May 19, 2026 under CVE-2026-22740, which appears to be the same vulnerability as CVE-2026-41840 or a closely related one."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-jcl@6.1.20-tuxcare.4"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:dc927030-b8d0-551d-bd3f-1cd047e45348",
      "id": "CVE-2026-41841",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-41841 affects version 6.1.20-tuxcare.4 of org.springframework:spring-jcl."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-jcl@6.1.20-tuxcare.4"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:a27ac6ad-2cf0-5ac5-99de-7dbf627633e1",
      "id": "CVE-2026-41842",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-41842 affects version 6.1.20-tuxcare.4 of org.springframework:spring-jcl."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-jcl@6.1.20-tuxcare.4"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:54d20869-b2d1-58dd-a30e-4bc76ebc624c",
      "id": "CVE-2026-41843",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-41843 affects version 6.1.20-tuxcare.4 of org.springframework:spring-jcl."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-jcl@6.1.20-tuxcare.4"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:beaa7371-fc34-5719-a61b-914d6b87503a",
      "id": "CVE-2026-41844",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-41844 affects version 6.1.20-tuxcare.4 of org.springframework:spring-jcl."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-jcl@6.1.20-tuxcare.4"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:68246351-13db-5240-b9e8-93a4977403e6",
      "id": "CVE-2026-41845",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-41845 affects version 6.1.20-tuxcare.4 of org.springframework:spring-jcl."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-jcl@6.1.20-tuxcare.4"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:072e5943-ce22-50f2-937a-ebbb86da49b4",
      "id": "CVE-2026-41846",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-41846 affects version 6.1.20-tuxcare.4 of org.springframework:spring-jcl."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-jcl@6.1.20-tuxcare.4"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:e2844f50-123e-5797-b129-b7ee29757695",
      "id": "CVE-2026-41848",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-41848 affects version 6.1.20-tuxcare.4 of org.springframework:spring-jcl."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-jcl@6.1.20-tuxcare.4"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:1495bd66-2c8d-5376-9379-04fe44ad871b",
      "id": "CVE-2026-41850",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-41850 affects version 6.1.20-tuxcare.4 of org.springframework:spring-jcl."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-jcl@6.1.20-tuxcare.4"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:2f9fb3d5-e8c3-5ad3-a208-b6cb3bc241b6",
      "id": "CVE-2026-41851",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-41851 affects version 6.1.20-tuxcare.4 of org.springframework:spring-jcl."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-jcl@6.1.20-tuxcare.4"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:5c0e6333-5424-56cb-bd36-77afc7aa2d81",
      "id": "CVE-2026-41852",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-41852 affects version 6.1.20-tuxcare.4 of org.springframework:spring-jcl."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-jcl@6.1.20-tuxcare.4"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:bf154dd5-d3aa-583d-ad95-110de1642368",
      "id": "CVE-2026-41853",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-41853 affects version 6.1.20-tuxcare.4 of org.springframework:spring-jcl."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-jcl@6.1.20-tuxcare.4"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:6c1e1572-e2bb-5dbb-9a0b-0eeb5b9c7848",
      "id": "CVE-2026-41855",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-41855 affects version 6.1.20-tuxcare.4 of org.springframework:spring-jcl."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-jcl@6.1.20-tuxcare.4"
        }
      ]
    }
  ],
  "dependencies": [
    {
      "ref": "pkg:maven/org.springframework/spring-jcl@6.1.20-tuxcare.4"
    }
  ]
}