{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:472260d9-1c33-5523-9150-06bae5ac4db2", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:maven/org.springframework/spring-messaging@5.3.39.tuxcare.6", "type": "library", "group": "org.springframework", "name": "spring-messaging", "version": "5.3.39.tuxcare.6", "purl": "pkg:maven/org.springframework/spring-messaging@5.3.39.tuxcare.6" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:22556e5f-d4e0-5040-ad00-042bbbfc2166", "id": "CVE-2016-1000027", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2016-1000027 affects version 5.3.39.tuxcare.6 of org.springframework:spring-messaging." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:9d09222a-13be-598a-9103-cf5827fe19ae", "id": "CVE-2022-22968", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2022-22968 does not affect version 5.3.39.tuxcare.6 of org.springframework:spring-messaging. Spring version 5.3.39 is not affected to CVE-2022-22968 as fix has been already already backported by the original developers" }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:0553ec80-2dd7-5663-96b0-b5e30bc45c72", "id": "CVE-2024-38816", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38816 is fixed in version 5.3.39.tuxcare.6 of org.springframework:spring-messaging." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:9c4bf42b-e937-5765-baa7-6d0b854943db", "id": "CVE-2024-38819", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38819 is fixed in version 5.3.39.tuxcare.6 of org.springframework:spring-messaging." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:edfcd242-dc2a-5fa0-b3db-292d56261079", "id": "CVE-2024-38820", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38820 is fixed in version 5.3.39.tuxcare.6 of org.springframework:spring-messaging." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:fd332f63-fb0e-5256-aa68-b2a58eaccde1", "id": "CVE-2024-38828", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38828 is fixed in version 5.3.39.tuxcare.6 of org.springframework:spring-messaging." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:fa0da3e6-1f05-5788-b573-982354c1de96", "id": "CVE-2025-22233", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-22233 is fixed in version 5.3.39.tuxcare.6 of org.springframework:spring-messaging." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:6fb92be5-898c-55a1-b75a-e99aa66acbba", "id": "CVE-2025-41234", "analysis": { "state": "false_positive", "detail": "Vulnerability CVE-2025-41234 is a false positive for org.springframework:spring-messaging 5.3.39.tuxcare.6." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:271830cb-5776-5fde-ac19-7c303eedab4d", "id": "CVE-2025-41242", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41242 affects version 5.3.39.tuxcare.6 of org.springframework:spring-messaging." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:89f6f602-72fc-51f6-828e-4a9a31a25c41", "id": "CVE-2025-41249", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41249 affects version 5.3.39.tuxcare.6 of org.springframework:spring-messaging." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:e32e933a-0d9a-5570-8ed0-3f5ab4de3a2c", "id": "CVE-2025-41254", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41254 affects version 5.3.39.tuxcare.6 of org.springframework:spring-messaging." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:03058df1-0c3b-5b3f-9fb9-b6222ec3a03e", "id": "CVE-2026-22735", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22735 affects version 5.3.39.tuxcare.6 of org.springframework:spring-messaging." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:8fc6fc1f-445d-5fa8-9042-2d5df9a7e9cf", "id": "CVE-2026-22737", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22737 affects version 5.3.39.tuxcare.6 of org.springframework:spring-messaging." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:25642131-d4ec-572b-99a2-f99e90e70a2a", "id": "CVE-2026-22740", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22740 affects version 5.3.39.tuxcare.6 of org.springframework:spring-messaging." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:a7bc3bf1-ce5c-53dd-8c9b-0b0e1eb76fb5", "id": "CVE-2026-22741", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22741 affects version 5.3.39.tuxcare.6 of org.springframework:spring-messaging." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:9f5893dd-01b2-5092-af61-ede310dba80b", "id": "CVE-2026-22745", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22745 affects version 5.3.39.tuxcare.6 of org.springframework:spring-messaging." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:00365c85-f2a0-598e-a840-e12108185613", "id": "CVE-2026-41838", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41838 affects version 5.3.39.tuxcare.6 of org.springframework:spring-messaging." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:4af3f247-ae6e-52a9-952f-ead145a48700", "id": "CVE-2026-41839", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41839 affects version 5.3.39.tuxcare.6 of org.springframework:spring-messaging." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:b8ef70f3-99a9-5c7f-ae6c-faa0f1a73fe3", "id": "CVE-2026-41840", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41840 does not affect version 5.3.39.tuxcare.6 of org.springframework:spring-messaging. already_fixed \u2014 The target Spring Framework 5.3.39-tuxcare.12 already contains both vendor fixes for CVE-2026-41840. The fixes were backported via commit 4ef4cdca34 (May 13, 2026) under CVE-2026-22740, but the code changes are identical to the upstream patches. Both doOnDiscard handlers are present and active in PartGenerator.java and MultipartHttpMessageReader.java, preventing memory exhaustion from unrelease..." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:1998c1b8-1815-5244-bd3d-3faf7b4068da", "id": "CVE-2026-41841", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41841 affects version 5.3.39.tuxcare.6 of org.springframework:spring-messaging." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:110808a9-dd34-51a4-8059-fc2e9ae0a776", "id": "CVE-2026-41842", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41842 affects version 5.3.39.tuxcare.6 of org.springframework:spring-messaging." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:8fbaa3cb-d2ad-5be9-917a-c5f7f3da4c7b", "id": "CVE-2026-41843", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41843 affects version 5.3.39.tuxcare.6 of org.springframework:spring-messaging." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:1a3a8baf-7713-51d3-a5ba-7483664477e9", "id": "CVE-2026-41844", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41844 affects version 5.3.39.tuxcare.6 of org.springframework:spring-messaging." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:7e3ad54b-997b-5a2a-ba0f-5a0078df6323", "id": "CVE-2026-41845", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41845 affects version 5.3.39.tuxcare.6 of org.springframework:spring-messaging." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:1013ba98-d25f-58ec-975c-f822c0b7e94e", "id": "CVE-2026-41846", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41846 affects version 5.3.39.tuxcare.6 of org.springframework:spring-messaging." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:b340a3a8-26f2-5f3e-a93e-d1af20fc4271", "id": "CVE-2026-41847", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41847 affects version 5.3.39.tuxcare.6 of org.springframework:spring-messaging." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:f683f43c-7662-5832-8040-8ed6021b9f39", "id": "CVE-2026-41848", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41848 affects version 5.3.39.tuxcare.6 of org.springframework:spring-messaging." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:4fad5281-f798-59a6-958b-7553bcc1d20f", "id": "CVE-2026-41849", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41849 affects version 5.3.39.tuxcare.6 of org.springframework:spring-messaging." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:c816cea3-fb5a-55ba-9b5f-b3cbf5681def", "id": "CVE-2026-41850", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41850 affects version 5.3.39.tuxcare.6 of org.springframework:spring-messaging." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:41f4434a-004b-54bc-b2a2-106436562601", "id": "CVE-2026-41851", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41851 affects version 5.3.39.tuxcare.6 of org.springframework:spring-messaging." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:842dae7b-f0f6-59a6-b67c-0c5819afd54d", "id": "CVE-2026-41852", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41852 affects version 5.3.39.tuxcare.6 of org.springframework:spring-messaging." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:00f9a4f5-a53c-52b7-bab4-d786b989972f", "id": "CVE-2026-41853", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41853 affects version 5.3.39.tuxcare.6 of org.springframework:spring-messaging." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:bda4a47b-76d7-5860-9236-f26d8ad0d355", "id": "CVE-2026-41855", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41855 affects version 5.3.39.tuxcare.6 of org.springframework:spring-messaging." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-messaging@5.3.39.tuxcare.6" } ] } ], "dependencies": [ { "ref": "pkg:maven/org.springframework/spring-messaging@5.3.39.tuxcare.6" } ] }