{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:a0bb33e6-4bde-51bb-a89e-f90c4ece8d0a", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:maven/org.springframework/spring-orm@6.1.20-tuxcare.2", "type": "library", "group": "org.springframework", "name": "spring-orm", "version": "6.1.20-tuxcare.2", "purl": "pkg:maven/org.springframework/spring-orm@6.1.20-tuxcare.2" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:1bb5abc8-ff08-5302-9013-4874f5cf9b1a", "id": "CVE-2025-22233", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-22233 affects version 6.1.20-tuxcare.2 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@6.1.20-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:8c0b3af5-6884-5846-a16a-1a2060385bda", "id": "CVE-2025-41234", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-41234 is fixed in version 6.1.20-tuxcare.2 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@6.1.20-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:95f4c704-ba68-5bca-adb7-00e84d567098", "id": "CVE-2025-41242", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41242 affects version 6.1.20-tuxcare.2 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@6.1.20-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:926c3ff1-d056-5ee3-ab1f-bac6116f1d87", "id": "CVE-2025-41249", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41249 affects version 6.1.20-tuxcare.2 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@6.1.20-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:0b5c4da4-08d6-551b-b307-85b088178f47", "id": "CVE-2025-41254", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41254 affects version 6.1.20-tuxcare.2 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@6.1.20-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:425b365a-acb2-5f94-bcfa-209573ec6d27", "id": "CVE-2026-22735", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22735 is fixed in version 6.1.20-tuxcare.2 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@6.1.20-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:0bceca22-62a9-5526-9c79-2c74376beab0", "id": "CVE-2026-22737", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22737 affects version 6.1.20-tuxcare.2 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@6.1.20-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:e546ed27-7a2a-54ce-b9e7-64f5dc4adb01", "id": "CVE-2026-22740", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22740 is fixed in version 6.1.20-tuxcare.2 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@6.1.20-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:6fae9810-fe6b-500e-8540-a48a2b5316f0", "id": "CVE-2026-22741", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22741 affects version 6.1.20-tuxcare.2 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@6.1.20-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:5043eac8-79dd-5609-b21d-6dcf64e22a90", "id": "CVE-2026-22745", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22745 affects version 6.1.20-tuxcare.2 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@6.1.20-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:8d0b8d08-d273-58b3-bf68-f398eaed7c11", "id": "CVE-2026-41838", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41838 affects version 6.1.20-tuxcare.2 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@6.1.20-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:2a9a23f8-0459-58ad-8ad3-9bc855fe5011", "id": "CVE-2026-41839", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41839 affects version 6.1.20-tuxcare.2 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@6.1.20-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:34b8c0e9-b057-54e0-984d-277597dd68e8", "id": "CVE-2026-41840", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41840 does not affect version 6.1.20-tuxcare.2 of org.springframework:spring-orm. already_fixed \u2014 Spring Framework 6.1.20-tuxcare.4 already contains both doOnDiscard handlers that prevent the multipart memory leak vulnerability. The fixes were applied via TuxCare backport commit a6b78f2a1c on May 19, 2026 under CVE-2026-22740, which appears to be the same or closely related vulnerability as CVE-2026-41840." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@6.1.20-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:f18d10fe-9eb5-5fef-9f24-924ee4b46678", "id": "CVE-2026-41841", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41841 affects version 6.1.20-tuxcare.2 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@6.1.20-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:3ce5571e-abd2-595a-8969-5dba4df40fee", "id": "CVE-2026-41842", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41842 affects version 6.1.20-tuxcare.2 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@6.1.20-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:86a3cfa1-e529-5adf-9b30-ecd124bd5949", "id": "CVE-2026-41843", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41843 affects version 6.1.20-tuxcare.2 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@6.1.20-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:b00806c8-0f71-57de-bb57-b49363b0e15f", "id": "CVE-2026-41844", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41844 affects version 6.1.20-tuxcare.2 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@6.1.20-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:a1ccc310-6d62-5c6c-91ca-411894e1dc01", "id": "CVE-2026-41845", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41845 affects version 6.1.20-tuxcare.2 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@6.1.20-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:b8695c49-1e85-56a2-89a3-49d53733496b", "id": "CVE-2026-41846", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41846 affects version 6.1.20-tuxcare.2 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@6.1.20-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:3d7f3298-a4ff-5acf-9f48-f87ab8981765", "id": "CVE-2026-41848", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41848 affects version 6.1.20-tuxcare.2 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@6.1.20-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:91bf786f-f01b-5288-ba3d-acfec633423f", "id": "CVE-2026-41850", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41850 affects version 6.1.20-tuxcare.2 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@6.1.20-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:48b67718-169f-54f4-ac8c-59e33d32626e", "id": "CVE-2026-41851", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41851 affects version 6.1.20-tuxcare.2 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@6.1.20-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:d4ccb395-bee1-57b9-af80-ffdef4d25677", "id": "CVE-2026-41852", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41852 affects version 6.1.20-tuxcare.2 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@6.1.20-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:600427f9-ad83-5f4d-ac81-3ba96334163b", "id": "CVE-2026-41853", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41853 affects version 6.1.20-tuxcare.2 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@6.1.20-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:6dd94d51-3d46-5493-9c3e-1183cbf678b9", "id": "CVE-2026-41855", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41855 affects version 6.1.20-tuxcare.2 of org.springframework:spring-orm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-orm@6.1.20-tuxcare.2" } ] } ], "dependencies": [ { "ref": "pkg:maven/org.springframework/spring-orm@6.1.20-tuxcare.2" } ] }