{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:f52ff6ec-295d-57e6-9f9e-aa0dc337f38a", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:maven/org.springframework/spring-oxm@5.3.39-tuxcare.12", "type": "library", "group": "org.springframework", "name": "spring-oxm", "version": "5.3.39-tuxcare.12", "purl": "pkg:maven/org.springframework/spring-oxm@5.3.39-tuxcare.12" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:ee3cbc57-284f-53d7-83cb-4ddcd3c2869d", "id": "CVE-2016-1000027", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2016-1000027 affects version 5.3.39-tuxcare.12 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39-tuxcare.12" } ] }, { "bom-ref": "urn:uuid:b180e514-09b6-5b85-b515-3378ce78897f", "id": "CVE-2022-22968", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2022-22968 does not affect version 5.3.39-tuxcare.12 of org.springframework:spring-oxm. Spring version 5.3.39 is not affected to CVE-2022-22968 as fix has been already already backported by the original developers" }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39-tuxcare.12" } ] }, { "bom-ref": "urn:uuid:5c26efce-b19a-50fa-a756-1ebf2c013215", "id": "CVE-2024-38816", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38816 is fixed in version 5.3.39-tuxcare.12 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39-tuxcare.12" } ] }, { "bom-ref": "urn:uuid:36e9819f-919f-5b82-a632-935d8b22b8a7", "id": "CVE-2024-38819", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38819 is fixed in version 5.3.39-tuxcare.12 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39-tuxcare.12" } ] }, { "bom-ref": "urn:uuid:1addf773-7f85-5f02-99dc-0fd250bb2f0f", "id": "CVE-2024-38820", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38820 is fixed in version 5.3.39-tuxcare.12 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39-tuxcare.12" } ] }, { "bom-ref": "urn:uuid:7c558fea-dfc6-55c9-a799-73798c6660e7", "id": "CVE-2024-38828", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38828 is fixed in version 5.3.39-tuxcare.12 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39-tuxcare.12" } ] }, { "bom-ref": "urn:uuid:1a42a10e-d72f-5539-8bbe-69389a0d0b38", "id": "CVE-2025-22233", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-22233 is fixed in version 5.3.39-tuxcare.12 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39-tuxcare.12" } ] }, { "bom-ref": "urn:uuid:99598d78-b495-59c5-b248-f62b08138a20", "id": "CVE-2025-41234", "analysis": { "state": "false_positive", "detail": "Vulnerability CVE-2025-41234 is a false positive for org.springframework:spring-oxm 5.3.39-tuxcare.12." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39-tuxcare.12" } ] }, { "bom-ref": "urn:uuid:37dc61fa-c243-5264-8dbf-d954031746eb", "id": "CVE-2025-41242", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-41242 is fixed in version 5.3.39-tuxcare.12 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39-tuxcare.12" } ] }, { "bom-ref": "urn:uuid:1bb28623-e7c5-59d6-a685-4deb047ac0e6", "id": "CVE-2025-41249", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-41249 is fixed in version 5.3.39-tuxcare.12 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39-tuxcare.12" } ] }, { "bom-ref": "urn:uuid:b36c141b-09dd-50fc-b89f-0e0d880ba5ff", "id": "CVE-2025-41254", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-41254 is fixed in version 5.3.39-tuxcare.12 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39-tuxcare.12" } ] }, { "bom-ref": "urn:uuid:74cd035c-d85c-5522-bbc0-a3d2045a23ef", "id": "CVE-2026-22735", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22735 is fixed in version 5.3.39-tuxcare.12 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39-tuxcare.12" } ] }, { "bom-ref": "urn:uuid:32b10cf0-c5cb-5766-864a-9cec61589359", "id": "CVE-2026-22737", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22737 is fixed in version 5.3.39-tuxcare.12 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39-tuxcare.12" } ] }, { "bom-ref": "urn:uuid:931b71c6-20ee-5bee-9c56-0959ce079086", "id": "CVE-2026-22740", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22740 is fixed in version 5.3.39-tuxcare.12 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39-tuxcare.12" } ] }, { "bom-ref": "urn:uuid:990c5a11-0881-545f-be4d-38e33915ad64", "id": "CVE-2026-22741", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22741 is fixed in version 5.3.39-tuxcare.12 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39-tuxcare.12" } ] }, { "bom-ref": "urn:uuid:a49e13ad-c17e-5855-9d23-9bbf977e9b8e", "id": "CVE-2026-22745", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22745 is fixed in version 5.3.39-tuxcare.12 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39-tuxcare.12" } ] }, { "bom-ref": "urn:uuid:a2f9646e-58d1-5e10-962e-48421a80247a", "id": "CVE-2026-41838", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41838 affects version 5.3.39-tuxcare.12 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39-tuxcare.12" } ] }, { "bom-ref": "urn:uuid:0b9756fa-fffb-5168-be04-d13730a478b2", "id": "CVE-2026-41839", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41839 affects version 5.3.39-tuxcare.12 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39-tuxcare.12" } ] }, { "bom-ref": "urn:uuid:026a5b9c-a643-5e62-beb3-5a47be739623", "id": "CVE-2026-41840", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41840 does not affect version 5.3.39-tuxcare.12 of org.springframework:spring-oxm. already_fixed \u2014 The target Spring Framework 5.3.39-tuxcare.12 already contains both vendor fixes for CVE-2026-41840. The fixes were backported via commit 4ef4cdca34 (May 13, 2026) under CVE-2026-22740, but the code changes are identical to the upstream patches. Both doOnDiscard handlers are present and active in PartGenerator.java and MultipartHttpMessageReader.java, preventing memory exhaustion from unrelease..." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39-tuxcare.12" } ] }, { "bom-ref": "urn:uuid:46abdb0d-3360-50fc-a5a6-b2db4de25239", "id": "CVE-2026-41841", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41841 affects version 5.3.39-tuxcare.12 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39-tuxcare.12" } ] }, { "bom-ref": "urn:uuid:d4f00676-026c-5ad0-a7fc-2f4f9f0e31b4", "id": "CVE-2026-41842", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41842 affects version 5.3.39-tuxcare.12 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39-tuxcare.12" } ] }, { "bom-ref": "urn:uuid:421d78f8-f6c2-5721-8e22-7d7f8a003124", "id": "CVE-2026-41843", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41843 affects version 5.3.39-tuxcare.12 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39-tuxcare.12" } ] }, { "bom-ref": "urn:uuid:3a5d73ef-a263-5d52-b60d-148320cd1051", "id": "CVE-2026-41844", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41844 affects version 5.3.39-tuxcare.12 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39-tuxcare.12" } ] }, { "bom-ref": "urn:uuid:2c2fef45-6730-5475-88e7-d15c6aa10e40", "id": "CVE-2026-41845", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41845 affects version 5.3.39-tuxcare.12 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39-tuxcare.12" } ] }, { "bom-ref": "urn:uuid:0be53eec-c04e-5d6f-a82f-3d719f04c403", "id": "CVE-2026-41846", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41846 affects version 5.3.39-tuxcare.12 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39-tuxcare.12" } ] }, { "bom-ref": "urn:uuid:33f94548-95a5-591e-89c9-9853b427a6ca", "id": "CVE-2026-41847", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41847 affects version 5.3.39-tuxcare.12 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39-tuxcare.12" } ] }, { "bom-ref": "urn:uuid:a6d9e116-2b50-5fd0-8c2e-568b57eae6d4", "id": "CVE-2026-41848", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41848 affects version 5.3.39-tuxcare.12 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39-tuxcare.12" } ] }, { "bom-ref": "urn:uuid:2ac23fe6-b3e6-5a1c-abc7-e99550b2f412", "id": "CVE-2026-41849", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41849 affects version 5.3.39-tuxcare.12 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39-tuxcare.12" } ] }, { "bom-ref": "urn:uuid:ba902113-512e-5330-a748-49fb9dfe452a", "id": "CVE-2026-41850", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41850 affects version 5.3.39-tuxcare.12 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39-tuxcare.12" } ] }, { "bom-ref": "urn:uuid:a29cc0a3-0465-5933-9f91-12bbcaa93832", "id": "CVE-2026-41851", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41851 affects version 5.3.39-tuxcare.12 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39-tuxcare.12" } ] }, { "bom-ref": "urn:uuid:6505c7fc-b9bd-5074-8d29-ed7aca0745e4", "id": "CVE-2026-41852", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41852 affects version 5.3.39-tuxcare.12 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39-tuxcare.12" } ] }, { "bom-ref": "urn:uuid:c5aa2dd0-fd8a-5fbc-a897-a01914d0d156", "id": "CVE-2026-41853", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41853 affects version 5.3.39-tuxcare.12 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39-tuxcare.12" } ] }, { "bom-ref": "urn:uuid:9846423d-a2ff-5c2d-a4cf-9fc199961708", "id": "CVE-2026-41855", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41855 affects version 5.3.39-tuxcare.12 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39-tuxcare.12" } ] } ], "dependencies": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39-tuxcare.12" } ] }