{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:17fff081-6e7e-5715-b714-8fc649c2d379", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:maven/org.springframework/spring-oxm@5.3.39-tuxcare.7", "type": "library", "group": "org.springframework", "name": "spring-oxm", "version": "5.3.39-tuxcare.7", "purl": "pkg:maven/org.springframework/spring-oxm@5.3.39-tuxcare.7" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:3be3b128-bbb8-5087-8686-b42c96932a35", "id": "CVE-2016-1000027", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2016-1000027 affects version 5.3.39-tuxcare.7 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:6bfff434-d534-54ba-965f-a6be7cd4d7bd", "id": "CVE-2022-22968", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2022-22968 does not affect version 5.3.39-tuxcare.7 of org.springframework:spring-oxm. Spring version 5.3.39 is not affected to CVE-2022-22968 as fix has been already already backported by the original developers" }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:2e154825-75c6-532f-b44f-43b3cb8c8e5c", "id": "CVE-2024-38816", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38816 is fixed in version 5.3.39-tuxcare.7 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:8322c708-e5ee-5b05-bf99-720d2b8aed4b", "id": "CVE-2024-38819", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38819 is fixed in version 5.3.39-tuxcare.7 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:d3b2052d-4ed7-53a5-bc2a-f74700a8645b", "id": "CVE-2024-38820", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38820 is fixed in version 5.3.39-tuxcare.7 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:11f99f5c-a2b0-56d5-bda1-c6a677eaff0f", "id": "CVE-2024-38828", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38828 is fixed in version 5.3.39-tuxcare.7 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:5f2c0c6e-9b0c-5cf5-9a33-49c7876d0b03", "id": "CVE-2025-22233", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-22233 is fixed in version 5.3.39-tuxcare.7 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:56673bd0-24f0-5958-8e1c-ffdf4d232039", "id": "CVE-2025-41234", "analysis": { "state": "false_positive", "detail": "Vulnerability CVE-2025-41234 is a false positive for org.springframework:spring-oxm 5.3.39-tuxcare.7." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:c44ac3dc-ac3e-5897-a198-24a99c5640f9", "id": "CVE-2025-41242", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-41242 is fixed in version 5.3.39-tuxcare.7 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:3a179ab4-381e-5726-8783-0cd1d5028030", "id": "CVE-2025-41249", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41249 affects version 5.3.39-tuxcare.7 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:b8ce3d59-3373-59a8-8fb7-d7afc0b09c35", "id": "CVE-2025-41254", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41254 affects version 5.3.39-tuxcare.7 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:9277b3fd-eb13-5f65-85b7-adaa4a720752", "id": "CVE-2026-22735", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22735 affects version 5.3.39-tuxcare.7 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:709ba5b3-a4b2-52d6-b0dd-6655f81c4cd0", "id": "CVE-2026-22737", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22737 affects version 5.3.39-tuxcare.7 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:6c71c77e-6a32-5bea-b0b6-ea638bb93d28", "id": "CVE-2026-22740", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22740 affects version 5.3.39-tuxcare.7 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:d7a1e272-96ac-5492-8395-fab569290f2f", "id": "CVE-2026-22741", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22741 affects version 5.3.39-tuxcare.7 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:376cfb0c-5c83-535c-85e5-239d377fe9b7", "id": "CVE-2026-22745", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22745 affects version 5.3.39-tuxcare.7 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:63eb7397-381c-51be-b47d-a907ee98c922", "id": "CVE-2026-41838", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41838 affects version 5.3.39-tuxcare.7 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:238c65c4-21d3-562b-aa4d-a92cbea3d12e", "id": "CVE-2026-41839", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41839 affects version 5.3.39-tuxcare.7 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:ed405662-121e-5419-8120-6184f962865f", "id": "CVE-2026-41840", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41840 does not affect version 5.3.39-tuxcare.7 of org.springframework:spring-oxm. already_fixed \u2014 The target Spring Framework 5.3.39-tuxcare.12 already contains both vendor fixes for CVE-2026-41840. The fixes were backported via commit 4ef4cdca34 (May 13, 2026) under CVE-2026-22740, but the code changes are identical to the upstream patches. Both doOnDiscard handlers are present and active in PartGenerator.java and MultipartHttpMessageReader.java, preventing memory exhaustion from unrelease..." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:cd0b1227-a92d-54f7-9b77-b5039237044e", "id": "CVE-2026-41841", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41841 affects version 5.3.39-tuxcare.7 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:4fe0a11e-5022-597d-9d63-847770895f5c", "id": "CVE-2026-41842", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41842 affects version 5.3.39-tuxcare.7 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:7b8d075d-c4e7-5d7f-b81a-dedb3d95080f", "id": "CVE-2026-41843", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41843 affects version 5.3.39-tuxcare.7 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:e4fc51af-8715-535a-a10c-a8e35d562099", "id": "CVE-2026-41844", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41844 affects version 5.3.39-tuxcare.7 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:e6e42c0c-0e5e-526e-bc61-b1c9479810de", "id": "CVE-2026-41845", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41845 affects version 5.3.39-tuxcare.7 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:1ea82dde-19a5-5600-a3b8-b667bdad2750", "id": "CVE-2026-41846", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41846 affects version 5.3.39-tuxcare.7 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:7cf978c4-b17a-5fa8-ba36-df31ceb4d5df", "id": "CVE-2026-41847", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41847 affects version 5.3.39-tuxcare.7 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:d849e0fd-dd8e-54e3-89eb-6d7f67f26d01", "id": "CVE-2026-41848", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41848 affects version 5.3.39-tuxcare.7 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:b8b512e8-fb6e-5855-aabb-a749d0bdb26d", "id": "CVE-2026-41849", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41849 affects version 5.3.39-tuxcare.7 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:745a441b-4131-5bb6-bce6-af2833e42338", "id": "CVE-2026-41850", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41850 affects version 5.3.39-tuxcare.7 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:41d504ef-e523-5fd9-8684-fdd58c9671e5", "id": "CVE-2026-41851", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41851 affects version 5.3.39-tuxcare.7 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:c47cdde3-27dc-533b-9529-359efa590bdc", "id": "CVE-2026-41852", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41852 affects version 5.3.39-tuxcare.7 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:7d8d4ff5-5e74-5064-86df-bed42220e197", "id": "CVE-2026-41853", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41853 affects version 5.3.39-tuxcare.7 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:18d5f114-f889-522e-9c20-dcf2e26b947a", "id": "CVE-2026-41855", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41855 affects version 5.3.39-tuxcare.7 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39-tuxcare.7" } ] } ], "dependencies": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39-tuxcare.7" } ] }