{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:d77079ed-e9fa-5870-a17c-3473768dc74c", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:maven/org.springframework/spring-oxm@5.3.39.tuxcare.1", "type": "library", "group": "org.springframework", "name": "spring-oxm", "version": "5.3.39.tuxcare.1", "purl": "pkg:maven/org.springframework/spring-oxm@5.3.39.tuxcare.1" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:0542c050-e909-5296-ac9a-2a689fa2faff", "id": "CVE-2016-1000027", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2016-1000027 affects version 5.3.39.tuxcare.1 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:5a564635-a03c-5def-b0f9-fe2d5e4ca5ef", "id": "CVE-2022-22968", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2022-22968 does not affect version 5.3.39.tuxcare.1 of org.springframework:spring-oxm. Spring version 5.3.39 is not affected to CVE-2022-22968 as fix has been already already backported by the original developers" }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:0068e04c-deac-5f8f-8640-d0bdd4e49d5f", "id": "CVE-2024-38816", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38816 is fixed in version 5.3.39.tuxcare.1 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:9754b1f2-3f85-5213-a35a-ca12c59e573b", "id": "CVE-2024-38819", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38819 affects version 5.3.39.tuxcare.1 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:65baec32-3270-503c-aa29-4c5a65c403b2", "id": "CVE-2024-38820", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38820 affects version 5.3.39.tuxcare.1 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:7310a2f2-1fcc-5dca-a3e2-d4b8c5addc90", "id": "CVE-2024-38828", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38828 affects version 5.3.39.tuxcare.1 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:62cee25d-1faf-5db6-b42d-9be8d96db2e9", "id": "CVE-2025-22233", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-22233 affects version 5.3.39.tuxcare.1 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:71c55e68-f695-5e81-9438-67379145002f", "id": "CVE-2025-41234", "analysis": { "state": "false_positive", "detail": "Vulnerability CVE-2025-41234 is a false positive for org.springframework:spring-oxm 5.3.39.tuxcare.1." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:23e35d89-840c-51f2-9ca2-2c452126ee33", "id": "CVE-2025-41242", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41242 affects version 5.3.39.tuxcare.1 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:ae98de29-c220-5628-a5b6-a878fb8f0b41", "id": "CVE-2025-41249", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41249 affects version 5.3.39.tuxcare.1 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:3c731e6e-ecb0-5296-b44a-943583e5f442", "id": "CVE-2025-41254", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41254 affects version 5.3.39.tuxcare.1 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:715122f1-4df0-5673-928a-17353b166e87", "id": "CVE-2026-22735", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22735 affects version 5.3.39.tuxcare.1 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:c4a04099-8426-59bf-b44e-5d7795d8dfe1", "id": "CVE-2026-22737", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22737 affects version 5.3.39.tuxcare.1 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:ba1b8e5f-d440-573d-aa78-9e3836de144b", "id": "CVE-2026-22740", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22740 affects version 5.3.39.tuxcare.1 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:2ce0cef2-d019-51d4-9fbe-6dd6a0d95f04", "id": "CVE-2026-22741", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22741 affects version 5.3.39.tuxcare.1 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:0506b512-22bc-5fdb-bf0d-9938f0cb35e3", "id": "CVE-2026-22745", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22745 affects version 5.3.39.tuxcare.1 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:f70d3600-568e-5300-bc69-7c5ab09653a0", "id": "CVE-2026-41838", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41838 affects version 5.3.39.tuxcare.1 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:33606841-5ea3-58af-a82d-e13fad73746c", "id": "CVE-2026-41839", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41839 affects version 5.3.39.tuxcare.1 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:7f4f5f4f-7f5e-5f7a-b166-9066117e5f7b", "id": "CVE-2026-41840", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41840 does not affect version 5.3.39.tuxcare.1 of org.springframework:spring-oxm. already_fixed \u2014 The target Spring Framework 5.3.39-tuxcare.12 already contains both vendor fixes for CVE-2026-41840. The fixes were backported via commit 4ef4cdca34 (May 13, 2026) under CVE-2026-22740, but the code changes are identical to the upstream patches. Both doOnDiscard handlers are present and active in PartGenerator.java and MultipartHttpMessageReader.java, preventing memory exhaustion from unrelease..." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:b6842d49-6fca-5f93-8033-b866f71487ad", "id": "CVE-2026-41841", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41841 affects version 5.3.39.tuxcare.1 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:c1d7ebb4-8036-565c-bc92-d41aab0267f9", "id": "CVE-2026-41842", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41842 affects version 5.3.39.tuxcare.1 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:27fb76a5-533d-5779-baf4-2a76da3ceb82", "id": "CVE-2026-41843", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41843 affects version 5.3.39.tuxcare.1 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:2200b222-ba26-5c5a-8bfd-4b63ed0c08c5", "id": "CVE-2026-41844", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41844 affects version 5.3.39.tuxcare.1 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:e2ed51a5-7094-57ee-b049-841d58389235", "id": "CVE-2026-41845", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41845 affects version 5.3.39.tuxcare.1 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:5f41df75-5057-5b81-8e15-d3a08dd2a401", "id": "CVE-2026-41846", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41846 affects version 5.3.39.tuxcare.1 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:eba4da9d-4d8f-5e7b-8f3a-6e432ba0696e", "id": "CVE-2026-41847", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41847 affects version 5.3.39.tuxcare.1 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:269fbbb2-04eb-58bd-a1a2-207a9c748a1d", "id": "CVE-2026-41848", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41848 affects version 5.3.39.tuxcare.1 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:1225f3fa-510e-52a8-98b8-b53a9644233f", "id": "CVE-2026-41849", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41849 affects version 5.3.39.tuxcare.1 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:de5b95aa-fb8f-5c75-b278-d3733525a514", "id": "CVE-2026-41850", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41850 affects version 5.3.39.tuxcare.1 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:f98aba33-dd9f-513d-9a3c-6c394ad8a19c", "id": "CVE-2026-41851", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41851 affects version 5.3.39.tuxcare.1 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:c67bd8f9-b461-55b6-bfc2-9e99f7b8f40a", "id": "CVE-2026-41852", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41852 affects version 5.3.39.tuxcare.1 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:abea8e5f-f602-5309-b054-7a091f0d61dc", "id": "CVE-2026-41853", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41853 affects version 5.3.39.tuxcare.1 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:3aec173e-98ce-51b8-a272-8bdf4c304c0f", "id": "CVE-2026-41855", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41855 affects version 5.3.39.tuxcare.1 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39.tuxcare.1" } ] } ], "dependencies": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39.tuxcare.1" } ] }