{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:2e1bf7ae-cea5-5643-8df7-ac97e322cab4", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:maven/org.springframework/spring-oxm@5.3.39.tuxcare.4", "type": "library", "group": "org.springframework", "name": "spring-oxm", "version": "5.3.39.tuxcare.4", "purl": "pkg:maven/org.springframework/spring-oxm@5.3.39.tuxcare.4" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:76ec29a8-01bb-51fc-beb7-644de35ce96f", "id": "CVE-2016-1000027", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2016-1000027 affects version 5.3.39.tuxcare.4 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:73fc507f-1534-56bb-bc40-148a2fc27c38", "id": "CVE-2022-22968", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2022-22968 does not affect version 5.3.39.tuxcare.4 of org.springframework:spring-oxm. Spring version 5.3.39 is not affected to CVE-2022-22968 as fix has been already already backported by the original developers" }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:05b119d9-5270-551b-946c-dc33b9a8d7c2", "id": "CVE-2024-38816", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38816 is fixed in version 5.3.39.tuxcare.4 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:80beba6c-93a3-552c-968d-be6c0dad7efe", "id": "CVE-2024-38819", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38819 is fixed in version 5.3.39.tuxcare.4 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:52e8c506-86d1-55a9-a548-d22c20092011", "id": "CVE-2024-38820", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38820 affects version 5.3.39.tuxcare.4 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:8b7c4d78-40fa-520c-aa12-de8a40099e0f", "id": "CVE-2024-38828", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38828 is fixed in version 5.3.39.tuxcare.4 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:f9c38a4d-718b-514f-ac95-18d0bed214e7", "id": "CVE-2025-22233", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-22233 affects version 5.3.39.tuxcare.4 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:a2627aad-2cd7-5b14-ad9f-c4e4823891ae", "id": "CVE-2025-41234", "analysis": { "state": "false_positive", "detail": "Vulnerability CVE-2025-41234 is a false positive for org.springframework:spring-oxm 5.3.39.tuxcare.4." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:cd1a84ed-1a75-57c0-b869-5586289c29f8", "id": "CVE-2025-41242", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41242 affects version 5.3.39.tuxcare.4 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:42b23c85-7a76-521a-9bae-90d8b1c6b8c9", "id": "CVE-2025-41249", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41249 affects version 5.3.39.tuxcare.4 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:40d4afa7-92d8-5b71-abfe-3c5aa3994946", "id": "CVE-2025-41254", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41254 affects version 5.3.39.tuxcare.4 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:b87df9c7-3cbb-5daa-b382-463fd577c1c1", "id": "CVE-2026-22735", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22735 affects version 5.3.39.tuxcare.4 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:4cb103e9-ef18-5c6c-a8e4-e1cc2bf0f2da", "id": "CVE-2026-22737", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22737 affects version 5.3.39.tuxcare.4 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:58bacdba-16ae-5390-a20e-94d4534b8425", "id": "CVE-2026-22740", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22740 affects version 5.3.39.tuxcare.4 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:6b9fef62-aeb9-5d28-be14-2c94020fd764", "id": "CVE-2026-22741", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22741 affects version 5.3.39.tuxcare.4 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:e270e833-e942-5c07-955a-b786ed9fd151", "id": "CVE-2026-22745", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22745 affects version 5.3.39.tuxcare.4 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:8fa21dc7-6c5d-5f37-92fe-4653e8b5a8f2", "id": "CVE-2026-41838", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41838 affects version 5.3.39.tuxcare.4 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:281f10ca-0137-5f4c-8e88-24ecee00f6a7", "id": "CVE-2026-41839", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41839 affects version 5.3.39.tuxcare.4 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:d5034b55-e342-50e4-93a8-555576652ab0", "id": "CVE-2026-41840", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41840 does not affect version 5.3.39.tuxcare.4 of org.springframework:spring-oxm. already_fixed \u2014 The target Spring Framework 5.3.39-tuxcare.12 already contains both vendor fixes for CVE-2026-41840. The fixes were backported via commit 4ef4cdca34 (May 13, 2026) under CVE-2026-22740, but the code changes are identical to the upstream patches. Both doOnDiscard handlers are present and active in PartGenerator.java and MultipartHttpMessageReader.java, preventing memory exhaustion from unrelease..." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:bcc69588-b49d-57a9-bd38-a870b36e0f7b", "id": "CVE-2026-41841", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41841 affects version 5.3.39.tuxcare.4 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:c44fc506-ac6d-5520-aaca-c3db9729935e", "id": "CVE-2026-41842", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41842 affects version 5.3.39.tuxcare.4 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:2ffab532-7788-517a-af3c-d29fe01057bd", "id": "CVE-2026-41843", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41843 affects version 5.3.39.tuxcare.4 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:2bc7e3db-1e5e-50d3-8d37-28419942f072", "id": "CVE-2026-41844", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41844 affects version 5.3.39.tuxcare.4 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:bc71c2ac-315f-5892-be5f-8dae1fc23284", "id": "CVE-2026-41845", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41845 affects version 5.3.39.tuxcare.4 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:a57ed1a5-8aab-5594-887e-220607e27f65", "id": "CVE-2026-41846", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41846 affects version 5.3.39.tuxcare.4 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:55290c62-6726-59cd-ad3d-be41582b6985", "id": "CVE-2026-41847", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41847 affects version 5.3.39.tuxcare.4 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:caf99228-6066-5618-a73c-be91629b6a4d", "id": "CVE-2026-41848", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41848 affects version 5.3.39.tuxcare.4 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:c10fe2f1-acec-5eda-8cbc-5a2fa98cac4a", "id": "CVE-2026-41849", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41849 affects version 5.3.39.tuxcare.4 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:c48a8fe7-49b2-56fe-9da5-b1f34853c324", "id": "CVE-2026-41850", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41850 affects version 5.3.39.tuxcare.4 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:426cfee1-ebfd-544a-8f84-6cb754074b9d", "id": "CVE-2026-41851", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41851 affects version 5.3.39.tuxcare.4 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:b7fcae24-60dd-59e7-997c-7b19c5dcec1c", "id": "CVE-2026-41852", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41852 affects version 5.3.39.tuxcare.4 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:0cc713cb-c176-5bba-8421-085a831f0c2d", "id": "CVE-2026-41853", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41853 affects version 5.3.39.tuxcare.4 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:4a62747c-056a-58b5-bafb-10829f1a870b", "id": "CVE-2026-41855", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41855 affects version 5.3.39.tuxcare.4 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39.tuxcare.4" } ] } ], "dependencies": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39.tuxcare.4" } ] }