{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:d80ec0ab-6cf2-52c2-9fa6-29c5ad7b1d26", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:maven/org.springframework/spring-oxm@5.3.39.tuxcare.6", "type": "library", "group": "org.springframework", "name": "spring-oxm", "version": "5.3.39.tuxcare.6", "purl": "pkg:maven/org.springframework/spring-oxm@5.3.39.tuxcare.6" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:12f218c7-d029-5be5-a792-6d49132f95eb", "id": "CVE-2016-1000027", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2016-1000027 affects version 5.3.39.tuxcare.6 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:3192da94-4715-58fd-ad28-a4e530e33c10", "id": "CVE-2022-22968", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2022-22968 does not affect version 5.3.39.tuxcare.6 of org.springframework:spring-oxm. Spring version 5.3.39 is not affected to CVE-2022-22968 as fix has been already already backported by the original developers" }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:e4f944f1-e025-5b4f-afa8-e1d4b08f625e", "id": "CVE-2024-38816", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38816 is fixed in version 5.3.39.tuxcare.6 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:87d4b7b3-19cc-5bd0-b3fb-d03f59248d85", "id": "CVE-2024-38819", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38819 is fixed in version 5.3.39.tuxcare.6 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:f9dd6d1c-5211-5f32-8f02-f7aae0343080", "id": "CVE-2024-38820", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38820 is fixed in version 5.3.39.tuxcare.6 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:d4111a31-1639-5937-8887-b45d350cfa69", "id": "CVE-2024-38828", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38828 is fixed in version 5.3.39.tuxcare.6 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:145d5673-6289-55a7-ad6e-ca8bc9633281", "id": "CVE-2025-22233", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-22233 is fixed in version 5.3.39.tuxcare.6 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:9a11b5d5-197f-5d10-87b1-f6135154b31e", "id": "CVE-2025-41234", "analysis": { "state": "false_positive", "detail": "Vulnerability CVE-2025-41234 is a false positive for org.springframework:spring-oxm 5.3.39.tuxcare.6." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:7f1f2919-e533-5429-9b3d-2713701e9989", "id": "CVE-2025-41242", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41242 affects version 5.3.39.tuxcare.6 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:0f695461-9f59-582e-8743-a8bf8c383b76", "id": "CVE-2025-41249", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41249 affects version 5.3.39.tuxcare.6 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:8bb54373-13d9-523d-b2a5-08f8b9725f16", "id": "CVE-2025-41254", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41254 affects version 5.3.39.tuxcare.6 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:86ac625a-34fd-56e4-b91a-08b7a3416347", "id": "CVE-2026-22735", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22735 affects version 5.3.39.tuxcare.6 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:5bdffba1-b114-5531-aeaf-0437afb8e677", "id": "CVE-2026-22737", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22737 affects version 5.3.39.tuxcare.6 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:c3c8047a-4eee-5a48-bf6d-5fc7592a8b35", "id": "CVE-2026-22740", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22740 affects version 5.3.39.tuxcare.6 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:599c4dab-70ce-56b7-827f-bc430e1f2e23", "id": "CVE-2026-22741", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22741 affects version 5.3.39.tuxcare.6 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:9d80c514-0f98-5b38-a044-8b3a97b6a598", "id": "CVE-2026-22745", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22745 affects version 5.3.39.tuxcare.6 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:20805df6-2324-538c-a37f-84304981a227", "id": "CVE-2026-41838", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41838 affects version 5.3.39.tuxcare.6 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:d7a261a1-695f-5341-9780-7fdcf795cd92", "id": "CVE-2026-41839", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41839 affects version 5.3.39.tuxcare.6 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:57a71ea6-e102-587c-bd39-03bb87eb5233", "id": "CVE-2026-41840", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41840 does not affect version 5.3.39.tuxcare.6 of org.springframework:spring-oxm. already_fixed \u2014 The target Spring Framework 5.3.39-tuxcare.12 already contains both vendor fixes for CVE-2026-41840. The fixes were backported via commit 4ef4cdca34 (May 13, 2026) under CVE-2026-22740, but the code changes are identical to the upstream patches. Both doOnDiscard handlers are present and active in PartGenerator.java and MultipartHttpMessageReader.java, preventing memory exhaustion from unrelease..." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:a2c5c5be-0592-5a84-afc5-39da5048445a", "id": "CVE-2026-41841", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41841 affects version 5.3.39.tuxcare.6 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:f0c09cab-ac62-5048-bf64-cdb72b4fa23b", "id": "CVE-2026-41842", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41842 affects version 5.3.39.tuxcare.6 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:2e866637-8cf2-594f-ad41-ba7eb12fa7aa", "id": "CVE-2026-41843", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41843 affects version 5.3.39.tuxcare.6 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:62cf764e-cb3b-5083-b2d6-7e4ce75f5fe6", "id": "CVE-2026-41844", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41844 affects version 5.3.39.tuxcare.6 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:9c7ff419-ad2a-5aa3-a237-ec219b3e3c41", "id": "CVE-2026-41845", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41845 affects version 5.3.39.tuxcare.6 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:8e73e8c9-071e-55e4-aefe-8d49ea667bf6", "id": "CVE-2026-41846", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41846 affects version 5.3.39.tuxcare.6 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:773142e5-2d7a-526a-90fb-f37af180b284", "id": "CVE-2026-41847", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41847 affects version 5.3.39.tuxcare.6 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:492bced0-ee33-5746-bd8c-5ad2d3dffb2d", "id": "CVE-2026-41848", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41848 affects version 5.3.39.tuxcare.6 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:ce82f0b3-6dcf-5235-b648-1bdcc58f525d", "id": "CVE-2026-41849", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41849 affects version 5.3.39.tuxcare.6 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:f4f09960-55fa-5d16-8328-2d5455e42c81", "id": "CVE-2026-41850", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41850 affects version 5.3.39.tuxcare.6 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:a40011de-22e6-57cf-8471-a0d93aab291a", "id": "CVE-2026-41851", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41851 affects version 5.3.39.tuxcare.6 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:c74e28de-9056-541b-aafd-d486f1581233", "id": "CVE-2026-41852", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41852 affects version 5.3.39.tuxcare.6 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:8d5bff10-f7de-53ff-86cb-b50c311b9a9f", "id": "CVE-2026-41853", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41853 affects version 5.3.39.tuxcare.6 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:333043a1-755f-572c-b6f4-820d2a91ee76", "id": "CVE-2026-41855", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41855 affects version 5.3.39.tuxcare.6 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39.tuxcare.6" } ] } ], "dependencies": [ { "ref": "pkg:maven/org.springframework/spring-oxm@5.3.39.tuxcare.6" } ] }