{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:f88e70e0-41ee-54cd-b445-3483540a1530", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:maven/org.springframework/spring-oxm@6.1.20-tuxcare.3", "type": "library", "group": "org.springframework", "name": "spring-oxm", "version": "6.1.20-tuxcare.3", "purl": "pkg:maven/org.springframework/spring-oxm@6.1.20-tuxcare.3" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:7345154b-5c2c-5cfa-9ed7-2007e721a0ce", "id": "CVE-2025-22233", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-22233 affects version 6.1.20-tuxcare.3 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@6.1.20-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:2285be04-5e6d-5574-9e17-2b99b1aed460", "id": "CVE-2025-41234", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-41234 is fixed in version 6.1.20-tuxcare.3 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@6.1.20-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:abd7fe5a-5a94-5941-9454-f6a70c81af8b", "id": "CVE-2025-41242", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41242 affects version 6.1.20-tuxcare.3 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@6.1.20-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:ec1dc28e-d042-5928-95de-fd2e4029fc83", "id": "CVE-2025-41249", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41249 affects version 6.1.20-tuxcare.3 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@6.1.20-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:5e5250af-4c4d-5385-9395-7f825e350eaa", "id": "CVE-2025-41254", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41254 affects version 6.1.20-tuxcare.3 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@6.1.20-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:9030e48d-a7f6-5a1f-96c1-bf15350439de", "id": "CVE-2026-22735", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22735 is fixed in version 6.1.20-tuxcare.3 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@6.1.20-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:50afbfb7-7df9-5303-936f-9d4dda3eff17", "id": "CVE-2026-22737", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22737 affects version 6.1.20-tuxcare.3 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@6.1.20-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:2173c0e2-70bd-5e5b-bddd-6873311c0e31", "id": "CVE-2026-22740", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22740 is fixed in version 6.1.20-tuxcare.3 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@6.1.20-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:7a920cd2-5cd5-581a-a353-95058d5f8917", "id": "CVE-2026-22741", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22741 is fixed in version 6.1.20-tuxcare.3 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@6.1.20-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:a0a2a704-49c7-53df-a616-3ba337bf2741", "id": "CVE-2026-22745", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22745 is fixed in version 6.1.20-tuxcare.3 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@6.1.20-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:34c4a6a2-647f-5162-a664-9d49a116055e", "id": "CVE-2026-41838", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41838 affects version 6.1.20-tuxcare.3 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@6.1.20-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:6ef5902a-95ef-5e15-845e-cdb84952141a", "id": "CVE-2026-41839", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41839 affects version 6.1.20-tuxcare.3 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@6.1.20-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:b91b4bc7-f4de-5a94-b434-982660190398", "id": "CVE-2026-41840", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41840 does not affect version 6.1.20-tuxcare.3 of org.springframework:spring-oxm. already_fixed \u2014 Spring Framework 6.1.20-tuxcare.4 already contains both doOnDiscard handlers that prevent the multipart memory leak vulnerability. The fixes were applied via TuxCare backport commit a6b78f2a1c on May 19, 2026 under CVE-2026-22740, which appears to be the same or closely related vulnerability as CVE-2026-41840." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@6.1.20-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:02ce3594-5335-5546-81c6-a4941e84643c", "id": "CVE-2026-41841", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41841 affects version 6.1.20-tuxcare.3 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@6.1.20-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:f4fccd17-2111-5509-9e2a-b6d0e3755d29", "id": "CVE-2026-41842", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41842 affects version 6.1.20-tuxcare.3 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@6.1.20-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:27ae0bd2-ba4e-5358-8701-7ec4ed5f5f48", "id": "CVE-2026-41843", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41843 affects version 6.1.20-tuxcare.3 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@6.1.20-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:da04c815-a5c5-5c66-a333-0c2287ec6f52", "id": "CVE-2026-41844", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41844 affects version 6.1.20-tuxcare.3 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@6.1.20-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:95f3a46b-4dd3-52d4-8cd3-0def8e66072a", "id": "CVE-2026-41845", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41845 affects version 6.1.20-tuxcare.3 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@6.1.20-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:fcce3746-a3ed-573e-9aa1-8784b12ec71c", "id": "CVE-2026-41846", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41846 affects version 6.1.20-tuxcare.3 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@6.1.20-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:0917bbac-6531-509b-928f-4b089c896060", "id": "CVE-2026-41848", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41848 affects version 6.1.20-tuxcare.3 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@6.1.20-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:3f8f69c0-202f-5e93-a1ec-76fdb64b68c4", "id": "CVE-2026-41850", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41850 affects version 6.1.20-tuxcare.3 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@6.1.20-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:ea5ded19-ead1-5d57-8c70-6bcc10b3d350", "id": "CVE-2026-41851", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41851 affects version 6.1.20-tuxcare.3 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@6.1.20-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:20e0151b-e44d-510b-a724-d55ae085cd02", "id": "CVE-2026-41852", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41852 affects version 6.1.20-tuxcare.3 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@6.1.20-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:f6e40daa-7a4a-5068-a5e7-6ffef81198c6", "id": "CVE-2026-41853", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41853 affects version 6.1.20-tuxcare.3 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@6.1.20-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:145e421a-e6c1-5fa3-840d-d74eae6abd46", "id": "CVE-2026-41855", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41855 affects version 6.1.20-tuxcare.3 of org.springframework:spring-oxm." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-oxm@6.1.20-tuxcare.3" } ] } ], "dependencies": [ { "ref": "pkg:maven/org.springframework/spring-oxm@6.1.20-tuxcare.3" } ] }