{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:da3c9fdc-da60-5610-bdfa-bfd5f1d8fd01", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.37-tuxcare.2", "type": "library", "group": "org.springframework", "name": "spring-r2dbc", "version": "5.3.37-tuxcare.2", "purl": "pkg:maven/org.springframework/spring-r2dbc@5.3.37-tuxcare.2" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:fcd42601-cf03-55e1-9b7a-c7ce5c4c8221", "id": "CVE-2016-1000027", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2016-1000027 affects version 5.3.37-tuxcare.2 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.37-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:7cbc6318-522f-5e93-9a5b-965823546e38", "id": "CVE-2024-38808", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38808 affects version 5.3.37-tuxcare.2 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.37-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:75771ad2-0cd5-53eb-8bcd-bea13fb4e2d1", "id": "CVE-2024-38809", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38809 is fixed in version 5.3.37-tuxcare.2 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.37-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:de93cc7f-5ad7-5b0f-9108-dd73a800868f", "id": "CVE-2024-38816", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38816 is fixed in version 5.3.37-tuxcare.2 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.37-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:6aaa442b-118a-502d-a049-16304ef45239", "id": "CVE-2024-38819", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38819 affects version 5.3.37-tuxcare.2 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.37-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:769d36a9-c61c-590d-a189-d57f27d53872", "id": "CVE-2024-38820", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38820 is fixed in version 5.3.37-tuxcare.2 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.37-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:7b8bd4fc-75bf-5eff-a34b-0bee2c2fbc3c", "id": "CVE-2024-38828", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38828 affects version 5.3.37-tuxcare.2 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.37-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:85ed440c-3fdf-5a29-9a27-ca24c7f609cc", "id": "CVE-2025-22233", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-22233 affects version 5.3.37-tuxcare.2 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.37-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:c0b8f2de-bd14-50f2-b759-2dc2f74773a5", "id": "CVE-2025-41242", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41242 affects version 5.3.37-tuxcare.2 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.37-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:1a4c1cb9-0f81-5494-b39e-07cd5b9313ab", "id": "CVE-2025-41249", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-41249 is fixed in version 5.3.37-tuxcare.2 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.37-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:10f97db3-0c4d-51ce-b1cc-0028fca22cab", "id": "CVE-2025-41254", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41254 affects version 5.3.37-tuxcare.2 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.37-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:99989af2-476b-5d98-aee5-8e6081ba07da", "id": "CVE-2026-22735", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22735 affects version 5.3.37-tuxcare.2 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.37-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:09f21906-c59b-5942-8063-98ec67b08822", "id": "CVE-2026-22737", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22737 affects version 5.3.37-tuxcare.2 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.37-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:6ddd84b0-12a6-54dd-babe-1a64a75b8915", "id": "CVE-2026-22740", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22740 affects version 5.3.37-tuxcare.2 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.37-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:3b839e40-b478-5a08-a8a0-60d3e216496f", "id": "CVE-2026-22741", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22741 affects version 5.3.37-tuxcare.2 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.37-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:b7656f09-c233-5be2-b628-4bf9dd813705", "id": "CVE-2026-22745", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22745 affects version 5.3.37-tuxcare.2 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.37-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:39293702-f558-5978-b98c-f2876dee48d0", "id": "CVE-2026-41838", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41838 affects version 5.3.37-tuxcare.2 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.37-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:c9a93f76-00bd-5fa5-ab34-a0f3d96bc5da", "id": "CVE-2026-41839", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41839 affects version 5.3.37-tuxcare.2 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.37-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:af8e101c-a553-5531-8d05-1ab63cc85377", "id": "CVE-2026-41840", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41840 does not affect version 5.3.37-tuxcare.2 of org.springframework:spring-r2dbc. already_fixed \u2014 The target repository (Spring Framework 5.3.37-tuxcare.6) already contains both fixes for CVE-2026-41840. The fixes were backported on June 8, 2026 via commit 648b33d0a3 as part of CVE-2026-22740 remediation, which addresses the same multipart memory leak vulnerability." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.37-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:89ed7830-73e9-519e-856e-3b98395eb51a", "id": "CVE-2026-41841", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41841 affects version 5.3.37-tuxcare.2 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.37-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:6e215cf0-1604-575d-b24c-672be94783be", "id": "CVE-2026-41842", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41842 affects version 5.3.37-tuxcare.2 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.37-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:109fb12d-efc2-57bf-997d-6a550692a3c1", "id": "CVE-2026-41843", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41843 affects version 5.3.37-tuxcare.2 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.37-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:30758927-589f-5922-b0b8-c6616cdb0bf9", "id": "CVE-2026-41844", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41844 affects version 5.3.37-tuxcare.2 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.37-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:c7ac2fdf-8cb4-5787-9713-fa781c897dd9", "id": "CVE-2026-41845", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41845 affects version 5.3.37-tuxcare.2 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.37-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:7ce29ae3-093b-5c96-aa54-140b4a4e8d72", "id": "CVE-2026-41846", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41846 affects version 5.3.37-tuxcare.2 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.37-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:2d5aebd1-c7eb-5632-92f7-5db4769fc4b6", "id": "CVE-2026-41847", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41847 does not affect version 5.3.37-tuxcare.2 of org.springframework:spring-r2dbc. already_fixed \u2014 The target repository (Spring Framework 5.3.37-tuxcare.6) already contains the fix for CVE-2026-41847. The upstream fix commit 07ba95739bf4451742e4ee6b4d4b2d0ee5f701bf is present in the repository history since April 24, 2021. Both affected Kotlin Router DSL files (CoRouterFunctionDsl.kt and RouterFunctionDsl.kt) show the corrected filter implementation where the potentially-modified request pa..." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.37-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:b305b2eb-e217-5798-b263-52ff6588a526", "id": "CVE-2026-41848", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41848 affects version 5.3.37-tuxcare.2 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.37-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:927e6f7e-e6f6-56a2-9c4c-f7bd3486215c", "id": "CVE-2026-41849", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41849 affects version 5.3.37-tuxcare.2 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.37-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:3330bb63-a962-5472-a973-268c3be61ce9", "id": "CVE-2026-41850", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41850 affects version 5.3.37-tuxcare.2 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.37-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:c7442f7b-1df4-53ee-afa1-fbd01846f383", "id": "CVE-2026-41851", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41851 affects version 5.3.37-tuxcare.2 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.37-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:0557ec5e-a831-506c-a8b6-0f4fb1fc29c8", "id": "CVE-2026-41852", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41852 affects version 5.3.37-tuxcare.2 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.37-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:f1da6926-d71c-5e3d-98c4-7cb518123bd8", "id": "CVE-2026-41853", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41853 affects version 5.3.37-tuxcare.2 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.37-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:c0252ead-7323-5407-83ab-9fd0e962de23", "id": "CVE-2026-41855", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41855 affects version 5.3.37-tuxcare.2 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.37-tuxcare.2" } ] } ], "dependencies": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.37-tuxcare.2" } ] }