{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:c6c62df0-57bb-50c0-9e8a-3ccfae7e68c8", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39-tuxcare.9", "type": "library", "group": "org.springframework", "name": "spring-r2dbc", "version": "5.3.39-tuxcare.9", "purl": "pkg:maven/org.springframework/spring-r2dbc@5.3.39-tuxcare.9" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:bbc9840b-b48c-5caa-90f3-eedddf42e662", "id": "CVE-2016-1000027", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2016-1000027 affects version 5.3.39-tuxcare.9 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:c970de15-a157-5d85-8b5a-64b67e010705", "id": "CVE-2022-22968", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2022-22968 does not affect version 5.3.39-tuxcare.9 of org.springframework:spring-r2dbc. Spring version 5.3.39 is not affected to CVE-2022-22968 as fix has been already already backported by the original developers" }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:6f5718a0-d39a-545e-805f-f2e0d1624605", "id": "CVE-2024-38816", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38816 is fixed in version 5.3.39-tuxcare.9 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:fd6b1839-4754-5c1a-96e0-4ea3d1f3e503", "id": "CVE-2024-38819", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38819 is fixed in version 5.3.39-tuxcare.9 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:021f0983-6457-5086-8f10-b678be153ba4", "id": "CVE-2024-38820", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38820 is fixed in version 5.3.39-tuxcare.9 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:52c9060b-7b0b-58e3-a4ad-b05163a8f994", "id": "CVE-2024-38828", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38828 is fixed in version 5.3.39-tuxcare.9 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:e3013d2d-eb12-5105-9eaf-29a1c708e2cf", "id": "CVE-2025-22233", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-22233 is fixed in version 5.3.39-tuxcare.9 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:77db6472-5270-53d2-a358-1bbbdd9b815b", "id": "CVE-2025-41234", "analysis": { "state": "false_positive", "detail": "Vulnerability CVE-2025-41234 is a false positive for org.springframework:spring-r2dbc 5.3.39-tuxcare.9." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:74944077-8d22-592c-b6ea-06fb22c14c72", "id": "CVE-2025-41242", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-41242 is fixed in version 5.3.39-tuxcare.9 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:7c4df2a5-6725-5e5c-9bee-f56295b90cf3", "id": "CVE-2025-41249", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-41249 is fixed in version 5.3.39-tuxcare.9 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:099778ab-b7fe-5fa5-8bdf-a81b03a0eb07", "id": "CVE-2025-41254", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-41254 is fixed in version 5.3.39-tuxcare.9 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:d4dbda49-f520-542f-b770-fcacd7ef914f", "id": "CVE-2026-22735", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22735 affects version 5.3.39-tuxcare.9 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:7690506d-e6b9-5481-801e-d845dd93b8d0", "id": "CVE-2026-22737", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22737 affects version 5.3.39-tuxcare.9 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:396b0d98-f190-52f1-9b73-52a18b50e6ce", "id": "CVE-2026-22740", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22740 affects version 5.3.39-tuxcare.9 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:211c5d35-b6e2-5726-9b70-9ff4dbb2ac8d", "id": "CVE-2026-22741", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22741 affects version 5.3.39-tuxcare.9 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:2c45d415-eec2-577d-8b92-237721dee1e4", "id": "CVE-2026-22745", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22745 affects version 5.3.39-tuxcare.9 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:87bd0d25-c1ac-5b81-99ff-adb62605d7db", "id": "CVE-2026-41838", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41838 affects version 5.3.39-tuxcare.9 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:eb1ee683-d323-50c7-9a3e-149015be2a19", "id": "CVE-2026-41839", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41839 affects version 5.3.39-tuxcare.9 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:bbcf8546-f002-5397-8dae-c9dbb25a7f47", "id": "CVE-2026-41840", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41840 does not affect version 5.3.39-tuxcare.9 of org.springframework:spring-r2dbc. already_fixed \u2014 The target Spring Framework 5.3.39-tuxcare.12 already contains both vendor fixes for CVE-2026-41840. The fixes were backported via commit 4ef4cdca34 (May 13, 2026) under CVE-2026-22740, but the code changes are identical to the upstream patches. Both doOnDiscard handlers are present and active in PartGenerator.java and MultipartHttpMessageReader.java, preventing memory exhaustion from unrelease..." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:b9e37073-c5f4-5f4f-9c7c-864481ff5984", "id": "CVE-2026-41841", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41841 affects version 5.3.39-tuxcare.9 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:947d75f8-ffe5-5cfb-9d32-9a43458592df", "id": "CVE-2026-41842", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41842 affects version 5.3.39-tuxcare.9 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:2737da28-ed84-51d5-b566-579993e565d1", "id": "CVE-2026-41843", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41843 affects version 5.3.39-tuxcare.9 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:50a33d7f-6a96-5d14-9ede-d8e926044b93", "id": "CVE-2026-41844", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41844 affects version 5.3.39-tuxcare.9 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:63e7d4cf-1185-532d-9aa3-a987efbd54fd", "id": "CVE-2026-41845", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41845 affects version 5.3.39-tuxcare.9 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:f0a2e07a-86f2-5c9c-b4d7-94c0023b4c1e", "id": "CVE-2026-41846", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41846 affects version 5.3.39-tuxcare.9 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:81c02aa2-407c-5637-ba8e-37e1cc016351", "id": "CVE-2026-41847", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41847 affects version 5.3.39-tuxcare.9 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:712db496-0297-5d3a-952a-286c5189600d", "id": "CVE-2026-41848", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41848 affects version 5.3.39-tuxcare.9 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:7ee218eb-1946-51fd-a22c-3e03d8cd6f4d", "id": "CVE-2026-41849", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41849 affects version 5.3.39-tuxcare.9 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:677f02a6-54c4-5c47-8f1c-ba3bd8705564", "id": "CVE-2026-41850", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41850 affects version 5.3.39-tuxcare.9 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:123a1f28-ea06-5b8a-9f40-eb9edfdf9191", "id": "CVE-2026-41851", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41851 affects version 5.3.39-tuxcare.9 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:309d1e46-5aef-59b4-9b7f-09c9bc7a69e3", "id": "CVE-2026-41852", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41852 affects version 5.3.39-tuxcare.9 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:06cbaba7-4caf-5c52-8cc9-1f7ce769f891", "id": "CVE-2026-41853", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41853 affects version 5.3.39-tuxcare.9 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:d92c28b9-a0ff-539d-9a18-3cdb4aee9f69", "id": "CVE-2026-41855", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41855 affects version 5.3.39-tuxcare.9 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39-tuxcare.9" } ] } ], "dependencies": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39-tuxcare.9" } ] }