{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:8f2308ea-91db-5abc-a1b6-d920bdb493d1", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39.tuxcare.4", "type": "library", "group": "org.springframework", "name": "spring-r2dbc", "version": "5.3.39.tuxcare.4", "purl": "pkg:maven/org.springframework/spring-r2dbc@5.3.39.tuxcare.4" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:9f8da57f-d729-533b-b6c7-abd2d08073b1", "id": "CVE-2016-1000027", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2016-1000027 affects version 5.3.39.tuxcare.4 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:30831830-eff6-58f4-9981-66603c13a754", "id": "CVE-2022-22968", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2022-22968 does not affect version 5.3.39.tuxcare.4 of org.springframework:spring-r2dbc. Spring version 5.3.39 is not affected to CVE-2022-22968 as fix has been already already backported by the original developers" }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:0d8f67d6-1145-5685-b894-0df3f1f45fcd", "id": "CVE-2024-38816", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38816 is fixed in version 5.3.39.tuxcare.4 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:d9569939-2a85-5052-81fd-8ae5e4606c1b", "id": "CVE-2024-38819", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38819 is fixed in version 5.3.39.tuxcare.4 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:dba0fb98-9689-50ae-af91-4d8a0e5ccee2", "id": "CVE-2024-38820", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38820 affects version 5.3.39.tuxcare.4 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:8d2396ae-cdf9-542c-a9a4-392760b4d0fc", "id": "CVE-2024-38828", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38828 is fixed in version 5.3.39.tuxcare.4 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:f45ff6fc-9ea4-5027-bd8e-7f0607443dea", "id": "CVE-2025-22233", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-22233 affects version 5.3.39.tuxcare.4 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:1a7818bd-387e-5321-a5b0-b321b2a834be", "id": "CVE-2025-41234", "analysis": { "state": "false_positive", "detail": "Vulnerability CVE-2025-41234 is a false positive for org.springframework:spring-r2dbc 5.3.39.tuxcare.4." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:e34007e5-c31d-532c-86da-2a2307d9f52f", "id": "CVE-2025-41242", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41242 affects version 5.3.39.tuxcare.4 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:29298aa8-1344-5fb0-9000-1075904e194e", "id": "CVE-2025-41249", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41249 affects version 5.3.39.tuxcare.4 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:f21b62b3-ca95-5ef5-85ea-a107d48a3b23", "id": "CVE-2025-41254", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41254 affects version 5.3.39.tuxcare.4 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:78a4e09d-3007-56c9-920c-af46fd902b68", "id": "CVE-2026-22735", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22735 affects version 5.3.39.tuxcare.4 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:09076713-8ea7-5085-8cc6-a60d9f87d244", "id": "CVE-2026-22737", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22737 affects version 5.3.39.tuxcare.4 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:2c198f53-6416-5379-a9e6-9c71cf723205", "id": "CVE-2026-22740", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22740 affects version 5.3.39.tuxcare.4 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:e6477081-d921-58c0-b71a-5104acb39d4f", "id": "CVE-2026-22741", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22741 affects version 5.3.39.tuxcare.4 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:265cca1f-40b0-5c60-922a-060080f9e901", "id": "CVE-2026-22745", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22745 affects version 5.3.39.tuxcare.4 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:f367340e-7225-5831-98a0-3f9f079c39ca", "id": "CVE-2026-41838", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41838 affects version 5.3.39.tuxcare.4 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:804661e2-70e8-55ce-9537-e1e193e0ab61", "id": "CVE-2026-41839", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41839 affects version 5.3.39.tuxcare.4 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:3d3c798d-b3d3-50db-aa9f-a5dd1a2ccea4", "id": "CVE-2026-41840", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41840 does not affect version 5.3.39.tuxcare.4 of org.springframework:spring-r2dbc. already_fixed \u2014 The target Spring Framework 5.3.39-tuxcare.12 already contains both vendor fixes for CVE-2026-41840. The fixes were backported via commit 4ef4cdca34 (May 13, 2026) under CVE-2026-22740, but the code changes are identical to the upstream patches. Both doOnDiscard handlers are present and active in PartGenerator.java and MultipartHttpMessageReader.java, preventing memory exhaustion from unrelease..." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:1f651701-fcd9-5e28-8797-0fff76ec3e89", "id": "CVE-2026-41841", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41841 affects version 5.3.39.tuxcare.4 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:582b2fc5-14db-5701-8f00-28b7c3f45c35", "id": "CVE-2026-41842", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41842 affects version 5.3.39.tuxcare.4 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:1e66fded-43ee-5418-b09d-355041fa57e6", "id": "CVE-2026-41843", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41843 affects version 5.3.39.tuxcare.4 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:187db652-a0bc-5de6-be5e-7a7115c5ab47", "id": "CVE-2026-41844", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41844 affects version 5.3.39.tuxcare.4 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:830e8aff-e98e-5521-b744-477b89b717f1", "id": "CVE-2026-41845", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41845 affects version 5.3.39.tuxcare.4 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:f37f3cbc-29aa-5eaf-9c34-8284dcfaac8d", "id": "CVE-2026-41846", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41846 affects version 5.3.39.tuxcare.4 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:c35bbe71-fb6b-590e-9059-d89e4906fcf2", "id": "CVE-2026-41847", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41847 affects version 5.3.39.tuxcare.4 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:e2b89255-a488-51d1-90c3-2b91d172039a", "id": "CVE-2026-41848", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41848 affects version 5.3.39.tuxcare.4 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:d6eb0cb2-8895-53f9-9a83-d7f1838328f6", "id": "CVE-2026-41849", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41849 affects version 5.3.39.tuxcare.4 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:51be7c31-6219-5995-b466-a6b94a7bf66a", "id": "CVE-2026-41850", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41850 affects version 5.3.39.tuxcare.4 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:6d139ab8-e96d-523b-85ff-50ec5052f5a5", "id": "CVE-2026-41851", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41851 affects version 5.3.39.tuxcare.4 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:d2386103-ffc4-53e5-960e-a386fcc1f159", "id": "CVE-2026-41852", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41852 affects version 5.3.39.tuxcare.4 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:2e8e33cb-5da5-5f5f-9f13-e7399a837854", "id": "CVE-2026-41853", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41853 affects version 5.3.39.tuxcare.4 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:cbaa666c-8889-53cd-af52-b18cb2cf1121", "id": "CVE-2026-41855", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41855 affects version 5.3.39.tuxcare.4 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39.tuxcare.4" } ] } ], "dependencies": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39.tuxcare.4" } ] }