{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:6ada826b-64f5-5320-87f0-80d130305fb9", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39.tuxcare.6", "type": "library", "group": "org.springframework", "name": "spring-r2dbc", "version": "5.3.39.tuxcare.6", "purl": "pkg:maven/org.springframework/spring-r2dbc@5.3.39.tuxcare.6" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:c2ccc6ce-ebc2-5459-be10-cb7b6414f89a", "id": "CVE-2016-1000027", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2016-1000027 affects version 5.3.39.tuxcare.6 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:381bef2f-a7cd-5729-9dfe-95bf040745cd", "id": "CVE-2022-22968", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2022-22968 does not affect version 5.3.39.tuxcare.6 of org.springframework:spring-r2dbc. Spring version 5.3.39 is not affected to CVE-2022-22968 as fix has been already already backported by the original developers" }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:7b7bf760-8969-5001-9e6b-98e9027c20ad", "id": "CVE-2024-38816", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38816 is fixed in version 5.3.39.tuxcare.6 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:ace6ebb2-1180-5e13-8e46-344d831c844a", "id": "CVE-2024-38819", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38819 is fixed in version 5.3.39.tuxcare.6 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:e2294c25-38be-5418-86fb-b04a1b2e1d53", "id": "CVE-2024-38820", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38820 is fixed in version 5.3.39.tuxcare.6 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:6a055559-fa08-5e6f-b860-5f0e235762a4", "id": "CVE-2024-38828", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38828 is fixed in version 5.3.39.tuxcare.6 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:992a6b1f-9517-5756-87a8-97db1f4ed278", "id": "CVE-2025-22233", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-22233 is fixed in version 5.3.39.tuxcare.6 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:a874ddf5-2e21-5d10-a442-ddde8092e533", "id": "CVE-2025-41234", "analysis": { "state": "false_positive", "detail": "Vulnerability CVE-2025-41234 is a false positive for org.springframework:spring-r2dbc 5.3.39.tuxcare.6." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:8260ea02-5693-5942-85a0-6f719b8dcbaa", "id": "CVE-2025-41242", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41242 affects version 5.3.39.tuxcare.6 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:9e62bc51-eea1-52dd-be1f-66a2e50edfd2", "id": "CVE-2025-41249", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41249 affects version 5.3.39.tuxcare.6 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:078e0e35-8449-5df4-b3d6-040b3b2ecb6f", "id": "CVE-2025-41254", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41254 affects version 5.3.39.tuxcare.6 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:77e9b950-933f-5f26-8ab9-07a3ceb62ffb", "id": "CVE-2026-22735", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22735 affects version 5.3.39.tuxcare.6 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:4347717e-fc2d-52f5-8277-cf0a8f204203", "id": "CVE-2026-22737", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22737 affects version 5.3.39.tuxcare.6 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:875c9dbd-4709-5164-abce-0910aa460e19", "id": "CVE-2026-22740", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22740 affects version 5.3.39.tuxcare.6 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:d0f59898-53fa-5d27-a2e9-fd4672fcf0ba", "id": "CVE-2026-22741", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22741 affects version 5.3.39.tuxcare.6 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:19fa2b5b-4961-5060-aea0-2516c89bfbd1", "id": "CVE-2026-22745", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22745 affects version 5.3.39.tuxcare.6 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:87affda6-e9fb-5fd9-907f-ff6004ad3f4e", "id": "CVE-2026-41838", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41838 affects version 5.3.39.tuxcare.6 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:55be98b8-96eb-5764-b3aa-0d26311fe127", "id": "CVE-2026-41839", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41839 affects version 5.3.39.tuxcare.6 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:1dde0771-e657-535c-8b95-ff0d58e34ea5", "id": "CVE-2026-41840", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41840 does not affect version 5.3.39.tuxcare.6 of org.springframework:spring-r2dbc. already_fixed \u2014 The target Spring Framework 5.3.39-tuxcare.12 already contains both vendor fixes for CVE-2026-41840. The fixes were backported via commit 4ef4cdca34 (May 13, 2026) under CVE-2026-22740, but the code changes are identical to the upstream patches. Both doOnDiscard handlers are present and active in PartGenerator.java and MultipartHttpMessageReader.java, preventing memory exhaustion from unrelease..." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:30f80c28-1d11-5585-90df-0a66707f2b29", "id": "CVE-2026-41841", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41841 affects version 5.3.39.tuxcare.6 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:c1bf255d-15c3-5f01-8aa1-224a5f345191", "id": "CVE-2026-41842", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41842 affects version 5.3.39.tuxcare.6 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:3f3b2846-3976-5e19-878f-b1cbbc1e94e3", "id": "CVE-2026-41843", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41843 affects version 5.3.39.tuxcare.6 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:9ae969e1-ba8a-5b02-a1a9-b83209ae8feb", "id": "CVE-2026-41844", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41844 affects version 5.3.39.tuxcare.6 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:2e0836b0-c1b5-5c69-9977-1f5522dd0b33", "id": "CVE-2026-41845", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41845 affects version 5.3.39.tuxcare.6 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:895d5731-f864-5410-86f8-a50aee8e5bb2", "id": "CVE-2026-41846", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41846 affects version 5.3.39.tuxcare.6 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:85036e3a-3d51-530d-b3cd-43bf8a25a240", "id": "CVE-2026-41847", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41847 affects version 5.3.39.tuxcare.6 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:6f10a44f-5f77-51b3-8eff-76bacfa8eecb", "id": "CVE-2026-41848", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41848 affects version 5.3.39.tuxcare.6 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:867496b6-0030-5ae4-b904-5ca87817f1fa", "id": "CVE-2026-41849", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41849 affects version 5.3.39.tuxcare.6 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:8897a1c6-3d36-5d07-92c5-2df108d6b529", "id": "CVE-2026-41850", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41850 affects version 5.3.39.tuxcare.6 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:b12e2117-dbc2-5bc0-b5ac-b87efe715e5b", "id": "CVE-2026-41851", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41851 affects version 5.3.39.tuxcare.6 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:204fdff3-f77e-552d-8c9a-d4bd3472bbf0", "id": "CVE-2026-41852", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41852 affects version 5.3.39.tuxcare.6 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:64f7c241-0ac0-5be6-877c-75fff3f1c0a5", "id": "CVE-2026-41853", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41853 affects version 5.3.39.tuxcare.6 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:70fa1acc-5adc-5959-a56e-dc44cae533c7", "id": "CVE-2026-41855", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41855 affects version 5.3.39.tuxcare.6 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39.tuxcare.6" } ] } ], "dependencies": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@5.3.39.tuxcare.6" } ] }