{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:bc03f5ca-5332-50c4-a8a7-c6f66bc838d6", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:maven/org.springframework/spring-r2dbc@6.1.20-tuxcare.4", "type": "library", "group": "org.springframework", "name": "spring-r2dbc", "version": "6.1.20-tuxcare.4", "purl": "pkg:maven/org.springframework/spring-r2dbc@6.1.20-tuxcare.4" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:c3598a41-f2e8-5529-9f41-f156c8664892", "id": "CVE-2025-22233", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-22233 affects version 6.1.20-tuxcare.4 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@6.1.20-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:69eb2190-f965-58ae-8a10-4551a6a00eee", "id": "CVE-2025-41234", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-41234 is fixed in version 6.1.20-tuxcare.4 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@6.1.20-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:598aafb8-5906-5cc3-85c7-a2311f90b773", "id": "CVE-2025-41242", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41242 affects version 6.1.20-tuxcare.4 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@6.1.20-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:9f8129fe-5bc0-5673-9123-f19772a81e41", "id": "CVE-2025-41249", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41249 affects version 6.1.20-tuxcare.4 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@6.1.20-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:1d92c487-8159-5dab-ad6c-78ea7814c410", "id": "CVE-2025-41254", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41254 affects version 6.1.20-tuxcare.4 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@6.1.20-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:12fa9350-238c-5569-a6ad-13656bb654cc", "id": "CVE-2026-22735", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22735 is fixed in version 6.1.20-tuxcare.4 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@6.1.20-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:212bc911-e8a1-5641-9d48-f7173d2ffce8", "id": "CVE-2026-22737", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22737 is fixed in version 6.1.20-tuxcare.4 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@6.1.20-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:6d831e95-1190-52b8-9248-3a55e3bc1f23", "id": "CVE-2026-22740", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22740 is fixed in version 6.1.20-tuxcare.4 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@6.1.20-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:8aa22d80-02ee-50b4-a546-3331855e936e", "id": "CVE-2026-22741", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22741 is fixed in version 6.1.20-tuxcare.4 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@6.1.20-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:a4d90d92-e313-5863-a566-e287fe8be91f", "id": "CVE-2026-22745", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22745 is fixed in version 6.1.20-tuxcare.4 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@6.1.20-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:53f8aa8d-1a65-576f-b34d-d6a091e4c59d", "id": "CVE-2026-41838", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41838 affects version 6.1.20-tuxcare.4 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@6.1.20-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:6bacc033-cdf2-5973-96ac-f07c99d0163d", "id": "CVE-2026-41839", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41839 affects version 6.1.20-tuxcare.4 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@6.1.20-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:c9521399-f39a-5553-8ffa-da1fec547741", "id": "CVE-2026-41840", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41840 does not affect version 6.1.20-tuxcare.4 of org.springframework:spring-r2dbc. already_fixed \u2014 Spring Framework 6.1.20-tuxcare.4 already contains both doOnDiscard handlers that prevent the multipart memory leak vulnerability. The fixes were applied via TuxCare backport commit a6b78f2a1c on May 19, 2026 under CVE-2026-22740, which appears to be the same or closely related vulnerability as CVE-2026-41840." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@6.1.20-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:258cf663-af85-50ec-bbbc-406406f573c4", "id": "CVE-2026-41841", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41841 affects version 6.1.20-tuxcare.4 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@6.1.20-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:bfc29b40-8c8f-5bd6-9ff7-2b41a6b5c5a0", "id": "CVE-2026-41842", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41842 affects version 6.1.20-tuxcare.4 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@6.1.20-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:d9f84011-4eed-5099-aef0-501696b40bc2", "id": "CVE-2026-41843", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41843 affects version 6.1.20-tuxcare.4 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@6.1.20-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:ac6a4192-8ecf-5515-a292-2ad95fac5313", "id": "CVE-2026-41844", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41844 affects version 6.1.20-tuxcare.4 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@6.1.20-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:436b6978-8551-52af-b4dc-8d61f97fc33f", "id": "CVE-2026-41845", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41845 affects version 6.1.20-tuxcare.4 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@6.1.20-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:3405e94d-9a40-5088-8fc2-7b466d19736b", "id": "CVE-2026-41846", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41846 affects version 6.1.20-tuxcare.4 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@6.1.20-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:ba321eb3-a619-5095-b148-552bc445a676", "id": "CVE-2026-41848", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41848 affects version 6.1.20-tuxcare.4 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@6.1.20-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:a7a125ed-3ca1-5096-bcf2-19546d3e600c", "id": "CVE-2026-41850", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41850 affects version 6.1.20-tuxcare.4 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@6.1.20-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:602f4dbc-8250-5bb8-abc5-be7dc139d3cd", "id": "CVE-2026-41851", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41851 affects version 6.1.20-tuxcare.4 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@6.1.20-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:5db866d0-e532-52d2-8ae7-124901dd7d4e", "id": "CVE-2026-41852", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41852 affects version 6.1.20-tuxcare.4 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@6.1.20-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:980e1aa2-d033-57f8-9890-08d1e47eb98f", "id": "CVE-2026-41853", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41853 affects version 6.1.20-tuxcare.4 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@6.1.20-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:d3a110a9-ff03-5f8f-8d2a-0954e28469af", "id": "CVE-2026-41855", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41855 affects version 6.1.20-tuxcare.4 of org.springframework:spring-r2dbc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@6.1.20-tuxcare.4" } ] } ], "dependencies": [ { "ref": "pkg:maven/org.springframework/spring-r2dbc@6.1.20-tuxcare.4" } ] }