{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:bfcdc920-7a8f-5e03-8b44-03959e660324", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:maven/org.springframework/spring-tx@5.3.39-tuxcare.9", "type": "library", "group": "org.springframework", "name": "spring-tx", "version": "5.3.39-tuxcare.9", "purl": "pkg:maven/org.springframework/spring-tx@5.3.39-tuxcare.9" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:83762c88-7eb2-57e3-a2f8-5057963d9504", "id": "CVE-2016-1000027", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2016-1000027 affects version 5.3.39-tuxcare.9 of org.springframework:spring-tx." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:08126098-335c-5b69-966f-656c1e4b365b", "id": "CVE-2022-22968", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2022-22968 does not affect version 5.3.39-tuxcare.9 of org.springframework:spring-tx. Spring version 5.3.39 is not affected to CVE-2022-22968 as fix has been already already backported by the original developers" }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:6c84db02-7e36-5ac3-9b00-01b316b37282", "id": "CVE-2024-38816", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38816 is fixed in version 5.3.39-tuxcare.9 of org.springframework:spring-tx." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:b9a24419-8517-5740-b2a1-c483eb4ebf0d", "id": "CVE-2024-38819", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38819 is fixed in version 5.3.39-tuxcare.9 of org.springframework:spring-tx." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:333ac558-75f7-54d5-a87d-4731e691491a", "id": "CVE-2024-38820", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38820 is fixed in version 5.3.39-tuxcare.9 of org.springframework:spring-tx." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:73f54456-4692-5a1b-9e4f-394682f84f82", "id": "CVE-2024-38828", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38828 is fixed in version 5.3.39-tuxcare.9 of org.springframework:spring-tx." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:7372b0c1-e644-5057-bfca-b045a178d61e", "id": "CVE-2025-22233", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-22233 is fixed in version 5.3.39-tuxcare.9 of org.springframework:spring-tx." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:dc9d9ac8-85d9-5b7b-ba94-787b095fa4d9", "id": "CVE-2025-41234", "analysis": { "state": "false_positive", "detail": "Vulnerability CVE-2025-41234 is a false positive for org.springframework:spring-tx 5.3.39-tuxcare.9." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:a5a46451-4ad6-5f04-aa05-fb2e1ad16a5a", "id": "CVE-2025-41242", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-41242 is fixed in version 5.3.39-tuxcare.9 of org.springframework:spring-tx." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:8d90ee73-a775-599e-8d75-7a63f9242633", "id": "CVE-2025-41249", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-41249 is fixed in version 5.3.39-tuxcare.9 of org.springframework:spring-tx." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:c6637d0f-c660-5675-a134-3d0699234a2d", "id": "CVE-2025-41254", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-41254 is fixed in version 5.3.39-tuxcare.9 of org.springframework:spring-tx." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:d5ea8a61-784c-5705-a4b9-d89963474322", "id": "CVE-2026-22735", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22735 affects version 5.3.39-tuxcare.9 of org.springframework:spring-tx." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:a6f51a22-0fd5-5630-9768-909e94692bc5", "id": "CVE-2026-22737", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22737 affects version 5.3.39-tuxcare.9 of org.springframework:spring-tx." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:6008f7cd-0feb-5cfa-ab1d-824d950884fe", "id": "CVE-2026-22740", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22740 affects version 5.3.39-tuxcare.9 of org.springframework:spring-tx." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:3070e468-d7a5-5320-9d7e-a9b9595fef0f", "id": "CVE-2026-22741", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22741 affects version 5.3.39-tuxcare.9 of org.springframework:spring-tx." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:873967ca-5655-593c-bed8-d58540fc223d", "id": "CVE-2026-22745", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22745 affects version 5.3.39-tuxcare.9 of org.springframework:spring-tx." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:10d0b530-d5eb-54c0-912c-aad048e23599", "id": "CVE-2026-41838", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41838 affects version 5.3.39-tuxcare.9 of org.springframework:spring-tx." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:d79d6e42-59b1-5e46-b86e-f908bc947520", "id": "CVE-2026-41839", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41839 affects version 5.3.39-tuxcare.9 of org.springframework:spring-tx." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:c41cb4b2-ac94-502d-a253-f69f0a2f843d", "id": "CVE-2026-41840", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41840 does not affect version 5.3.39-tuxcare.9 of org.springframework:spring-tx. already_fixed \u2014 The target Spring Framework 5.3.39-tuxcare.12 already contains both vendor fixes for CVE-2026-41840. The fixes were backported via commit 4ef4cdca34 (May 13, 2026) under CVE-2026-22740, but the code changes are identical to the upstream patches. Both doOnDiscard handlers are present and active in PartGenerator.java and MultipartHttpMessageReader.java, preventing memory exhaustion from unrelease..." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:fbcb459f-2c2d-5373-a108-546c23a9f07a", "id": "CVE-2026-41841", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41841 affects version 5.3.39-tuxcare.9 of org.springframework:spring-tx." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:f61204da-4f0a-56af-b3de-24c155c406d8", "id": "CVE-2026-41842", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41842 affects version 5.3.39-tuxcare.9 of org.springframework:spring-tx." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:c8eb0a0a-4ef1-5e1f-91ed-01bcb11cc55e", "id": "CVE-2026-41843", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41843 affects version 5.3.39-tuxcare.9 of org.springframework:spring-tx." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:360e50af-2ba2-5d0f-8bb9-9864797c4667", "id": "CVE-2026-41844", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41844 affects version 5.3.39-tuxcare.9 of org.springframework:spring-tx." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:e5d5dea3-6a0d-52b7-97f9-25a75d777598", "id": "CVE-2026-41845", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41845 affects version 5.3.39-tuxcare.9 of org.springframework:spring-tx." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:854b5d65-62db-58dc-89ed-3c5e2ca9690c", "id": "CVE-2026-41846", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41846 affects version 5.3.39-tuxcare.9 of org.springframework:spring-tx." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:8f565de7-ab43-5388-8638-e5a8c6a4de11", "id": "CVE-2026-41847", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41847 affects version 5.3.39-tuxcare.9 of org.springframework:spring-tx." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:2312136f-f030-5872-9567-de8485856d3c", "id": "CVE-2026-41848", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41848 affects version 5.3.39-tuxcare.9 of org.springframework:spring-tx." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:ceb21018-a7b9-5242-9fdb-f27b85af333c", "id": "CVE-2026-41849", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41849 affects version 5.3.39-tuxcare.9 of org.springframework:spring-tx." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:abf56d0a-2f36-57c5-9a9f-088c62ffe2b3", "id": "CVE-2026-41850", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41850 affects version 5.3.39-tuxcare.9 of org.springframework:spring-tx." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:25e11b89-c5d0-55b3-975e-2be8c0152a3f", "id": "CVE-2026-41851", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41851 affects version 5.3.39-tuxcare.9 of org.springframework:spring-tx." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:9aed0022-8232-505c-aa05-0f422f991175", "id": "CVE-2026-41852", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41852 affects version 5.3.39-tuxcare.9 of org.springframework:spring-tx." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:978e72d7-f17b-52cd-8651-51262b5c80c3", "id": "CVE-2026-41853", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41853 affects version 5.3.39-tuxcare.9 of org.springframework:spring-tx." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:bc6578d2-8b23-53c3-a398-3345228004ab", "id": "CVE-2026-41855", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41855 affects version 5.3.39-tuxcare.9 of org.springframework:spring-tx." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-tx@5.3.39-tuxcare.9" } ] } ], "dependencies": [ { "ref": "pkg:maven/org.springframework/spring-tx@5.3.39-tuxcare.9" } ] }