{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:5022b7ec-5d3d-5090-9ca5-324947c34939", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:maven/org.springframework/spring-web@5.3.39-tuxcare.12", "type": "library", "group": "org.springframework", "name": "spring-web", "version": "5.3.39-tuxcare.12", "purl": "pkg:maven/org.springframework/spring-web@5.3.39-tuxcare.12" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:df445485-ca25-5504-a378-7fcf37cbe800", "id": "CVE-2016-1000027", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2016-1000027 affects version 5.3.39-tuxcare.12 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39-tuxcare.12" } ] }, { "bom-ref": "urn:uuid:e77c1ff7-b160-581c-8ae8-665c4057ea3b", "id": "CVE-2022-22968", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2022-22968 does not affect version 5.3.39-tuxcare.12 of org.springframework:spring-web. Spring version 5.3.39 is not affected to CVE-2022-22968 as fix has been already already backported by the original developers" }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39-tuxcare.12" } ] }, { "bom-ref": "urn:uuid:82f80cab-b9c9-58e8-9203-78a63d1d74b2", "id": "CVE-2024-38816", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38816 is fixed in version 5.3.39-tuxcare.12 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39-tuxcare.12" } ] }, { "bom-ref": "urn:uuid:fce19c9a-a23d-5c9a-8d07-4818dcb37340", "id": "CVE-2024-38819", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38819 is fixed in version 5.3.39-tuxcare.12 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39-tuxcare.12" } ] }, { "bom-ref": "urn:uuid:40e3059c-396a-5e33-9827-a15a7d74c941", "id": "CVE-2024-38820", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38820 is fixed in version 5.3.39-tuxcare.12 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39-tuxcare.12" } ] }, { "bom-ref": "urn:uuid:7752d44f-f502-5e60-8b35-b6943c92b53b", "id": "CVE-2024-38828", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38828 is fixed in version 5.3.39-tuxcare.12 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39-tuxcare.12" } ] }, { "bom-ref": "urn:uuid:059f970a-e808-55c7-b3c5-627c2ef2b5db", "id": "CVE-2025-22233", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-22233 is fixed in version 5.3.39-tuxcare.12 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39-tuxcare.12" } ] }, { "bom-ref": "urn:uuid:fc52f552-bee1-514d-b003-4a31915fc2ef", "id": "CVE-2025-41234", "analysis": { "state": "false_positive", "detail": "Vulnerability CVE-2025-41234 is a false positive for org.springframework:spring-web 5.3.39-tuxcare.12." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39-tuxcare.12" } ] }, { "bom-ref": "urn:uuid:82eb34a9-2726-5e44-99ab-0026a64215f8", "id": "CVE-2025-41242", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-41242 is fixed in version 5.3.39-tuxcare.12 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39-tuxcare.12" } ] }, { "bom-ref": "urn:uuid:c16590eb-e436-5c33-b851-972b685a1c4b", "id": "CVE-2025-41249", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-41249 is fixed in version 5.3.39-tuxcare.12 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39-tuxcare.12" } ] }, { "bom-ref": "urn:uuid:19d56ec7-6626-50d4-8aed-8770da36b203", "id": "CVE-2025-41254", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-41254 is fixed in version 5.3.39-tuxcare.12 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39-tuxcare.12" } ] }, { "bom-ref": "urn:uuid:80c5612f-86d1-5499-9aa8-d7c134904ea2", "id": "CVE-2026-22735", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22735 is fixed in version 5.3.39-tuxcare.12 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39-tuxcare.12" } ] }, { "bom-ref": "urn:uuid:c1eef766-44e0-5d13-8fb6-4f26396aea94", "id": "CVE-2026-22737", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22737 is fixed in version 5.3.39-tuxcare.12 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39-tuxcare.12" } ] }, { "bom-ref": "urn:uuid:a8770609-5c08-5f9a-83c2-196e73a40e9d", "id": "CVE-2026-22740", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22740 is fixed in version 5.3.39-tuxcare.12 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39-tuxcare.12" } ] }, { "bom-ref": "urn:uuid:f6ea21bc-4917-5b6b-8a35-8d187c17655b", "id": "CVE-2026-22741", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22741 is fixed in version 5.3.39-tuxcare.12 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39-tuxcare.12" } ] }, { "bom-ref": "urn:uuid:c43c340c-3653-529f-a8d2-58ea2e2869de", "id": "CVE-2026-22745", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22745 is fixed in version 5.3.39-tuxcare.12 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39-tuxcare.12" } ] }, { "bom-ref": "urn:uuid:80e46336-5bef-5035-962d-981f0c2510dc", "id": "CVE-2026-41838", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41838 affects version 5.3.39-tuxcare.12 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39-tuxcare.12" } ] }, { "bom-ref": "urn:uuid:faa06e69-5dc3-579e-ba48-f9b7d7fc0a7c", "id": "CVE-2026-41839", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41839 affects version 5.3.39-tuxcare.12 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39-tuxcare.12" } ] }, { "bom-ref": "urn:uuid:9e8cbfb4-75b6-5e43-987e-9137604e4682", "id": "CVE-2026-41840", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41840 does not affect version 5.3.39-tuxcare.12 of org.springframework:spring-web. already_fixed \u2014 The target Spring Framework 5.3.39-tuxcare.12 already contains both vendor fixes for CVE-2026-41840. The fixes were backported via commit 4ef4cdca34 (May 13, 2026) under CVE-2026-22740, but the code changes are identical to the upstream patches. Both doOnDiscard handlers are present and active in PartGenerator.java and MultipartHttpMessageReader.java, preventing memory exhaustion from unrelease..." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39-tuxcare.12" } ] }, { "bom-ref": "urn:uuid:226b2a87-0ab7-5bb7-bbd5-b1a6fa3ef9b8", "id": "CVE-2026-41841", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41841 affects version 5.3.39-tuxcare.12 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39-tuxcare.12" } ] }, { "bom-ref": "urn:uuid:de4e3d66-5388-5685-a645-5b49e7457170", "id": "CVE-2026-41842", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41842 affects version 5.3.39-tuxcare.12 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39-tuxcare.12" } ] }, { "bom-ref": "urn:uuid:ca2f1918-c394-5ccd-883d-6025d4d1d19b", "id": "CVE-2026-41843", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41843 affects version 5.3.39-tuxcare.12 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39-tuxcare.12" } ] }, { "bom-ref": "urn:uuid:9d9b0622-0e71-556e-806f-e1d06eae5242", "id": "CVE-2026-41844", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41844 affects version 5.3.39-tuxcare.12 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39-tuxcare.12" } ] }, { "bom-ref": "urn:uuid:bacc17aa-3b63-5d23-a75f-89aeeaab2a21", "id": "CVE-2026-41845", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41845 affects version 5.3.39-tuxcare.12 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39-tuxcare.12" } ] }, { "bom-ref": "urn:uuid:d0bbae24-be0c-5395-92a6-8638b6875199", "id": "CVE-2026-41846", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41846 affects version 5.3.39-tuxcare.12 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39-tuxcare.12" } ] }, { "bom-ref": "urn:uuid:ebf78cce-adb1-5b41-8b42-778001614050", "id": "CVE-2026-41847", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41847 affects version 5.3.39-tuxcare.12 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39-tuxcare.12" } ] }, { "bom-ref": "urn:uuid:91106f4e-022f-58cd-ad1d-c98e060c3c9c", "id": "CVE-2026-41848", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41848 affects version 5.3.39-tuxcare.12 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39-tuxcare.12" } ] }, { "bom-ref": "urn:uuid:b60e5976-021c-5ac9-9283-14ba527a9c5e", "id": "CVE-2026-41849", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41849 affects version 5.3.39-tuxcare.12 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39-tuxcare.12" } ] }, { "bom-ref": "urn:uuid:4d4d0027-423b-564c-b141-1b7d584816cf", "id": "CVE-2026-41850", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41850 affects version 5.3.39-tuxcare.12 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39-tuxcare.12" } ] }, { "bom-ref": "urn:uuid:103dd90d-abde-5ee0-ba46-c7df005f8bef", "id": "CVE-2026-41851", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41851 affects version 5.3.39-tuxcare.12 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39-tuxcare.12" } ] }, { "bom-ref": "urn:uuid:cf6909c3-bcec-5aeb-b7f5-90ba9ece5d72", "id": "CVE-2026-41852", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41852 affects version 5.3.39-tuxcare.12 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39-tuxcare.12" } ] }, { "bom-ref": "urn:uuid:50ee1b1d-b35f-57d6-a191-18bd049fa21d", "id": "CVE-2026-41853", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41853 affects version 5.3.39-tuxcare.12 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39-tuxcare.12" } ] }, { "bom-ref": "urn:uuid:457cfce5-ef42-5815-abe1-7e1895174fda", "id": "CVE-2026-41855", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41855 affects version 5.3.39-tuxcare.12 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39-tuxcare.12" } ] } ], "dependencies": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39-tuxcare.12" } ] }