{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:758cdd24-a878-5bf1-bfa8-3d84ab6999cb", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:maven/org.springframework/spring-web@5.3.39-tuxcare.8", "type": "library", "group": "org.springframework", "name": "spring-web", "version": "5.3.39-tuxcare.8", "purl": "pkg:maven/org.springframework/spring-web@5.3.39-tuxcare.8" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:dfa050e1-99da-58e4-b26c-8dc6dfa8fbb9", "id": "CVE-2016-1000027", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2016-1000027 affects version 5.3.39-tuxcare.8 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:d75dda6b-ef65-543b-8a46-03f4864076cb", "id": "CVE-2022-22968", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2022-22968 does not affect version 5.3.39-tuxcare.8 of org.springframework:spring-web. Spring version 5.3.39 is not affected to CVE-2022-22968 as fix has been already already backported by the original developers" }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:b21c073e-36dc-58ae-9d72-641e167fa5d6", "id": "CVE-2024-38816", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38816 is fixed in version 5.3.39-tuxcare.8 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:1eb47a8e-f468-5ada-ac45-042a7fae1f34", "id": "CVE-2024-38819", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38819 is fixed in version 5.3.39-tuxcare.8 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:7f5a0982-0fa4-5d0b-a4c2-8056c88e7ea1", "id": "CVE-2024-38820", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38820 is fixed in version 5.3.39-tuxcare.8 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:35489b00-cead-546d-b934-bbc1e85121ac", "id": "CVE-2024-38828", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38828 is fixed in version 5.3.39-tuxcare.8 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:8c7f1017-4616-53b6-ad34-62f8099761e9", "id": "CVE-2025-22233", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-22233 is fixed in version 5.3.39-tuxcare.8 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:e8274e19-8e06-526c-afd5-4bb8eaf17108", "id": "CVE-2025-41234", "analysis": { "state": "false_positive", "detail": "Vulnerability CVE-2025-41234 is a false positive for org.springframework:spring-web 5.3.39-tuxcare.8." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:0dc4aad5-e5b1-5500-be85-095f31265bc9", "id": "CVE-2025-41242", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-41242 is fixed in version 5.3.39-tuxcare.8 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:0cca33ca-264c-5b65-a974-785afa0a118c", "id": "CVE-2025-41249", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-41249 is fixed in version 5.3.39-tuxcare.8 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:3bf899a5-9ba1-5813-8ec6-55dee50fefdb", "id": "CVE-2025-41254", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41254 affects version 5.3.39-tuxcare.8 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:42eb21c5-11ad-5c23-821b-c100e9c4856b", "id": "CVE-2026-22735", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22735 affects version 5.3.39-tuxcare.8 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:91c8b0e7-0c62-5b5c-9685-b844475b60d8", "id": "CVE-2026-22737", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22737 affects version 5.3.39-tuxcare.8 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:b9fc7e53-cc9a-5e4f-b919-a90587a06dad", "id": "CVE-2026-22740", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22740 affects version 5.3.39-tuxcare.8 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:f4e3c082-1cca-5b6b-9bdb-4981c983a90d", "id": "CVE-2026-22741", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22741 affects version 5.3.39-tuxcare.8 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:655f576e-ad65-540f-ae68-d72133fa8fba", "id": "CVE-2026-22745", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22745 affects version 5.3.39-tuxcare.8 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:34d706ac-3ab2-5f45-aaa1-77370200484e", "id": "CVE-2026-41838", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41838 affects version 5.3.39-tuxcare.8 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:dd8011fc-a8ec-5067-bdf8-82b51b1f10d0", "id": "CVE-2026-41839", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41839 affects version 5.3.39-tuxcare.8 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:555afef3-01cd-5434-b2a3-dceaf71c260a", "id": "CVE-2026-41840", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41840 does not affect version 5.3.39-tuxcare.8 of org.springframework:spring-web. already_fixed \u2014 The target Spring Framework 5.3.39-tuxcare.12 already contains both vendor fixes for CVE-2026-41840. The fixes were backported via commit 4ef4cdca34 (May 13, 2026) under CVE-2026-22740, but the code changes are identical to the upstream patches. Both doOnDiscard handlers are present and active in PartGenerator.java and MultipartHttpMessageReader.java, preventing memory exhaustion from unrelease..." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:aee96d4a-a540-5df0-b9c2-4c2d82d0d227", "id": "CVE-2026-41841", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41841 affects version 5.3.39-tuxcare.8 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:11b321c0-2dd1-53fc-9229-8382937c1b7d", "id": "CVE-2026-41842", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41842 affects version 5.3.39-tuxcare.8 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:8e018172-9e60-514b-bc81-58b37dfda6f3", "id": "CVE-2026-41843", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41843 affects version 5.3.39-tuxcare.8 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:815b4454-921f-5dc2-a9c4-bc2207555451", "id": "CVE-2026-41844", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41844 affects version 5.3.39-tuxcare.8 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:abe8d62c-e439-5513-b407-830b7c2edff7", "id": "CVE-2026-41845", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41845 affects version 5.3.39-tuxcare.8 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:625e01c0-8afd-5af0-92bb-7a756f79f47c", "id": "CVE-2026-41846", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41846 affects version 5.3.39-tuxcare.8 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:ba193751-6201-597d-8b56-5f6787a0364e", "id": "CVE-2026-41847", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41847 affects version 5.3.39-tuxcare.8 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:538f4ef2-534b-5eb6-bb14-8b1c7d061136", "id": "CVE-2026-41848", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41848 affects version 5.3.39-tuxcare.8 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:4c704bd1-65c6-54a6-baa6-4bda2f760b8f", "id": "CVE-2026-41849", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41849 affects version 5.3.39-tuxcare.8 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:849032c4-4ad1-50fb-8821-a2a92873bbf9", "id": "CVE-2026-41850", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41850 affects version 5.3.39-tuxcare.8 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:2fe368e8-cd0b-5b05-8633-0b126711ad83", "id": "CVE-2026-41851", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41851 affects version 5.3.39-tuxcare.8 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:72d1b23d-90fa-5c24-93ad-020769e92889", "id": "CVE-2026-41852", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41852 affects version 5.3.39-tuxcare.8 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:40377bcc-3200-57ea-80d2-5ab69ab07a41", "id": "CVE-2026-41853", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41853 affects version 5.3.39-tuxcare.8 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39-tuxcare.8" } ] }, { "bom-ref": "urn:uuid:9e687283-3b78-52a9-83ef-e250f66e957a", "id": "CVE-2026-41855", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41855 affects version 5.3.39-tuxcare.8 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39-tuxcare.8" } ] } ], "dependencies": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39-tuxcare.8" } ] }