{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:f82dde60-db18-5172-a1bb-136b4951ff20", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:maven/org.springframework/spring-web@5.3.39.tuxcare.3", "type": "library", "group": "org.springframework", "name": "spring-web", "version": "5.3.39.tuxcare.3", "purl": "pkg:maven/org.springframework/spring-web@5.3.39.tuxcare.3" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:357784a0-1447-54c0-a58a-fdfc4385301b", "id": "CVE-2016-1000027", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2016-1000027 affects version 5.3.39.tuxcare.3 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:ea814497-c8df-5c29-991b-88a08c83dce7", "id": "CVE-2022-22968", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2022-22968 does not affect version 5.3.39.tuxcare.3 of org.springframework:spring-web. Spring version 5.3.39 is not affected to CVE-2022-22968 as fix has been already already backported by the original developers" }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:0cef86c6-d8e9-5379-a109-31496e760a29", "id": "CVE-2024-38816", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38816 is fixed in version 5.3.39.tuxcare.3 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:a393fecb-9f8d-5b69-9c15-0bac9a611999", "id": "CVE-2024-38819", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38819 is fixed in version 5.3.39.tuxcare.3 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:dcc800cb-4889-52ce-9c5a-2af3ff99371d", "id": "CVE-2024-38820", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38820 affects version 5.3.39.tuxcare.3 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:ee6dcb47-513e-5e76-a612-64f469a16bc3", "id": "CVE-2024-38828", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38828 affects version 5.3.39.tuxcare.3 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:847e1bd7-07d7-54bc-aad1-9102d5314f32", "id": "CVE-2025-22233", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-22233 affects version 5.3.39.tuxcare.3 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:94f281dc-f6c5-51ca-8a40-0f102a41e909", "id": "CVE-2025-41234", "analysis": { "state": "false_positive", "detail": "Vulnerability CVE-2025-41234 is a false positive for org.springframework:spring-web 5.3.39.tuxcare.3." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:21d0c944-1997-5802-9720-0a508bc4c431", "id": "CVE-2025-41242", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41242 affects version 5.3.39.tuxcare.3 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:41a485fd-0cec-52f3-b5ba-a7ae5954fedf", "id": "CVE-2025-41249", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41249 affects version 5.3.39.tuxcare.3 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:fcb0396b-6649-5d83-bb5a-fd9812c8dcca", "id": "CVE-2025-41254", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41254 affects version 5.3.39.tuxcare.3 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:c5a1493b-5b3a-5b29-bf9a-4d06b90eef60", "id": "CVE-2026-22735", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22735 affects version 5.3.39.tuxcare.3 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:871e5aef-b40b-59e0-b612-603ab2c1f18a", "id": "CVE-2026-22737", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22737 affects version 5.3.39.tuxcare.3 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:9dc2348e-ce38-5f53-9119-7aaa311eee25", "id": "CVE-2026-22740", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22740 affects version 5.3.39.tuxcare.3 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:2b33d4e2-0dec-5b5c-ad13-0c1d30c80919", "id": "CVE-2026-22741", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22741 affects version 5.3.39.tuxcare.3 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:b74387cf-45a5-5c22-a5c0-4b2caafb72e1", "id": "CVE-2026-22745", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22745 affects version 5.3.39.tuxcare.3 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:2cc26ff4-2f67-5d98-addb-167929250a77", "id": "CVE-2026-41838", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41838 affects version 5.3.39.tuxcare.3 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:24be018f-34ae-5dbc-af13-879653150be0", "id": "CVE-2026-41839", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41839 affects version 5.3.39.tuxcare.3 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:b6d1e258-c572-5993-b7a0-ea5b7fbdd6a0", "id": "CVE-2026-41840", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41840 does not affect version 5.3.39.tuxcare.3 of org.springframework:spring-web. already_fixed \u2014 The target Spring Framework 5.3.39-tuxcare.12 already contains both vendor fixes for CVE-2026-41840. The fixes were backported via commit 4ef4cdca34 (May 13, 2026) under CVE-2026-22740, but the code changes are identical to the upstream patches. Both doOnDiscard handlers are present and active in PartGenerator.java and MultipartHttpMessageReader.java, preventing memory exhaustion from unrelease..." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:43cb70f5-ddd6-598c-8b81-fba329147657", "id": "CVE-2026-41841", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41841 affects version 5.3.39.tuxcare.3 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:5de1d2f7-6769-5e08-95e4-5767e60356f2", "id": "CVE-2026-41842", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41842 affects version 5.3.39.tuxcare.3 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:f979edcc-6151-5b48-96f6-aa6e548d7e9d", "id": "CVE-2026-41843", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41843 affects version 5.3.39.tuxcare.3 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:4f61fc65-d2fd-5838-930f-45d3600ee020", "id": "CVE-2026-41844", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41844 affects version 5.3.39.tuxcare.3 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:8fff82aa-47c3-57cc-bfcc-35b1113dbadf", "id": "CVE-2026-41845", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41845 affects version 5.3.39.tuxcare.3 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:e9388871-0d78-5ade-be8f-cf1e42e99a1b", "id": "CVE-2026-41846", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41846 affects version 5.3.39.tuxcare.3 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:240780c2-85d9-5d73-b360-786aa39a3585", "id": "CVE-2026-41847", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41847 affects version 5.3.39.tuxcare.3 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:03aaa4c4-19aa-5678-91e8-ff27f1bd026c", "id": "CVE-2026-41848", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41848 affects version 5.3.39.tuxcare.3 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:2e05944d-1774-58fb-946b-86bca0a45b0b", "id": "CVE-2026-41849", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41849 affects version 5.3.39.tuxcare.3 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:96b906bf-b298-5a50-9628-94601888ce53", "id": "CVE-2026-41850", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41850 affects version 5.3.39.tuxcare.3 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:3b12a571-2b69-51f4-b9ba-176025586240", "id": "CVE-2026-41851", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41851 affects version 5.3.39.tuxcare.3 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:5be6654d-cc1a-5c7a-8988-79554a713369", "id": "CVE-2026-41852", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41852 affects version 5.3.39.tuxcare.3 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:bbb7ae0c-0d7d-5889-8767-5211ef085dbb", "id": "CVE-2026-41853", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41853 affects version 5.3.39.tuxcare.3 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:0d5f6dce-f6b4-5a84-8bfe-13005eeebf48", "id": "CVE-2026-41855", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41855 affects version 5.3.39.tuxcare.3 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39.tuxcare.3" } ] } ], "dependencies": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39.tuxcare.3" } ] }