{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:ea624ffa-ce27-5ec1-8fdf-ad38fc149b0a", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:maven/org.springframework/spring-web@5.3.39.tuxcare.4", "type": "library", "group": "org.springframework", "name": "spring-web", "version": "5.3.39.tuxcare.4", "purl": "pkg:maven/org.springframework/spring-web@5.3.39.tuxcare.4" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:d66e3f63-5aec-5757-a9e3-2c54830608c9", "id": "CVE-2016-1000027", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2016-1000027 affects version 5.3.39.tuxcare.4 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:845d301a-4b14-52c2-8118-b1fdffac0cbc", "id": "CVE-2022-22968", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2022-22968 does not affect version 5.3.39.tuxcare.4 of org.springframework:spring-web. Spring version 5.3.39 is not affected to CVE-2022-22968 as fix has been already already backported by the original developers" }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:ce4a09b5-a57b-5a5f-bde4-a68431f7dec6", "id": "CVE-2024-38816", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38816 is fixed in version 5.3.39.tuxcare.4 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:1f98fb6f-b521-5dc3-8da3-4ecd4370cafd", "id": "CVE-2024-38819", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38819 is fixed in version 5.3.39.tuxcare.4 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:55e7bd45-b815-5bc7-a0a1-097943ac17ad", "id": "CVE-2024-38820", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38820 affects version 5.3.39.tuxcare.4 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:365f30d7-a5e6-5bab-a731-e65c0dcfaf36", "id": "CVE-2024-38828", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38828 is fixed in version 5.3.39.tuxcare.4 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:211c249d-842b-55ff-9778-bef2264edaad", "id": "CVE-2025-22233", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-22233 affects version 5.3.39.tuxcare.4 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:aa848fec-0532-5689-84cf-e215ee30066f", "id": "CVE-2025-41234", "analysis": { "state": "false_positive", "detail": "Vulnerability CVE-2025-41234 is a false positive for org.springframework:spring-web 5.3.39.tuxcare.4." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:92a9d3b1-bdac-5500-9be7-a79ce019c17d", "id": "CVE-2025-41242", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41242 affects version 5.3.39.tuxcare.4 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:b0e59286-a721-5ce1-97a4-8018f86f1905", "id": "CVE-2025-41249", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41249 affects version 5.3.39.tuxcare.4 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:cce12e54-fb96-5820-92a2-5de25c34aabe", "id": "CVE-2025-41254", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41254 affects version 5.3.39.tuxcare.4 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:aa65f0b7-965f-5a71-9f20-900763b2a537", "id": "CVE-2026-22735", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22735 affects version 5.3.39.tuxcare.4 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:bbc6dc81-be36-542f-885c-a3a8557a679e", "id": "CVE-2026-22737", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22737 affects version 5.3.39.tuxcare.4 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:6fee24e7-b8e9-5a9d-bfd7-dd197fa01119", "id": "CVE-2026-22740", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22740 affects version 5.3.39.tuxcare.4 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:3ffe468a-63fa-5ece-a49f-3f5fb7f82c88", "id": "CVE-2026-22741", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22741 affects version 5.3.39.tuxcare.4 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:62156e59-c180-59e8-89d2-765a7cfab2f1", "id": "CVE-2026-22745", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22745 affects version 5.3.39.tuxcare.4 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:0c9ebcc6-5945-5c29-9a5b-f63c19409a86", "id": "CVE-2026-41838", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41838 affects version 5.3.39.tuxcare.4 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:06f65553-ea52-5410-be6f-a89efa86a3a4", "id": "CVE-2026-41839", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41839 affects version 5.3.39.tuxcare.4 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:5ebf5aba-4629-508a-b371-6e3acd0f3869", "id": "CVE-2026-41840", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41840 does not affect version 5.3.39.tuxcare.4 of org.springframework:spring-web. already_fixed \u2014 The target Spring Framework 5.3.39-tuxcare.12 already contains both vendor fixes for CVE-2026-41840. The fixes were backported via commit 4ef4cdca34 (May 13, 2026) under CVE-2026-22740, but the code changes are identical to the upstream patches. Both doOnDiscard handlers are present and active in PartGenerator.java and MultipartHttpMessageReader.java, preventing memory exhaustion from unrelease..." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:9692fa5c-3376-5329-b43e-b755658a25c1", "id": "CVE-2026-41841", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41841 affects version 5.3.39.tuxcare.4 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:3608da61-e3fb-5984-8732-c3907bfe4c01", "id": "CVE-2026-41842", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41842 affects version 5.3.39.tuxcare.4 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:f5f4efbf-a83c-5514-be77-2d463999ff37", "id": "CVE-2026-41843", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41843 affects version 5.3.39.tuxcare.4 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:952edf0b-cbe9-596e-b0e3-bc948de01618", "id": "CVE-2026-41844", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41844 affects version 5.3.39.tuxcare.4 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:42766689-9792-56d2-a4b8-9bc21ecf9eaf", "id": "CVE-2026-41845", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41845 affects version 5.3.39.tuxcare.4 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:11bc03f7-2b9a-5c1b-b3a7-0155eba90d84", "id": "CVE-2026-41846", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41846 affects version 5.3.39.tuxcare.4 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:45d718aa-a427-551d-b305-65a9bc9d9c50", "id": "CVE-2026-41847", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41847 affects version 5.3.39.tuxcare.4 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:3c997e55-3c74-5555-a3ce-0fb7e761c6ab", "id": "CVE-2026-41848", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41848 affects version 5.3.39.tuxcare.4 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:f98d55e1-94f1-5a9b-9b8a-9618e4021b19", "id": "CVE-2026-41849", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41849 affects version 5.3.39.tuxcare.4 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:dc878731-8c79-5029-8a51-557f0bf8e945", "id": "CVE-2026-41850", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41850 affects version 5.3.39.tuxcare.4 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:a50a005b-69db-5c3e-a03f-3f14b2989f1b", "id": "CVE-2026-41851", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41851 affects version 5.3.39.tuxcare.4 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:9595a546-b7c6-5324-9911-df9ba7c6ccc4", "id": "CVE-2026-41852", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41852 affects version 5.3.39.tuxcare.4 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:5ade16cc-8015-5fc9-9d9a-012ef17de124", "id": "CVE-2026-41853", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41853 affects version 5.3.39.tuxcare.4 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:25bb7cd8-e9f8-5971-b1b8-e8443da4be58", "id": "CVE-2026-41855", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41855 affects version 5.3.39.tuxcare.4 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39.tuxcare.4" } ] } ], "dependencies": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39.tuxcare.4" } ] }