{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:7e7c3115-ebcb-52b2-b8e1-315de3cd3cef", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:maven/org.springframework/spring-web@5.3.39.tuxcare.6", "type": "library", "group": "org.springframework", "name": "spring-web", "version": "5.3.39.tuxcare.6", "purl": "pkg:maven/org.springframework/spring-web@5.3.39.tuxcare.6" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:a5c1a53b-082e-576b-8f67-b80a74e94d5d", "id": "CVE-2016-1000027", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2016-1000027 affects version 5.3.39.tuxcare.6 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:4eab9ff1-7ac9-5e42-a30a-e21284259c8a", "id": "CVE-2022-22968", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2022-22968 does not affect version 5.3.39.tuxcare.6 of org.springframework:spring-web. Spring version 5.3.39 is not affected to CVE-2022-22968 as fix has been already already backported by the original developers" }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:b11b8295-d1ff-52d8-8da8-582ac58c9ab0", "id": "CVE-2024-38816", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38816 is fixed in version 5.3.39.tuxcare.6 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:cad2519c-a1ce-58a1-a4f5-d0e4971a53fb", "id": "CVE-2024-38819", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38819 is fixed in version 5.3.39.tuxcare.6 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:94340b6c-9282-50b1-93ad-a691c8548c43", "id": "CVE-2024-38820", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38820 is fixed in version 5.3.39.tuxcare.6 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:b35f49d1-2a0f-5272-a3c3-285e816d9106", "id": "CVE-2024-38828", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38828 is fixed in version 5.3.39.tuxcare.6 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:9e3e2cc8-c053-5303-8d3b-18792304123d", "id": "CVE-2025-22233", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-22233 is fixed in version 5.3.39.tuxcare.6 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:87591c21-08e1-51f8-bd85-fe496a4af7d8", "id": "CVE-2025-41234", "analysis": { "state": "false_positive", "detail": "Vulnerability CVE-2025-41234 is a false positive for org.springframework:spring-web 5.3.39.tuxcare.6." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:7783460e-3120-5704-834a-0ff53984852f", "id": "CVE-2025-41242", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41242 affects version 5.3.39.tuxcare.6 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:9b3dd0a2-3ea6-5809-ae09-68fa86df1e64", "id": "CVE-2025-41249", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41249 affects version 5.3.39.tuxcare.6 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:3e750d6e-b059-52c8-b1fd-669126e451c6", "id": "CVE-2025-41254", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41254 affects version 5.3.39.tuxcare.6 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:a221f998-f9c3-55a9-9f0e-e58de005536a", "id": "CVE-2026-22735", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22735 affects version 5.3.39.tuxcare.6 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:502e9c96-cb80-5ef3-b79e-41e5cbb1a916", "id": "CVE-2026-22737", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22737 affects version 5.3.39.tuxcare.6 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:2b8129d2-308b-58b7-a92a-5037623a47ac", "id": "CVE-2026-22740", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22740 affects version 5.3.39.tuxcare.6 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:9ef96459-9d33-54d8-aaea-0b155eab8593", "id": "CVE-2026-22741", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22741 affects version 5.3.39.tuxcare.6 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:f8524a1f-1266-544e-b598-26866e86d7b2", "id": "CVE-2026-22745", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22745 affects version 5.3.39.tuxcare.6 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:e59f4d8e-2c74-5fcf-87aa-81fc99881534", "id": "CVE-2026-41838", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41838 affects version 5.3.39.tuxcare.6 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:c4888eb8-67f6-5560-925a-ba3992dcb240", "id": "CVE-2026-41839", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41839 affects version 5.3.39.tuxcare.6 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:a8417e33-d219-532a-ba40-986592bec2cd", "id": "CVE-2026-41840", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41840 does not affect version 5.3.39.tuxcare.6 of org.springframework:spring-web. already_fixed \u2014 The target Spring Framework 5.3.39-tuxcare.12 already contains both vendor fixes for CVE-2026-41840. The fixes were backported via commit 4ef4cdca34 (May 13, 2026) under CVE-2026-22740, but the code changes are identical to the upstream patches. Both doOnDiscard handlers are present and active in PartGenerator.java and MultipartHttpMessageReader.java, preventing memory exhaustion from unrelease..." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:100191fd-f4de-5f5c-941e-eb284a48a943", "id": "CVE-2026-41841", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41841 affects version 5.3.39.tuxcare.6 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:cba02cb0-c8e2-5c1e-8064-2ad02f38886f", "id": "CVE-2026-41842", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41842 affects version 5.3.39.tuxcare.6 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:ace7edbe-3c4d-5d35-a944-38482c95516b", "id": "CVE-2026-41843", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41843 affects version 5.3.39.tuxcare.6 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:7a7a0cc8-77f6-5d3f-bba0-86d1efa1e39a", "id": "CVE-2026-41844", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41844 affects version 5.3.39.tuxcare.6 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:f0f6c526-b408-5f2e-8014-6c0150262613", "id": "CVE-2026-41845", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41845 affects version 5.3.39.tuxcare.6 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:97314729-c54a-558e-a171-9767077c1c69", "id": "CVE-2026-41846", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41846 affects version 5.3.39.tuxcare.6 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:e16c3fba-95dd-58cd-b459-a1be4c583dbe", "id": "CVE-2026-41847", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41847 affects version 5.3.39.tuxcare.6 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:61ac6f39-e102-5b3b-884f-adb63b4a4699", "id": "CVE-2026-41848", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41848 affects version 5.3.39.tuxcare.6 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:79eeeac6-11b6-514b-97b6-b1d2fbd50859", "id": "CVE-2026-41849", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41849 affects version 5.3.39.tuxcare.6 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:0478fbf1-3a52-569f-9837-1cc5ad59a999", "id": "CVE-2026-41850", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41850 affects version 5.3.39.tuxcare.6 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:d904d4ad-d9b7-5a60-b897-d468901f7eb6", "id": "CVE-2026-41851", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41851 affects version 5.3.39.tuxcare.6 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:153ff3f2-bdc9-5dc1-9559-ad345d87aee6", "id": "CVE-2026-41852", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41852 affects version 5.3.39.tuxcare.6 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:c3e5dea8-90cc-5ec6-8305-56d4861ecb2f", "id": "CVE-2026-41853", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41853 affects version 5.3.39.tuxcare.6 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:91d0fedd-37f0-5dc5-abec-bf7bf53058d8", "id": "CVE-2026-41855", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41855 affects version 5.3.39.tuxcare.6 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39.tuxcare.6" } ] } ], "dependencies": [ { "ref": "pkg:maven/org.springframework/spring-web@5.3.39.tuxcare.6" } ] }