{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:9992d99e-776e-5338-acba-3243e02bd6bd", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:maven/org.springframework/spring-web@6.1.20-tuxcare.4", "type": "library", "group": "org.springframework", "name": "spring-web", "version": "6.1.20-tuxcare.4", "purl": "pkg:maven/org.springframework/spring-web@6.1.20-tuxcare.4" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:2af0050b-e58f-5260-a633-d5fbfd314cd7", "id": "CVE-2025-22233", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-22233 affects version 6.1.20-tuxcare.4 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@6.1.20-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:58b5ac0e-16bd-5563-9b36-d1ba236eaecb", "id": "CVE-2025-41234", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-41234 is fixed in version 6.1.20-tuxcare.4 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@6.1.20-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:c5f3714b-4751-5e17-bc26-e15b60332288", "id": "CVE-2025-41242", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41242 affects version 6.1.20-tuxcare.4 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@6.1.20-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:83e13392-3fbd-5fa5-a2e3-1b094926d322", "id": "CVE-2025-41249", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41249 affects version 6.1.20-tuxcare.4 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@6.1.20-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:4ac58d23-1eee-5ef1-8e95-3cb3e6242cf3", "id": "CVE-2025-41254", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41254 affects version 6.1.20-tuxcare.4 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@6.1.20-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:c65f1cc9-e91b-5888-be46-c854c796c98c", "id": "CVE-2026-22735", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22735 is fixed in version 6.1.20-tuxcare.4 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@6.1.20-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:be1219ea-ae3c-5b1e-9ae8-ba25df13086f", "id": "CVE-2026-22737", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22737 is fixed in version 6.1.20-tuxcare.4 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@6.1.20-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:7565c8fa-f2f3-5e63-ab61-b8337cee2a9a", "id": "CVE-2026-22740", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22740 is fixed in version 6.1.20-tuxcare.4 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@6.1.20-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:d240abff-feea-5fa6-b6ed-874cbcdec05e", "id": "CVE-2026-22741", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22741 is fixed in version 6.1.20-tuxcare.4 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@6.1.20-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:ec06e95b-06c0-58a1-ace5-a1c973fe3039", "id": "CVE-2026-22745", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22745 is fixed in version 6.1.20-tuxcare.4 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@6.1.20-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:c7e69cac-17e7-5207-89c1-ffbaec4be4e8", "id": "CVE-2026-41838", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41838 affects version 6.1.20-tuxcare.4 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@6.1.20-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:e1f8ef2b-34ae-50a7-81a9-6ed5d4e37094", "id": "CVE-2026-41839", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41839 affects version 6.1.20-tuxcare.4 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@6.1.20-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:3f1b2c58-6f33-5a37-9166-af15d3946aa0", "id": "CVE-2026-41840", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41840 does not affect version 6.1.20-tuxcare.4 of org.springframework:spring-web. already_fixed \u2014 Spring Framework 6.1.20-tuxcare.4 already contains both doOnDiscard handlers that prevent the multipart memory leak vulnerability. The fixes were applied via TuxCare backport commit a6b78f2a1c on May 19, 2026 under CVE-2026-22740, which appears to be the same or closely related vulnerability as CVE-2026-41840." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@6.1.20-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:ab8ff92f-1b2d-50a6-b841-704aa4ea17ca", "id": "CVE-2026-41841", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41841 affects version 6.1.20-tuxcare.4 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@6.1.20-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:1b1df16f-d917-50f3-add4-9caab7c8f99b", "id": "CVE-2026-41842", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41842 affects version 6.1.20-tuxcare.4 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@6.1.20-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:b1551349-effe-5e5c-959b-601241f0a3ea", "id": "CVE-2026-41843", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41843 affects version 6.1.20-tuxcare.4 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@6.1.20-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:5175714d-dc3b-5143-b5e7-defab9c14b53", "id": "CVE-2026-41844", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41844 affects version 6.1.20-tuxcare.4 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@6.1.20-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:f8f4cd4e-9c69-5e0a-a597-4bb96fd15675", "id": "CVE-2026-41845", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41845 affects version 6.1.20-tuxcare.4 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@6.1.20-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:843f4eff-72f5-5278-a8b1-2563c4856edc", "id": "CVE-2026-41846", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41846 affects version 6.1.20-tuxcare.4 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@6.1.20-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:59e6c4b9-8acb-5b35-b789-0df790e8f8c6", "id": "CVE-2026-41848", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41848 affects version 6.1.20-tuxcare.4 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@6.1.20-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:481d321e-fae1-558d-8cf2-2f898e76f5ca", "id": "CVE-2026-41850", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41850 affects version 6.1.20-tuxcare.4 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@6.1.20-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:c009acef-c03d-57e6-bc08-5d5788500a83", "id": "CVE-2026-41851", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41851 affects version 6.1.20-tuxcare.4 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@6.1.20-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:1d8b4d7a-2e04-582d-bec8-41a2a8bfde2a", "id": "CVE-2026-41852", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41852 affects version 6.1.20-tuxcare.4 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@6.1.20-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:7e35f365-05a7-53ea-bc53-c788f0e2aa87", "id": "CVE-2026-41853", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41853 affects version 6.1.20-tuxcare.4 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@6.1.20-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:7400878f-b799-5e06-a6a5-1d694274663d", "id": "CVE-2026-41855", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41855 affects version 6.1.20-tuxcare.4 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@6.1.20-tuxcare.4" } ] } ], "dependencies": [ { "ref": "pkg:maven/org.springframework/spring-web@6.1.20-tuxcare.4" } ] }