{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:05f949b5-17d9-5ac4-9241-36b6888b5827", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:maven/org.springframework/spring-webflux@5.3.27.tuxcare.1", "type": "library", "group": "org.springframework", "name": "spring-webflux", "version": "5.3.27.tuxcare.1", "purl": "pkg:maven/org.springframework/spring-webflux@5.3.27.tuxcare.1" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:b68180f1-db8f-557b-bc17-55e5bd56165a", "id": "CVE-2016-1000027", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2016-1000027 affects version 5.3.27.tuxcare.1 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@5.3.27.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:9c1427e3-b1aa-5131-8c97-831b49a3efe4", "id": "CVE-2024-22243", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-22243 is fixed in version 5.3.27.tuxcare.1 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@5.3.27.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:f6f6112f-aa76-551c-9889-3bc932a9f771", "id": "CVE-2024-22259", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-22259 is fixed in version 5.3.27.tuxcare.1 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@5.3.27.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:24691ecd-9f3e-59e6-9985-2696ca462fd0", "id": "CVE-2024-22262", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-22262 affects version 5.3.27.tuxcare.1 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@5.3.27.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:1ce78103-57cb-5804-af17-b54ddbc9315b", "id": "CVE-2024-38808", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38808 is fixed in version 5.3.27.tuxcare.1 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@5.3.27.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:21f81bc5-047a-5d6e-a17b-621edf934048", "id": "CVE-2024-38809", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38809 is fixed in version 5.3.27.tuxcare.1 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@5.3.27.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:0e6ab264-ee60-559d-8917-9bef14eb5a77", "id": "CVE-2024-38816", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38816 affects version 5.3.27.tuxcare.1 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@5.3.27.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:6a2cfc0e-8fa8-5bc5-8b44-d4e1d7b32377", "id": "CVE-2024-38819", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38819 affects version 5.3.27.tuxcare.1 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@5.3.27.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:d8744d1f-c14d-5028-98cd-3caa0bb8544a", "id": "CVE-2024-38820", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38820 is fixed in version 5.3.27.tuxcare.1 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@5.3.27.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:296e9c32-9f8a-5cf2-bdc0-7027b1e12023", "id": "CVE-2024-38828", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38828 is fixed in version 5.3.27.tuxcare.1 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@5.3.27.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:411a8520-d3fd-525f-84cf-b6a939a8aa60", "id": "CVE-2025-22233", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-22233 is fixed in version 5.3.27.tuxcare.1 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@5.3.27.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:6778abfe-5dfe-5178-9b98-0d3ec0372570", "id": "CVE-2025-41234", "analysis": { "state": "false_positive", "detail": "Vulnerability CVE-2025-41234 is a false positive for org.springframework:spring-webflux 5.3.27.tuxcare.1." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@5.3.27.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:12da8095-0a61-5ebc-b464-ad62b7b32f80", "id": "CVE-2025-41242", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41242 affects version 5.3.27.tuxcare.1 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@5.3.27.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:462c498d-a26c-5b95-8861-8fac281d1733", "id": "CVE-2025-41249", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41249 affects version 5.3.27.tuxcare.1 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@5.3.27.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:f3364ee2-a413-5cda-9426-09fe3a5b136e", "id": "CVE-2025-41254", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41254 affects version 5.3.27.tuxcare.1 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@5.3.27.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:51017966-2cea-510b-9869-1bdfb14b0ba6", "id": "CVE-2026-22735", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22735 affects version 5.3.27.tuxcare.1 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@5.3.27.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:f2b6860a-d507-5bbf-9247-177d3d9ed37a", "id": "CVE-2026-22737", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22737 affects version 5.3.27.tuxcare.1 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@5.3.27.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:4ddac921-4f6d-5677-8561-2c940003610e", "id": "CVE-2026-22740", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22740 affects version 5.3.27.tuxcare.1 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@5.3.27.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:ef4f7b65-57e4-526e-b13f-36cf471fba26", "id": "CVE-2026-22741", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22741 affects version 5.3.27.tuxcare.1 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@5.3.27.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:461f26eb-ed5e-5921-b72f-f2240d133be6", "id": "CVE-2026-22745", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22745 affects version 5.3.27.tuxcare.1 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@5.3.27.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:2f1e4f93-e5f1-582a-9e1e-ccad0c3ca988", "id": "CVE-2026-41838", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41838 affects version 5.3.27.tuxcare.1 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@5.3.27.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:6f41d924-b014-524a-8971-b1f6c9326e96", "id": "CVE-2026-41839", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41839 affects version 5.3.27.tuxcare.1 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@5.3.27.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:d5f6936d-f171-5653-958a-386cf5f69278", "id": "CVE-2026-41840", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41840 does not affect version 5.3.27.tuxcare.1 of org.springframework:spring-webflux. already_fixed \u2014 The target repository (Spring Framework 5.3.27-tuxcare.5) already contains the fix for CVE-2026-41840. The vulnerability was previously addressed through backport commits for CVE-2026-22740, which applied the identical doOnDiscard cleanup logic to prevent resource exhaustion from multipart request processing." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@5.3.27.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:9da8daaf-0c1b-592c-8bdf-40b4d200bab7", "id": "CVE-2026-41841", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41841 affects version 5.3.27.tuxcare.1 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@5.3.27.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:7792bf00-8717-5416-adad-8201e1b1b60a", "id": "CVE-2026-41842", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41842 affects version 5.3.27.tuxcare.1 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@5.3.27.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:2c39b6a2-3b91-5575-bb64-a66afb095284", "id": "CVE-2026-41843", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41843 affects version 5.3.27.tuxcare.1 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@5.3.27.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:3ecbf218-bc2d-51ef-92c8-21e0a63aab88", "id": "CVE-2026-41844", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41844 affects version 5.3.27.tuxcare.1 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@5.3.27.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:b79dd661-4f34-51db-970f-e5f1f0d0e361", "id": "CVE-2026-41845", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41845 affects version 5.3.27.tuxcare.1 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@5.3.27.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:9af67cb9-df7f-5321-b4d7-16143f875b2d", "id": "CVE-2026-41846", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41846 affects version 5.3.27.tuxcare.1 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@5.3.27.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:6c62dfe5-b08e-5de2-87fa-8df744200b61", "id": "CVE-2026-41847", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41847 does not affect version 5.3.27.tuxcare.1 of org.springframework:spring-webflux. already_fixed \u2014 The target repository (Spring Framework 5.3.27-tuxcare.5) already contains the fix for CVE-2026-41847. The upstream commit 07ba95739bf4451742e4ee6b4d4b2d0ee5f701bf is present in the current branch, and source code inspection confirms the vulnerability has been patched." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@5.3.27.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:e58a3968-82db-5704-8b3a-d83af53671c9", "id": "CVE-2026-41848", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41848 affects version 5.3.27.tuxcare.1 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@5.3.27.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:1cb2209d-7656-5fbf-a253-5f68a9aa0df6", "id": "CVE-2026-41849", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41849 affects version 5.3.27.tuxcare.1 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@5.3.27.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:739cad28-42d2-5e24-9cf1-b59c748ba2dc", "id": "CVE-2026-41850", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41850 affects version 5.3.27.tuxcare.1 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@5.3.27.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:706b3145-0487-575e-ac8c-f9f7e608855e", "id": "CVE-2026-41851", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41851 affects version 5.3.27.tuxcare.1 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@5.3.27.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:4d8fc3f3-de05-5868-a325-4a6fb0e95c2f", "id": "CVE-2026-41852", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41852 affects version 5.3.27.tuxcare.1 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@5.3.27.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:6d37940d-6791-57c4-a0df-89d898cfdfc0", "id": "CVE-2026-41853", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41853 affects version 5.3.27.tuxcare.1 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@5.3.27.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:1d94ce7a-f279-549e-8ff4-5f5b9287c9c4", "id": "CVE-2026-41855", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41855 affects version 5.3.27.tuxcare.1 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@5.3.27.tuxcare.1" } ] } ], "dependencies": [ { "ref": "pkg:maven/org.springframework/spring-webflux@5.3.27.tuxcare.1" } ] }