{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:c3ec9308-4d4b-57cf-9157-dfe6b60921dc", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:maven/org.springframework/spring-webflux@5.3.39-tuxcare.9", "type": "library", "group": "org.springframework", "name": "spring-webflux", "version": "5.3.39-tuxcare.9", "purl": "pkg:maven/org.springframework/spring-webflux@5.3.39-tuxcare.9" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:75f598b3-289b-5bc0-8cdd-58cf800bed2c", "id": "CVE-2016-1000027", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2016-1000027 affects version 5.3.39-tuxcare.9 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:cb4d6a05-7e53-50be-8286-bf4877f5fddb", "id": "CVE-2022-22968", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2022-22968 does not affect version 5.3.39-tuxcare.9 of org.springframework:spring-webflux. Spring version 5.3.39 is not affected to CVE-2022-22968 as fix has been already already backported by the original developers" }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:3ab0f5f5-de29-514f-b3f4-2c46a2becd1b", "id": "CVE-2024-38816", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38816 is fixed in version 5.3.39-tuxcare.9 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:77123eca-c265-5784-ad7e-b87905da280e", "id": "CVE-2024-38819", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38819 is fixed in version 5.3.39-tuxcare.9 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:07e2b34e-6640-5756-8149-ada767bde357", "id": "CVE-2024-38820", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38820 is fixed in version 5.3.39-tuxcare.9 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:c5509140-b0e8-50c8-8ddd-156e548fae99", "id": "CVE-2024-38828", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38828 is fixed in version 5.3.39-tuxcare.9 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:fa0d6198-d3b3-58af-b711-17259cd09e03", "id": "CVE-2025-22233", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-22233 is fixed in version 5.3.39-tuxcare.9 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:a4d060aa-bd41-57f1-8840-5531f2f6704f", "id": "CVE-2025-41234", "analysis": { "state": "false_positive", "detail": "Vulnerability CVE-2025-41234 is a false positive for org.springframework:spring-webflux 5.3.39-tuxcare.9." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:158ff6e0-60d1-5646-af33-424ec6baa978", "id": "CVE-2025-41242", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-41242 is fixed in version 5.3.39-tuxcare.9 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:8226d3af-6d1e-55fc-9f8b-ffce4ca6866e", "id": "CVE-2025-41249", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-41249 is fixed in version 5.3.39-tuxcare.9 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:f4a424bf-d29a-5d90-b8a9-96bdbbcc3e26", "id": "CVE-2025-41254", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-41254 is fixed in version 5.3.39-tuxcare.9 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:f9c6f274-7a81-534d-96af-6bed2dcc9a69", "id": "CVE-2026-22735", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22735 affects version 5.3.39-tuxcare.9 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:3b8279c3-99d3-507e-b48d-146c0eb81907", "id": "CVE-2026-22737", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22737 affects version 5.3.39-tuxcare.9 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:42ab36a7-f5c8-568b-83dc-daab4e06712a", "id": "CVE-2026-22740", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22740 affects version 5.3.39-tuxcare.9 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:ba4148af-829c-5cdf-95be-e18d4c254eba", "id": "CVE-2026-22741", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22741 affects version 5.3.39-tuxcare.9 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:159da184-f897-54fc-8ee0-c8472bcc0817", "id": "CVE-2026-22745", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22745 affects version 5.3.39-tuxcare.9 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:f04f6639-a3cf-52cd-b0ba-5c05b3ea7da8", "id": "CVE-2026-41838", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41838 affects version 5.3.39-tuxcare.9 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:26c1757a-d481-530b-9645-5df95687125e", "id": "CVE-2026-41839", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41839 affects version 5.3.39-tuxcare.9 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:a3862ab1-3f8a-5905-bcbf-86e7f0b0ab21", "id": "CVE-2026-41840", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41840 does not affect version 5.3.39-tuxcare.9 of org.springframework:spring-webflux. already_fixed \u2014 The target Spring Framework 5.3.39-tuxcare.12 already contains both vendor fixes for CVE-2026-41840. The fixes were backported via commit 4ef4cdca34 (May 13, 2026) under CVE-2026-22740, but the code changes are identical to the upstream patches. Both doOnDiscard handlers are present and active in PartGenerator.java and MultipartHttpMessageReader.java, preventing memory exhaustion from unrelease..." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:234164b1-cf25-5d40-9188-54b47d3e634b", "id": "CVE-2026-41841", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41841 affects version 5.3.39-tuxcare.9 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:2653fadb-da25-5ade-b6c3-f26974bd3792", "id": "CVE-2026-41842", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41842 affects version 5.3.39-tuxcare.9 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:3e314ebe-72c5-5b1c-ab6b-26a1026ccfe8", "id": "CVE-2026-41843", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41843 affects version 5.3.39-tuxcare.9 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:71dc1627-90ba-5826-958d-fb5c1e23e600", "id": "CVE-2026-41844", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41844 affects version 5.3.39-tuxcare.9 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:e88b8f79-b9c0-52f3-939a-29bb4ab29599", "id": "CVE-2026-41845", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41845 affects version 5.3.39-tuxcare.9 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:5aac1a4a-9b2a-52f0-b707-13f52caecbf4", "id": "CVE-2026-41846", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41846 affects version 5.3.39-tuxcare.9 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:c94698bf-a3d2-5edb-a7c9-a29181123839", "id": "CVE-2026-41847", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41847 affects version 5.3.39-tuxcare.9 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:d7a320d9-02e6-5953-8a30-17f6460bd994", "id": "CVE-2026-41848", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41848 affects version 5.3.39-tuxcare.9 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:568ef892-bdc4-5ded-afa0-945b654de783", "id": "CVE-2026-41849", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41849 affects version 5.3.39-tuxcare.9 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:2106c764-1c2f-5533-a148-f63fdf7ffdce", "id": "CVE-2026-41850", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41850 affects version 5.3.39-tuxcare.9 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:7209f345-273b-5803-beee-3137cba50eba", "id": "CVE-2026-41851", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41851 affects version 5.3.39-tuxcare.9 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:e65599f0-1026-54dc-b3e3-a245060c991d", "id": "CVE-2026-41852", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41852 affects version 5.3.39-tuxcare.9 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:f5e48881-19f5-5884-ab4a-2f8ef86ff581", "id": "CVE-2026-41853", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41853 affects version 5.3.39-tuxcare.9 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@5.3.39-tuxcare.9" } ] }, { "bom-ref": "urn:uuid:dc17b433-7b40-59f5-9748-39c5a3128a3d", "id": "CVE-2026-41855", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41855 affects version 5.3.39-tuxcare.9 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@5.3.39-tuxcare.9" } ] } ], "dependencies": [ { "ref": "pkg:maven/org.springframework/spring-webflux@5.3.39-tuxcare.9" } ] }