{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:dfffbac8-3e62-51d7-91ea-26fedfa5835f", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:maven/org.springframework/spring-webflux@5.3.39.tuxcare.4", "type": "library", "group": "org.springframework", "name": "spring-webflux", "version": "5.3.39.tuxcare.4", "purl": "pkg:maven/org.springframework/spring-webflux@5.3.39.tuxcare.4" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:6b0e9139-4284-503b-8ee9-4a14f4974d61", "id": "CVE-2016-1000027", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2016-1000027 affects version 5.3.39.tuxcare.4 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:c7b7ac92-b072-5cce-9827-c58df5e3ad2c", "id": "CVE-2022-22968", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2022-22968 does not affect version 5.3.39.tuxcare.4 of org.springframework:spring-webflux. Spring version 5.3.39 is not affected to CVE-2022-22968 as fix has been already already backported by the original developers" }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:9806eafb-f9c9-5cd1-91bb-c82f4730fa0b", "id": "CVE-2024-38816", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38816 is fixed in version 5.3.39.tuxcare.4 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:3b2071b3-6823-5f22-9773-9cc2afa5977c", "id": "CVE-2024-38819", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38819 is fixed in version 5.3.39.tuxcare.4 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:3405a743-373e-5dde-844c-43ce0320573d", "id": "CVE-2024-38820", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38820 affects version 5.3.39.tuxcare.4 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:a13c4d86-d590-5928-8761-a3fc1c6b2a24", "id": "CVE-2024-38828", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38828 is fixed in version 5.3.39.tuxcare.4 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:60379989-f1a5-59cf-9ae8-8e1b6fbfa991", "id": "CVE-2025-22233", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-22233 affects version 5.3.39.tuxcare.4 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:bfe27dc8-ad1b-59df-b18a-c792504e5151", "id": "CVE-2025-41234", "analysis": { "state": "false_positive", "detail": "Vulnerability CVE-2025-41234 is a false positive for org.springframework:spring-webflux 5.3.39.tuxcare.4." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:50eaf226-47e9-502b-98a7-c2df6f50dea9", "id": "CVE-2025-41242", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41242 affects version 5.3.39.tuxcare.4 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:d8cca240-bb7e-578d-b4bc-1ca1e9429173", "id": "CVE-2025-41249", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41249 affects version 5.3.39.tuxcare.4 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:37d4e7b5-8aab-5679-9ddb-4ad6b59847ab", "id": "CVE-2025-41254", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41254 affects version 5.3.39.tuxcare.4 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:cb51da09-8eaf-5b2f-81f5-69663d3f6509", "id": "CVE-2026-22735", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22735 affects version 5.3.39.tuxcare.4 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:811f969c-7fe1-5834-8142-98a8d600ff0a", "id": "CVE-2026-22737", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22737 affects version 5.3.39.tuxcare.4 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:42b9092e-decb-560a-ae71-11cb458b4c23", "id": "CVE-2026-22740", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22740 affects version 5.3.39.tuxcare.4 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:5d533a2a-4ba3-5575-a1bb-4861197febcd", "id": "CVE-2026-22741", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22741 affects version 5.3.39.tuxcare.4 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:52e7c96b-27ba-5395-9b53-aa007de7f99c", "id": "CVE-2026-22745", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22745 affects version 5.3.39.tuxcare.4 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:18ac4ea2-2b15-5054-acf6-8b44d41d0c96", "id": "CVE-2026-41838", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41838 affects version 5.3.39.tuxcare.4 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:47e08ae7-a669-5628-b33b-c52a0b2b9ebd", "id": "CVE-2026-41839", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41839 affects version 5.3.39.tuxcare.4 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:83730552-d77d-56fe-94ec-febeee661d67", "id": "CVE-2026-41840", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41840 does not affect version 5.3.39.tuxcare.4 of org.springframework:spring-webflux. already_fixed \u2014 The target Spring Framework 5.3.39-tuxcare.12 already contains both vendor fixes for CVE-2026-41840. The fixes were backported via commit 4ef4cdca34 (May 13, 2026) under CVE-2026-22740, but the code changes are identical to the upstream patches. Both doOnDiscard handlers are present and active in PartGenerator.java and MultipartHttpMessageReader.java, preventing memory exhaustion from unrelease..." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:ef593f21-f2d3-5f36-a0c7-3fc9c40df472", "id": "CVE-2026-41841", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41841 affects version 5.3.39.tuxcare.4 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:5386a987-3b94-5083-a755-1bbfb46d7777", "id": "CVE-2026-41842", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41842 affects version 5.3.39.tuxcare.4 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:c81ab12f-186d-5d21-8a13-aa4e0089b98f", "id": "CVE-2026-41843", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41843 affects version 5.3.39.tuxcare.4 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:35b51dd0-bece-5ff2-9da2-a7587c0fe317", "id": "CVE-2026-41844", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41844 affects version 5.3.39.tuxcare.4 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:ea13c34a-6a91-579e-83ae-c9c1d9261b6b", "id": "CVE-2026-41845", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41845 affects version 5.3.39.tuxcare.4 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:e41d4219-354f-571d-a5df-a2475c9fd6b0", "id": "CVE-2026-41846", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41846 affects version 5.3.39.tuxcare.4 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:52eaea20-2bf0-509a-9ada-774d3753ef12", "id": "CVE-2026-41847", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41847 affects version 5.3.39.tuxcare.4 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:1106ca9c-8d54-572c-bd27-6d17f2fd82b5", "id": "CVE-2026-41848", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41848 affects version 5.3.39.tuxcare.4 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:2ad91541-87fe-5bbb-a977-54b15eb62d88", "id": "CVE-2026-41849", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41849 affects version 5.3.39.tuxcare.4 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:051f838d-fcda-5d94-b381-7c0bc8f1d28b", "id": "CVE-2026-41850", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41850 affects version 5.3.39.tuxcare.4 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:7c189fe3-9b15-5eb5-be1e-cc44cc80dc6c", "id": "CVE-2026-41851", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41851 affects version 5.3.39.tuxcare.4 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:68312d17-7e9d-5448-9743-0a76cfeb7e18", "id": "CVE-2026-41852", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41852 affects version 5.3.39.tuxcare.4 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:a5f8b9bc-c728-5bea-a60e-8fd92a1252fb", "id": "CVE-2026-41853", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41853 affects version 5.3.39.tuxcare.4 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@5.3.39.tuxcare.4" } ] }, { "bom-ref": "urn:uuid:bb91880c-82e0-5442-a3ec-f496d97bd354", "id": "CVE-2026-41855", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41855 affects version 5.3.39.tuxcare.4 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@5.3.39.tuxcare.4" } ] } ], "dependencies": [ { "ref": "pkg:maven/org.springframework/spring-webflux@5.3.39.tuxcare.4" } ] }