{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:c1ab7742-9edd-50c8-8139-0819063601b1", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:maven/org.springframework/spring-webflux@5.3.39.tuxcare.6", "type": "library", "group": "org.springframework", "name": "spring-webflux", "version": "5.3.39.tuxcare.6", "purl": "pkg:maven/org.springframework/spring-webflux@5.3.39.tuxcare.6" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:6fa67a27-88e7-5a48-aa14-8ac2a9e6d58c", "id": "CVE-2016-1000027", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2016-1000027 affects version 5.3.39.tuxcare.6 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:724dde15-161d-5073-a40f-819140c43fc0", "id": "CVE-2022-22968", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2022-22968 does not affect version 5.3.39.tuxcare.6 of org.springframework:spring-webflux. Spring version 5.3.39 is not affected to CVE-2022-22968 as fix has been already already backported by the original developers" }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:0584d5e6-be16-532b-a391-633d4c33d728", "id": "CVE-2024-38816", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38816 is fixed in version 5.3.39.tuxcare.6 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:e56336d1-d866-5576-acb0-393c43826338", "id": "CVE-2024-38819", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38819 is fixed in version 5.3.39.tuxcare.6 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:f7447fbb-5137-57a8-ab2b-d15808a759f8", "id": "CVE-2024-38820", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38820 is fixed in version 5.3.39.tuxcare.6 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:fcd632de-cf3b-5456-8120-5a46ff1b12b2", "id": "CVE-2024-38828", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38828 is fixed in version 5.3.39.tuxcare.6 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:6dd9a79c-028d-55da-8dd7-9f2a1b271a89", "id": "CVE-2025-22233", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-22233 is fixed in version 5.3.39.tuxcare.6 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:0e6fe2b6-32f6-5cf7-a2f2-47eb7ba41c28", "id": "CVE-2025-41234", "analysis": { "state": "false_positive", "detail": "Vulnerability CVE-2025-41234 is a false positive for org.springframework:spring-webflux 5.3.39.tuxcare.6." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:57b74e86-c0c9-5007-ac3a-8eafa05fe617", "id": "CVE-2025-41242", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41242 affects version 5.3.39.tuxcare.6 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:9716b4ae-f3f0-5270-88e3-a8d6aae3cf5a", "id": "CVE-2025-41249", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41249 affects version 5.3.39.tuxcare.6 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:0569e5f8-3b0b-5e1d-85ba-677f46f0be98", "id": "CVE-2025-41254", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41254 affects version 5.3.39.tuxcare.6 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:dc2e776a-e411-54df-82d7-fb64bf0b4e62", "id": "CVE-2026-22735", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22735 affects version 5.3.39.tuxcare.6 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:6a850409-98b9-5ada-bebb-41d8fb7cab6f", "id": "CVE-2026-22737", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22737 affects version 5.3.39.tuxcare.6 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:315cff1e-0237-551a-b3ab-dcef82c27f3f", "id": "CVE-2026-22740", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22740 affects version 5.3.39.tuxcare.6 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:dd183af1-44ba-54c6-95b6-c9dda8fc40cf", "id": "CVE-2026-22741", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22741 affects version 5.3.39.tuxcare.6 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:252786bd-aef1-588e-8ace-9cacef13a875", "id": "CVE-2026-22745", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22745 affects version 5.3.39.tuxcare.6 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:afc19afa-b8d8-5ca3-b617-b28902dff63a", "id": "CVE-2026-41838", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41838 affects version 5.3.39.tuxcare.6 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:2a3bdb66-7266-5d58-9327-d5e6794e67e1", "id": "CVE-2026-41839", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41839 affects version 5.3.39.tuxcare.6 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:0d03a02c-90c7-5d85-b243-79c03d9de867", "id": "CVE-2026-41840", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41840 does not affect version 5.3.39.tuxcare.6 of org.springframework:spring-webflux. already_fixed \u2014 The target Spring Framework 5.3.39-tuxcare.12 already contains both vendor fixes for CVE-2026-41840. The fixes were backported via commit 4ef4cdca34 (May 13, 2026) under CVE-2026-22740, but the code changes are identical to the upstream patches. Both doOnDiscard handlers are present and active in PartGenerator.java and MultipartHttpMessageReader.java, preventing memory exhaustion from unrelease..." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:36185db5-23b2-571b-ade3-0afa2ba5d5ea", "id": "CVE-2026-41841", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41841 affects version 5.3.39.tuxcare.6 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:e80e75d3-0312-511c-bc43-8e87c9bb7644", "id": "CVE-2026-41842", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41842 affects version 5.3.39.tuxcare.6 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:c51ef846-ec0b-5f9e-bf4e-57f91adc6cbd", "id": "CVE-2026-41843", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41843 affects version 5.3.39.tuxcare.6 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:48534df4-f2ea-55a9-9945-01b3aefd1e3a", "id": "CVE-2026-41844", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41844 affects version 5.3.39.tuxcare.6 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:822a8abb-7cfe-5805-9642-fdecfa3ce591", "id": "CVE-2026-41845", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41845 affects version 5.3.39.tuxcare.6 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:2418bb45-2b77-57de-a816-3b521f465a70", "id": "CVE-2026-41846", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41846 affects version 5.3.39.tuxcare.6 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:358c7044-1203-5a95-bb68-c63d40bb8719", "id": "CVE-2026-41847", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41847 affects version 5.3.39.tuxcare.6 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:0bd15bfe-7d45-5c25-9b0f-9806aadb50da", "id": "CVE-2026-41848", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41848 affects version 5.3.39.tuxcare.6 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:ddd32f11-aee4-500b-904c-9ce434b8df14", "id": "CVE-2026-41849", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41849 affects version 5.3.39.tuxcare.6 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:439f8b4d-9393-599d-a3fc-d380118edca5", "id": "CVE-2026-41850", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41850 affects version 5.3.39.tuxcare.6 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:20aa1900-b55d-5267-b024-c65c74a17cc3", "id": "CVE-2026-41851", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41851 affects version 5.3.39.tuxcare.6 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:6238e080-8a56-5220-9b83-306d5ebfaf14", "id": "CVE-2026-41852", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41852 affects version 5.3.39.tuxcare.6 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:d7186cb7-c646-5f96-99ab-9fa1f65e25fe", "id": "CVE-2026-41853", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41853 affects version 5.3.39.tuxcare.6 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:23e7fb96-65f1-59b3-bf72-17096ff1cce9", "id": "CVE-2026-41855", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41855 affects version 5.3.39.tuxcare.6 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@5.3.39.tuxcare.6" } ] } ], "dependencies": [ { "ref": "pkg:maven/org.springframework/spring-webflux@5.3.39.tuxcare.6" } ] }