{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:b5bb64ae-42c4-5eec-bbbc-a7fa33e54b09", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:maven/org.springframework/spring-webflux@6.1.20-tuxcare.4", "type": "library", "group": "org.springframework", "name": "spring-webflux", "version": "6.1.20-tuxcare.4", "purl": "pkg:maven/org.springframework/spring-webflux@6.1.20-tuxcare.4" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:fb435b91-099f-59e3-aef9-3440fa584025", "id": "CVE-2025-22233", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-22233 affects version 6.1.20-tuxcare.4 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@6.1.20-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:1ea6bcc8-cc0b-5054-a27f-811b68759281", "id": "CVE-2025-41234", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-41234 is fixed in version 6.1.20-tuxcare.4 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@6.1.20-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:879f7962-e7e8-51cf-a7ee-dab6de8e8a26", "id": "CVE-2025-41242", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41242 affects version 6.1.20-tuxcare.4 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@6.1.20-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:65c5f0f8-ed66-5b67-8495-e49a4b6ae608", "id": "CVE-2025-41249", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41249 affects version 6.1.20-tuxcare.4 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@6.1.20-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:1d97d2fe-be0e-5343-99fe-70dc70aec0e8", "id": "CVE-2025-41254", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41254 affects version 6.1.20-tuxcare.4 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@6.1.20-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:27868b9b-7d74-5e99-9a60-14974d2e46fc", "id": "CVE-2026-22735", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22735 is fixed in version 6.1.20-tuxcare.4 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@6.1.20-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:414645a5-f792-5c4a-823f-2e6181aaed5f", "id": "CVE-2026-22737", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22737 is fixed in version 6.1.20-tuxcare.4 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@6.1.20-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:b6e3c5d3-0dae-5b6f-83e2-a8aaea782024", "id": "CVE-2026-22740", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22740 is fixed in version 6.1.20-tuxcare.4 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@6.1.20-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:3dd4422d-e829-51b5-819d-88731502acad", "id": "CVE-2026-22741", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22741 is fixed in version 6.1.20-tuxcare.4 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@6.1.20-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:50dd2240-54df-52cd-a100-529d6c71a293", "id": "CVE-2026-22745", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22745 is fixed in version 6.1.20-tuxcare.4 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@6.1.20-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:50f56c11-2280-515c-8c30-28e9b9d892ee", "id": "CVE-2026-41838", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41838 affects version 6.1.20-tuxcare.4 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@6.1.20-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:09f9ec68-855f-52c7-bd7a-34366c740f87", "id": "CVE-2026-41839", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41839 affects version 6.1.20-tuxcare.4 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@6.1.20-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:17ebfea9-f7bf-5329-b499-c7b929cdbaa8", "id": "CVE-2026-41840", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41840 does not affect version 6.1.20-tuxcare.4 of org.springframework:spring-webflux. already_fixed \u2014 Spring Framework 6.1.20-tuxcare.4 already contains both doOnDiscard handlers that prevent the multipart memory leak vulnerability. The fixes were applied via TuxCare backport commit a6b78f2a1c on May 19, 2026 under CVE-2026-22740, which appears to be the same or closely related vulnerability as CVE-2026-41840." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@6.1.20-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:bd86eccd-68ec-5c3b-bd12-49eec5452d1a", "id": "CVE-2026-41841", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41841 affects version 6.1.20-tuxcare.4 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@6.1.20-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:aa0c6acd-4b4b-55bd-8c81-b26701900e46", "id": "CVE-2026-41842", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41842 affects version 6.1.20-tuxcare.4 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@6.1.20-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:08fba87f-714b-5d98-bcbc-8483b64c9191", "id": "CVE-2026-41843", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41843 affects version 6.1.20-tuxcare.4 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@6.1.20-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:ceb181a3-1482-5ba7-8c94-5167390d1091", "id": "CVE-2026-41844", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41844 affects version 6.1.20-tuxcare.4 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@6.1.20-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:3461a25c-e37b-537b-9f13-628ffc1fdbf9", "id": "CVE-2026-41845", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41845 affects version 6.1.20-tuxcare.4 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@6.1.20-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:386d58db-593e-57c5-a609-94b07ab43c38", "id": "CVE-2026-41846", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41846 affects version 6.1.20-tuxcare.4 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@6.1.20-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:da856dc3-042a-57d8-851b-d850a44ba9e4", "id": "CVE-2026-41848", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41848 affects version 6.1.20-tuxcare.4 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@6.1.20-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:b4066231-4e95-5248-ab32-9c1f910dfd53", "id": "CVE-2026-41850", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41850 affects version 6.1.20-tuxcare.4 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@6.1.20-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:2bfff791-ff25-5a4e-a989-3c73d2b8b9ce", "id": "CVE-2026-41851", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41851 affects version 6.1.20-tuxcare.4 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@6.1.20-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:f91f55c4-681f-52d2-9252-d87850bd5cae", "id": "CVE-2026-41852", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41852 affects version 6.1.20-tuxcare.4 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@6.1.20-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:1b97b238-a21c-5b6c-8224-f12bb901173a", "id": "CVE-2026-41853", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41853 affects version 6.1.20-tuxcare.4 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@6.1.20-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:afc0aa38-62d8-5b68-b801-8c280a4d59f4", "id": "CVE-2026-41855", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41855 affects version 6.1.20-tuxcare.4 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@6.1.20-tuxcare.4" } ] } ], "dependencies": [ { "ref": "pkg:maven/org.springframework/spring-webflux@6.1.20-tuxcare.4" } ] }