{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:2f4aaf25-85ae-534d-94c4-43a975bdb72e", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:maven/org.springframework/spring-webmvc@5.3.39-tuxcare.10", "type": "library", "group": "org.springframework", "name": "spring-webmvc", "version": "5.3.39-tuxcare.10", "purl": "pkg:maven/org.springframework/spring-webmvc@5.3.39-tuxcare.10" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:85d29437-5aaf-53e2-8c42-72058dc6d407", "id": "CVE-2016-1000027", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2016-1000027 affects version 5.3.39-tuxcare.10 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@5.3.39-tuxcare.10" } ] }, { "bom-ref": "urn:uuid:f2095dbd-0c99-5684-9545-5309326b3ace", "id": "CVE-2022-22968", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2022-22968 does not affect version 5.3.39-tuxcare.10 of org.springframework:spring-webmvc. Spring version 5.3.39 is not affected to CVE-2022-22968 as fix has been already already backported by the original developers" }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@5.3.39-tuxcare.10" } ] }, { "bom-ref": "urn:uuid:85700e1c-c0bd-562f-9443-ea2bba0a993f", "id": "CVE-2024-38816", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38816 is fixed in version 5.3.39-tuxcare.10 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@5.3.39-tuxcare.10" } ] }, { "bom-ref": "urn:uuid:3afdca42-d973-5e3e-8184-1d04e829bafa", "id": "CVE-2024-38819", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38819 is fixed in version 5.3.39-tuxcare.10 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@5.3.39-tuxcare.10" } ] }, { "bom-ref": "urn:uuid:6c338034-88eb-5066-a27e-05d79630244b", "id": "CVE-2024-38820", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38820 is fixed in version 5.3.39-tuxcare.10 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@5.3.39-tuxcare.10" } ] }, { "bom-ref": "urn:uuid:b2e5ed86-1609-58a0-aa95-2ef7e047d8ad", "id": "CVE-2024-38828", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38828 is fixed in version 5.3.39-tuxcare.10 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@5.3.39-tuxcare.10" } ] }, { "bom-ref": "urn:uuid:5b01735b-b6f3-5437-9f6a-8ffa76055d77", "id": "CVE-2025-22233", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-22233 is fixed in version 5.3.39-tuxcare.10 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@5.3.39-tuxcare.10" } ] }, { "bom-ref": "urn:uuid:059cb9d0-5f51-5a63-a8e6-456c3d56cf78", "id": "CVE-2025-41234", "analysis": { "state": "false_positive", "detail": "Vulnerability CVE-2025-41234 is a false positive for org.springframework:spring-webmvc 5.3.39-tuxcare.10." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@5.3.39-tuxcare.10" } ] }, { "bom-ref": "urn:uuid:73e11b7b-2731-578c-8e9f-931844ff14f6", "id": "CVE-2025-41242", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-41242 is fixed in version 5.3.39-tuxcare.10 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@5.3.39-tuxcare.10" } ] }, { "bom-ref": "urn:uuid:68709a9c-73f6-5e0c-9202-1fd5f285f2b9", "id": "CVE-2025-41249", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-41249 is fixed in version 5.3.39-tuxcare.10 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@5.3.39-tuxcare.10" } ] }, { "bom-ref": "urn:uuid:dba8529a-07c6-5cb6-8b0f-274eac2614ad", "id": "CVE-2025-41254", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-41254 is fixed in version 5.3.39-tuxcare.10 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@5.3.39-tuxcare.10" } ] }, { "bom-ref": "urn:uuid:c7823a56-8b62-5311-8316-5b5787d5339f", "id": "CVE-2026-22735", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22735 affects version 5.3.39-tuxcare.10 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@5.3.39-tuxcare.10" } ] }, { "bom-ref": "urn:uuid:c8a36c5c-e1cc-5c5e-8ec7-0921f95596b4", "id": "CVE-2026-22737", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22737 affects version 5.3.39-tuxcare.10 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@5.3.39-tuxcare.10" } ] }, { "bom-ref": "urn:uuid:b2396878-bc0f-50a5-9aa7-68dab3a1d29f", "id": "CVE-2026-22740", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22740 is fixed in version 5.3.39-tuxcare.10 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@5.3.39-tuxcare.10" } ] }, { "bom-ref": "urn:uuid:d5483768-8b5b-5b17-a841-04337fb46ea1", "id": "CVE-2026-22741", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22741 affects version 5.3.39-tuxcare.10 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@5.3.39-tuxcare.10" } ] }, { "bom-ref": "urn:uuid:09a8384e-3cf4-5cca-a524-918073012e7d", "id": "CVE-2026-22745", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22745 affects version 5.3.39-tuxcare.10 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@5.3.39-tuxcare.10" } ] }, { "bom-ref": "urn:uuid:68d404f5-e1c1-5641-a9f7-0686b049c7b7", "id": "CVE-2026-41838", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41838 affects version 5.3.39-tuxcare.10 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@5.3.39-tuxcare.10" } ] }, { "bom-ref": "urn:uuid:9c74fef5-fa9d-5971-9420-e3427fcc5ea7", "id": "CVE-2026-41839", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41839 affects version 5.3.39-tuxcare.10 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@5.3.39-tuxcare.10" } ] }, { "bom-ref": "urn:uuid:c559710c-bc5c-543a-81d4-25a1dc962bb8", "id": "CVE-2026-41840", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41840 does not affect version 5.3.39-tuxcare.10 of org.springframework:spring-webmvc. already_fixed \u2014 The target Spring Framework 5.3.39-tuxcare.12 already contains both vendor fixes for CVE-2026-41840. The fixes were backported via commit 4ef4cdca34 (May 13, 2026) under CVE-2026-22740, but the code changes are identical to the upstream patches. Both doOnDiscard handlers are present and active in PartGenerator.java and MultipartHttpMessageReader.java, preventing memory exhaustion from unrelease..." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@5.3.39-tuxcare.10" } ] }, { "bom-ref": "urn:uuid:2743a975-07b7-58b3-b449-a0dc10a64afd", "id": "CVE-2026-41841", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41841 affects version 5.3.39-tuxcare.10 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@5.3.39-tuxcare.10" } ] }, { "bom-ref": "urn:uuid:fdf7663f-4e0f-5ec0-b254-f1b25b1e1f38", "id": "CVE-2026-41842", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41842 affects version 5.3.39-tuxcare.10 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@5.3.39-tuxcare.10" } ] }, { "bom-ref": "urn:uuid:c939262b-a973-5596-8202-4d42029bb6d4", "id": "CVE-2026-41843", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41843 affects version 5.3.39-tuxcare.10 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@5.3.39-tuxcare.10" } ] }, { "bom-ref": "urn:uuid:2575295c-296e-5933-b612-dc4202c48a5b", "id": "CVE-2026-41844", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41844 affects version 5.3.39-tuxcare.10 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@5.3.39-tuxcare.10" } ] }, { "bom-ref": "urn:uuid:2710c70b-9dc2-5187-ad20-abf0b6a9499d", "id": "CVE-2026-41845", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41845 affects version 5.3.39-tuxcare.10 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@5.3.39-tuxcare.10" } ] }, { "bom-ref": "urn:uuid:163f75d8-00e0-59cb-a9d4-829253dfb509", "id": "CVE-2026-41846", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41846 affects version 5.3.39-tuxcare.10 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@5.3.39-tuxcare.10" } ] }, { "bom-ref": "urn:uuid:5c43334d-86fc-5b9f-916b-5148c9a628f0", "id": "CVE-2026-41847", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41847 affects version 5.3.39-tuxcare.10 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@5.3.39-tuxcare.10" } ] }, { "bom-ref": "urn:uuid:f0ae5b7c-3bff-5306-9a4e-ef77f532e2ea", "id": "CVE-2026-41848", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41848 affects version 5.3.39-tuxcare.10 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@5.3.39-tuxcare.10" } ] }, { "bom-ref": "urn:uuid:4f170b4a-6640-57b9-b418-1b4cefc7d6a8", "id": "CVE-2026-41849", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41849 affects version 5.3.39-tuxcare.10 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@5.3.39-tuxcare.10" } ] }, { "bom-ref": "urn:uuid:0937e9ce-3c71-56b7-953c-5572263f8566", "id": "CVE-2026-41850", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41850 affects version 5.3.39-tuxcare.10 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@5.3.39-tuxcare.10" } ] }, { "bom-ref": "urn:uuid:3236bef7-c6ff-5287-aab0-de0760ab5983", "id": "CVE-2026-41851", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41851 affects version 5.3.39-tuxcare.10 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@5.3.39-tuxcare.10" } ] }, { "bom-ref": "urn:uuid:0b91c896-4367-5aa1-836f-72e44eb86106", "id": "CVE-2026-41852", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41852 affects version 5.3.39-tuxcare.10 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@5.3.39-tuxcare.10" } ] }, { "bom-ref": "urn:uuid:d16a537f-5f02-5137-ba4c-d3cc2be673af", "id": "CVE-2026-41853", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41853 affects version 5.3.39-tuxcare.10 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@5.3.39-tuxcare.10" } ] }, { "bom-ref": "urn:uuid:7a7d01ec-ec9d-54b7-ba69-713d951e9991", "id": "CVE-2026-41855", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41855 affects version 5.3.39-tuxcare.10 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@5.3.39-tuxcare.10" } ] } ], "dependencies": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@5.3.39-tuxcare.10" } ] }