{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:360ecd56-6c5a-513a-bb0d-f7771f6c9532", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:maven/org.springframework/spring-webmvc@5.3.39.tuxcare.3", "type": "library", "group": "org.springframework", "name": "spring-webmvc", "version": "5.3.39.tuxcare.3", "purl": "pkg:maven/org.springframework/spring-webmvc@5.3.39.tuxcare.3" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:962cb87d-bce1-58fd-9f89-68d517236ae1", "id": "CVE-2016-1000027", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2016-1000027 affects version 5.3.39.tuxcare.3 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:7e6b1b9d-05e1-5b90-942d-29ab74f1b260", "id": "CVE-2022-22968", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2022-22968 does not affect version 5.3.39.tuxcare.3 of org.springframework:spring-webmvc. Spring version 5.3.39 is not affected to CVE-2022-22968 as fix has been already already backported by the original developers" }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:116993c6-cc03-5334-ae18-343da894c345", "id": "CVE-2024-38816", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38816 is fixed in version 5.3.39.tuxcare.3 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:38d195ad-52d7-5048-8d97-698badd259ef", "id": "CVE-2024-38819", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38819 is fixed in version 5.3.39.tuxcare.3 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:2af6219c-e2ac-5348-b82e-535f679290e4", "id": "CVE-2024-38820", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38820 affects version 5.3.39.tuxcare.3 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:cdc0ecda-3a85-5c34-8650-371be3b3a51c", "id": "CVE-2024-38828", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38828 affects version 5.3.39.tuxcare.3 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:564c27ec-9107-5a69-b7bd-821d6ec499dc", "id": "CVE-2025-22233", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-22233 affects version 5.3.39.tuxcare.3 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:ea3f1b7d-cea0-5965-9d2a-1c18ed86f299", "id": "CVE-2025-41234", "analysis": { "state": "false_positive", "detail": "Vulnerability CVE-2025-41234 is a false positive for org.springframework:spring-webmvc 5.3.39.tuxcare.3." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:f36f2ce5-ddca-57ff-83a7-6feb3d822a2b", "id": "CVE-2025-41242", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41242 affects version 5.3.39.tuxcare.3 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:c0165043-2177-5d2e-bf60-04da9c4a96ba", "id": "CVE-2025-41249", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41249 affects version 5.3.39.tuxcare.3 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:c1f7acc3-3d89-56c3-bbac-63b95ea74928", "id": "CVE-2025-41254", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41254 affects version 5.3.39.tuxcare.3 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:2a04ebb3-dc92-5e59-b728-6e38a5355bb1", "id": "CVE-2026-22735", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22735 affects version 5.3.39.tuxcare.3 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:d022673a-7688-59e2-a08f-087bcf473bb1", "id": "CVE-2026-22737", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22737 affects version 5.3.39.tuxcare.3 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:0700e96d-3b44-58a4-82c3-078e4b288116", "id": "CVE-2026-22740", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22740 affects version 5.3.39.tuxcare.3 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:86624d05-02f5-585d-b0f8-eda9854fdb5b", "id": "CVE-2026-22741", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22741 affects version 5.3.39.tuxcare.3 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:7f930aee-7976-5610-afb2-008d36ebd443", "id": "CVE-2026-22745", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22745 affects version 5.3.39.tuxcare.3 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:b9908c51-7e85-5479-ad38-657e487baee3", "id": "CVE-2026-41838", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41838 affects version 5.3.39.tuxcare.3 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:1846d409-aafe-516e-a295-ae5c07106248", "id": "CVE-2026-41839", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41839 affects version 5.3.39.tuxcare.3 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:81b56ce8-4d75-54d6-902d-19d2b2176885", "id": "CVE-2026-41840", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41840 does not affect version 5.3.39.tuxcare.3 of org.springframework:spring-webmvc. already_fixed \u2014 The target Spring Framework 5.3.39-tuxcare.12 already contains both vendor fixes for CVE-2026-41840. The fixes were backported via commit 4ef4cdca34 (May 13, 2026) under CVE-2026-22740, but the code changes are identical to the upstream patches. Both doOnDiscard handlers are present and active in PartGenerator.java and MultipartHttpMessageReader.java, preventing memory exhaustion from unrelease..." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:d1927aff-6492-5614-a189-4311f96cca67", "id": "CVE-2026-41841", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41841 affects version 5.3.39.tuxcare.3 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:983cd25a-4fdc-5638-bb45-191df4e0ef9c", "id": "CVE-2026-41842", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41842 affects version 5.3.39.tuxcare.3 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:a1f9de47-0b44-5b17-b16b-ff0f1894cfa4", "id": "CVE-2026-41843", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41843 affects version 5.3.39.tuxcare.3 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:b0906e7f-35d2-50c3-abf6-729f2898772a", "id": "CVE-2026-41844", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41844 affects version 5.3.39.tuxcare.3 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:ff77c28a-914c-55af-b0b3-52f67c8aef4b", "id": "CVE-2026-41845", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41845 affects version 5.3.39.tuxcare.3 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:22bfae9f-fbdf-5b8e-80b3-96e0e793f386", "id": "CVE-2026-41846", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41846 affects version 5.3.39.tuxcare.3 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:44594e59-808e-50f9-96c6-734e3530d253", "id": "CVE-2026-41847", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41847 affects version 5.3.39.tuxcare.3 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:63d7983e-c6fc-5a63-891e-890ed6e7113b", "id": "CVE-2026-41848", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41848 affects version 5.3.39.tuxcare.3 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:2e3f47c1-f0c3-5129-97ae-fc6c1168608e", "id": "CVE-2026-41849", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41849 affects version 5.3.39.tuxcare.3 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:eb18727a-b554-5088-8ffe-9bfbcd01d929", "id": "CVE-2026-41850", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41850 affects version 5.3.39.tuxcare.3 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:c35fca21-75e5-57fd-8bc4-fe4c0d8b171f", "id": "CVE-2026-41851", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41851 affects version 5.3.39.tuxcare.3 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:8cbb1621-cedd-5429-b812-a2518c12e019", "id": "CVE-2026-41852", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41852 affects version 5.3.39.tuxcare.3 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:6d67d46e-e240-5461-a0af-4fa7a7c59f64", "id": "CVE-2026-41853", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41853 affects version 5.3.39.tuxcare.3 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@5.3.39.tuxcare.3" } ] }, { "bom-ref": "urn:uuid:cb990e25-97e2-5e86-b5f7-6f1952ede087", "id": "CVE-2026-41855", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41855 affects version 5.3.39.tuxcare.3 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@5.3.39.tuxcare.3" } ] } ], "dependencies": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@5.3.39.tuxcare.3" } ] }