{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:ee241bb0-c054-5e56-be87-57e5a7c89889", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:maven/org.springframework/spring-webmvc@5.3.39.tuxcare.6", "type": "library", "group": "org.springframework", "name": "spring-webmvc", "version": "5.3.39.tuxcare.6", "purl": "pkg:maven/org.springframework/spring-webmvc@5.3.39.tuxcare.6" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:9ceefb0a-e1c4-58ae-8691-a7ef21495816", "id": "CVE-2016-1000027", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2016-1000027 affects version 5.3.39.tuxcare.6 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:98b8bdd5-e8f2-585d-9066-10b99aae0f71", "id": "CVE-2022-22968", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2022-22968 does not affect version 5.3.39.tuxcare.6 of org.springframework:spring-webmvc. Spring version 5.3.39 is not affected to CVE-2022-22968 as fix has been already already backported by the original developers" }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:c32dfaa3-d244-5c32-b3f8-ec97a1d0fbb8", "id": "CVE-2024-38816", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38816 is fixed in version 5.3.39.tuxcare.6 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:24d4fd6b-3167-566f-9eb1-6190f7df6ac7", "id": "CVE-2024-38819", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38819 is fixed in version 5.3.39.tuxcare.6 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:0ddbc14a-486f-51c9-a858-01525dda7e97", "id": "CVE-2024-38820", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38820 is fixed in version 5.3.39.tuxcare.6 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:aee52d1a-8a96-5f67-a3dc-32aeaffd6d5a", "id": "CVE-2024-38828", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38828 is fixed in version 5.3.39.tuxcare.6 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:8a270edc-c665-5bd7-b1d2-4b0698bcc234", "id": "CVE-2025-22233", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-22233 is fixed in version 5.3.39.tuxcare.6 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:4bfa2775-d48c-54af-a96b-e37780156815", "id": "CVE-2025-41234", "analysis": { "state": "false_positive", "detail": "Vulnerability CVE-2025-41234 is a false positive for org.springframework:spring-webmvc 5.3.39.tuxcare.6." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:dc000e3d-3f8e-5ae8-a9d8-059bf58a2b8c", "id": "CVE-2025-41242", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41242 affects version 5.3.39.tuxcare.6 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:1d547313-e6bd-5750-a3b2-b29a6b451c09", "id": "CVE-2025-41249", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41249 affects version 5.3.39.tuxcare.6 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:23266ea0-bbbb-5d2e-aff2-65ce09955ed7", "id": "CVE-2025-41254", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41254 affects version 5.3.39.tuxcare.6 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:c686de24-9573-597d-88c8-48ee63cf6d32", "id": "CVE-2026-22735", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22735 affects version 5.3.39.tuxcare.6 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:31a67abd-13e3-50ee-95f5-e7968deac2cb", "id": "CVE-2026-22737", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22737 affects version 5.3.39.tuxcare.6 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:6acab20e-67b7-5a7f-bbb2-c73338472faa", "id": "CVE-2026-22740", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22740 affects version 5.3.39.tuxcare.6 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:c2380211-1a64-5104-a9de-02c669607521", "id": "CVE-2026-22741", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22741 affects version 5.3.39.tuxcare.6 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:7cfb55e4-9351-5684-b8f5-2b68f5657295", "id": "CVE-2026-22745", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22745 affects version 5.3.39.tuxcare.6 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:8b9e4a2a-4409-57ba-a68a-f085147f13ec", "id": "CVE-2026-41838", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41838 affects version 5.3.39.tuxcare.6 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:0d87b1fa-43cd-54aa-9c2f-34ba6d8b3d68", "id": "CVE-2026-41839", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41839 affects version 5.3.39.tuxcare.6 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:f7a80ae8-9369-568e-a6e0-ea7ba19bfc71", "id": "CVE-2026-41840", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41840 does not affect version 5.3.39.tuxcare.6 of org.springframework:spring-webmvc. already_fixed \u2014 The target Spring Framework 5.3.39-tuxcare.12 already contains both vendor fixes for CVE-2026-41840. The fixes were backported via commit 4ef4cdca34 (May 13, 2026) under CVE-2026-22740, but the code changes are identical to the upstream patches. Both doOnDiscard handlers are present and active in PartGenerator.java and MultipartHttpMessageReader.java, preventing memory exhaustion from unrelease..." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:4c4728b9-0336-59e7-b062-89274b63ff43", "id": "CVE-2026-41841", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41841 affects version 5.3.39.tuxcare.6 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:fbb71895-6670-561c-aa3d-2e0a27c73dcb", "id": "CVE-2026-41842", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41842 affects version 5.3.39.tuxcare.6 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:33123281-e467-5158-af69-281c1be0ff66", "id": "CVE-2026-41843", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41843 affects version 5.3.39.tuxcare.6 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:a8197d01-f4f5-562d-b1ed-516da94b9823", "id": "CVE-2026-41844", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41844 affects version 5.3.39.tuxcare.6 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:37428bb6-687f-5978-8518-6a098ede6026", "id": "CVE-2026-41845", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41845 affects version 5.3.39.tuxcare.6 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:7061957c-4811-570d-90c9-6204adc7557f", "id": "CVE-2026-41846", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41846 affects version 5.3.39.tuxcare.6 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:9ff3a202-4ec1-5276-8fe3-0fe21d317f82", "id": "CVE-2026-41847", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41847 affects version 5.3.39.tuxcare.6 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:39923b27-ae1d-5373-a3d5-88a12e45a401", "id": "CVE-2026-41848", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41848 affects version 5.3.39.tuxcare.6 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:a2e6952f-5dad-5a08-b9e9-6ea6a97a0371", "id": "CVE-2026-41849", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41849 affects version 5.3.39.tuxcare.6 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:360b0921-5424-50da-8231-2418cd093b6a", "id": "CVE-2026-41850", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41850 affects version 5.3.39.tuxcare.6 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:8cb91d43-7460-5ae8-94a2-29473ed5cc84", "id": "CVE-2026-41851", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41851 affects version 5.3.39.tuxcare.6 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:659061d7-883b-5716-96b7-dc8b639d9e06", "id": "CVE-2026-41852", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41852 affects version 5.3.39.tuxcare.6 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:fc8f2cc1-043d-5d56-82c1-768c0b4687e3", "id": "CVE-2026-41853", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41853 affects version 5.3.39.tuxcare.6 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:2f1f4c62-2e69-5704-ab81-871eb009badf", "id": "CVE-2026-41855", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41855 affects version 5.3.39.tuxcare.6 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@5.3.39.tuxcare.6" } ] } ], "dependencies": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@5.3.39.tuxcare.6" } ] }