{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:f25b50f7-a1d5-5cb3-b2bc-251d9eb76270", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:maven/org.springframework/spring-webmvc@6.1.20-tuxcare.4", "type": "library", "group": "org.springframework", "name": "spring-webmvc", "version": "6.1.20-tuxcare.4", "purl": "pkg:maven/org.springframework/spring-webmvc@6.1.20-tuxcare.4" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:a0e637a0-69d2-5acd-add1-404675eeba24", "id": "CVE-2025-22233", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-22233 affects version 6.1.20-tuxcare.4 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@6.1.20-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:76b9a277-11c4-5095-8042-4012d739fac8", "id": "CVE-2025-41234", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-41234 is fixed in version 6.1.20-tuxcare.4 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@6.1.20-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:94249476-5f67-5f36-bd41-0cbf906cff7f", "id": "CVE-2025-41242", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41242 affects version 6.1.20-tuxcare.4 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@6.1.20-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:f1714a25-a41c-5ebf-a384-b4dff014cd19", "id": "CVE-2025-41249", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41249 affects version 6.1.20-tuxcare.4 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@6.1.20-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:01cadbb0-aa2d-5a85-8cab-c4bc095f69c9", "id": "CVE-2025-41254", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41254 affects version 6.1.20-tuxcare.4 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@6.1.20-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:2e18fd8a-1c5d-510d-9371-3de3564f9d14", "id": "CVE-2026-22735", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22735 is fixed in version 6.1.20-tuxcare.4 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@6.1.20-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:4cd34019-d7aa-5f58-81d2-8e97a131fef0", "id": "CVE-2026-22737", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22737 is fixed in version 6.1.20-tuxcare.4 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@6.1.20-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:fe75d5bd-a1bf-5107-85c6-2fa227d6772c", "id": "CVE-2026-22740", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22740 is fixed in version 6.1.20-tuxcare.4 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@6.1.20-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:6f6ecbe3-eacb-5270-b193-9320aae73db8", "id": "CVE-2026-22741", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22741 is fixed in version 6.1.20-tuxcare.4 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@6.1.20-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:9d2f2c46-6308-56eb-ba5d-40cce134b5aa", "id": "CVE-2026-22745", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22745 is fixed in version 6.1.20-tuxcare.4 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@6.1.20-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:9ac902a6-cce9-553c-9110-f5170bbe2231", "id": "CVE-2026-41838", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41838 affects version 6.1.20-tuxcare.4 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@6.1.20-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:1e72e7e6-c262-596d-9432-9e7499a6d1f3", "id": "CVE-2026-41839", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41839 affects version 6.1.20-tuxcare.4 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@6.1.20-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:6ade2187-022d-5719-9d76-0bdf1079ff67", "id": "CVE-2026-41840", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41840 does not affect version 6.1.20-tuxcare.4 of org.springframework:spring-webmvc. already_fixed \u2014 Spring Framework 6.1.20-tuxcare.4 already contains both doOnDiscard handlers that prevent the multipart memory leak vulnerability. The fixes were applied via TuxCare backport commit a6b78f2a1c on May 19, 2026 under CVE-2026-22740, which appears to be the same or closely related vulnerability as CVE-2026-41840." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@6.1.20-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:edcb7d93-6a48-5508-a6d6-90226c8cd85a", "id": "CVE-2026-41841", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41841 affects version 6.1.20-tuxcare.4 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@6.1.20-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:04eabf33-2439-55d0-aa78-0707bc2cc6dd", "id": "CVE-2026-41842", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41842 affects version 6.1.20-tuxcare.4 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@6.1.20-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:4fa73234-a2c3-57b1-8c6d-6ac745fd6ab5", "id": "CVE-2026-41843", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41843 affects version 6.1.20-tuxcare.4 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@6.1.20-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:4e47e93b-759b-51d3-9d32-b0f23b68eca8", "id": "CVE-2026-41844", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41844 affects version 6.1.20-tuxcare.4 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@6.1.20-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:0e966d36-3ca0-5573-8fd4-4615e7c48738", "id": "CVE-2026-41845", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41845 affects version 6.1.20-tuxcare.4 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@6.1.20-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:71540323-36d2-56be-9bd2-fad070af1d5e", "id": "CVE-2026-41846", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41846 affects version 6.1.20-tuxcare.4 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@6.1.20-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:0cdd7bb0-0216-5030-af8d-bb3f5ec14f61", "id": "CVE-2026-41848", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41848 affects version 6.1.20-tuxcare.4 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@6.1.20-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:fca2c936-2789-5fc5-b7c1-b4acdd128e3a", "id": "CVE-2026-41850", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41850 affects version 6.1.20-tuxcare.4 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@6.1.20-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:625dcdbe-38d0-59a1-aa2f-69f0b46d429c", "id": "CVE-2026-41851", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41851 affects version 6.1.20-tuxcare.4 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@6.1.20-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:112c7c25-64eb-55ec-aa8f-a9bb9884499a", "id": "CVE-2026-41852", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41852 affects version 6.1.20-tuxcare.4 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@6.1.20-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:f2480358-8b06-51aa-9ad5-06789003240f", "id": "CVE-2026-41853", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41853 affects version 6.1.20-tuxcare.4 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@6.1.20-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:151dd752-667b-5812-aa24-16498355da70", "id": "CVE-2026-41855", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41855 affects version 6.1.20-tuxcare.4 of org.springframework:spring-webmvc." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@6.1.20-tuxcare.4" } ] } ], "dependencies": [ { "ref": "pkg:maven/org.springframework/spring-webmvc@6.1.20-tuxcare.4" } ] }