{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:96cf6922-6c0f-5a94-a9da-74311a6e03b1", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:maven/org.springframework/spring-websocket@5.3.39-tuxcare.10", "type": "library", "group": "org.springframework", "name": "spring-websocket", "version": "5.3.39-tuxcare.10", "purl": "pkg:maven/org.springframework/spring-websocket@5.3.39-tuxcare.10" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:997782d5-2ef5-5127-8369-6e2d0dc5f1c2", "id": "CVE-2016-1000027", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2016-1000027 affects version 5.3.39-tuxcare.10 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@5.3.39-tuxcare.10" } ] }, { "bom-ref": "urn:uuid:7be91104-e795-5753-91fe-abca0301c69e", "id": "CVE-2022-22968", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2022-22968 does not affect version 5.3.39-tuxcare.10 of org.springframework:spring-websocket. Spring version 5.3.39 is not affected to CVE-2022-22968 as fix has been already already backported by the original developers" }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@5.3.39-tuxcare.10" } ] }, { "bom-ref": "urn:uuid:65e7e3b2-5e3b-50e8-86e1-bec03bfdfede", "id": "CVE-2024-38816", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38816 is fixed in version 5.3.39-tuxcare.10 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@5.3.39-tuxcare.10" } ] }, { "bom-ref": "urn:uuid:ed497c60-a7d2-5206-9817-d8cc47ea37c2", "id": "CVE-2024-38819", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38819 is fixed in version 5.3.39-tuxcare.10 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@5.3.39-tuxcare.10" } ] }, { "bom-ref": "urn:uuid:6dacd359-7011-577f-b47d-236c15252401", "id": "CVE-2024-38820", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38820 is fixed in version 5.3.39-tuxcare.10 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@5.3.39-tuxcare.10" } ] }, { "bom-ref": "urn:uuid:00c0fb92-bcb6-5e11-8cfc-f93467191d20", "id": "CVE-2024-38828", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38828 is fixed in version 5.3.39-tuxcare.10 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@5.3.39-tuxcare.10" } ] }, { "bom-ref": "urn:uuid:8289de44-b096-54ac-9aa9-4eb09719275f", "id": "CVE-2025-22233", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-22233 is fixed in version 5.3.39-tuxcare.10 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@5.3.39-tuxcare.10" } ] }, { "bom-ref": "urn:uuid:bf792930-5af5-518e-9be2-e4e17a82c93a", "id": "CVE-2025-41234", "analysis": { "state": "false_positive", "detail": "Vulnerability CVE-2025-41234 is a false positive for org.springframework:spring-websocket 5.3.39-tuxcare.10." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@5.3.39-tuxcare.10" } ] }, { "bom-ref": "urn:uuid:8be17cdb-a443-5331-9c48-25fbaf4c1a8b", "id": "CVE-2025-41242", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-41242 is fixed in version 5.3.39-tuxcare.10 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@5.3.39-tuxcare.10" } ] }, { "bom-ref": "urn:uuid:99008237-f29b-5129-b284-781ca9ce1e98", "id": "CVE-2025-41249", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-41249 is fixed in version 5.3.39-tuxcare.10 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@5.3.39-tuxcare.10" } ] }, { "bom-ref": "urn:uuid:0de4ed69-832c-578d-bbc8-a6d47c516ab7", "id": "CVE-2025-41254", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-41254 is fixed in version 5.3.39-tuxcare.10 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@5.3.39-tuxcare.10" } ] }, { "bom-ref": "urn:uuid:7f1fe4a5-99da-535f-9514-4c2d70afd08a", "id": "CVE-2026-22735", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22735 affects version 5.3.39-tuxcare.10 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@5.3.39-tuxcare.10" } ] }, { "bom-ref": "urn:uuid:3f5e426b-4835-5f20-be4a-45f2ae66046f", "id": "CVE-2026-22737", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22737 affects version 5.3.39-tuxcare.10 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@5.3.39-tuxcare.10" } ] }, { "bom-ref": "urn:uuid:a6fa903e-70c9-5520-8af2-6d44b09a64a3", "id": "CVE-2026-22740", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22740 is fixed in version 5.3.39-tuxcare.10 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@5.3.39-tuxcare.10" } ] }, { "bom-ref": "urn:uuid:0476163c-f444-5d3b-a67d-325e208943f7", "id": "CVE-2026-22741", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22741 affects version 5.3.39-tuxcare.10 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@5.3.39-tuxcare.10" } ] }, { "bom-ref": "urn:uuid:6f58b0e1-fd24-58c1-a1f6-40e87500865c", "id": "CVE-2026-22745", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22745 affects version 5.3.39-tuxcare.10 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@5.3.39-tuxcare.10" } ] }, { "bom-ref": "urn:uuid:6500f67e-68b4-537c-b306-24633d15a8cc", "id": "CVE-2026-41838", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41838 affects version 5.3.39-tuxcare.10 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@5.3.39-tuxcare.10" } ] }, { "bom-ref": "urn:uuid:4087d5da-7f70-5d79-a459-520ad0f00234", "id": "CVE-2026-41839", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41839 affects version 5.3.39-tuxcare.10 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@5.3.39-tuxcare.10" } ] }, { "bom-ref": "urn:uuid:dba2b073-5b07-56a0-9ebd-4e149c4f0e50", "id": "CVE-2026-41840", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41840 does not affect version 5.3.39-tuxcare.10 of org.springframework:spring-websocket. already_fixed \u2014 The target Spring Framework 5.3.39-tuxcare.12 already contains both vendor fixes for CVE-2026-41840. The fixes were backported via commit 4ef4cdca34 (May 13, 2026) under CVE-2026-22740, but the code changes are identical to the upstream patches. Both doOnDiscard handlers are present and active in PartGenerator.java and MultipartHttpMessageReader.java, preventing memory exhaustion from unrelease..." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@5.3.39-tuxcare.10" } ] }, { "bom-ref": "urn:uuid:840013dc-b0bc-5881-8236-22e6d645bee9", "id": "CVE-2026-41841", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41841 affects version 5.3.39-tuxcare.10 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@5.3.39-tuxcare.10" } ] }, { "bom-ref": "urn:uuid:7d1df326-4b29-5518-aa64-88e910447d72", "id": "CVE-2026-41842", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41842 affects version 5.3.39-tuxcare.10 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@5.3.39-tuxcare.10" } ] }, { "bom-ref": "urn:uuid:3e1b33f0-ccbe-5b03-97eb-d05cefce5db9", "id": "CVE-2026-41843", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41843 affects version 5.3.39-tuxcare.10 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@5.3.39-tuxcare.10" } ] }, { "bom-ref": "urn:uuid:8c1436b0-5726-5681-8e26-91ab4cde2579", "id": "CVE-2026-41844", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41844 affects version 5.3.39-tuxcare.10 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@5.3.39-tuxcare.10" } ] }, { "bom-ref": "urn:uuid:3dc463b5-c602-5ae9-b1b2-62cec9f1bacb", "id": "CVE-2026-41845", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41845 affects version 5.3.39-tuxcare.10 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@5.3.39-tuxcare.10" } ] }, { "bom-ref": "urn:uuid:46d17cb3-f3b9-58f4-ab0e-51ba68ade9c6", "id": "CVE-2026-41846", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41846 affects version 5.3.39-tuxcare.10 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@5.3.39-tuxcare.10" } ] }, { "bom-ref": "urn:uuid:ba37b6ab-c7cf-5803-8c5c-5183eb1c05ba", "id": "CVE-2026-41847", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41847 affects version 5.3.39-tuxcare.10 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@5.3.39-tuxcare.10" } ] }, { "bom-ref": "urn:uuid:cfba6fef-3c9f-5ebb-b0e1-17726103607b", "id": "CVE-2026-41848", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41848 affects version 5.3.39-tuxcare.10 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@5.3.39-tuxcare.10" } ] }, { "bom-ref": "urn:uuid:7801d0ee-3302-54e2-a321-23643d411c1b", "id": "CVE-2026-41849", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41849 affects version 5.3.39-tuxcare.10 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@5.3.39-tuxcare.10" } ] }, { "bom-ref": "urn:uuid:10e8a791-41fc-5120-a075-e742a4e445aa", "id": "CVE-2026-41850", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41850 affects version 5.3.39-tuxcare.10 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@5.3.39-tuxcare.10" } ] }, { "bom-ref": "urn:uuid:b89b05ab-0b54-596a-9c56-87de3d3ae965", "id": "CVE-2026-41851", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41851 affects version 5.3.39-tuxcare.10 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@5.3.39-tuxcare.10" } ] }, { "bom-ref": "urn:uuid:042fd97b-2c87-52f7-a752-9f3ad18d8e81", "id": "CVE-2026-41852", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41852 affects version 5.3.39-tuxcare.10 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@5.3.39-tuxcare.10" } ] }, { "bom-ref": "urn:uuid:5bdb3623-d36c-5a4f-8946-1a1667c0a1e3", "id": "CVE-2026-41853", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41853 affects version 5.3.39-tuxcare.10 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@5.3.39-tuxcare.10" } ] }, { "bom-ref": "urn:uuid:5a48fb7b-d755-55b6-ae37-ec096c4c7025", "id": "CVE-2026-41855", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41855 affects version 5.3.39-tuxcare.10 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@5.3.39-tuxcare.10" } ] } ], "dependencies": [ { "ref": "pkg:maven/org.springframework/spring-websocket@5.3.39-tuxcare.10" } ] }