{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:c689062d-d724-5aa2-bf26-646c09f90a27", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:maven/org.springframework/spring-websocket@5.3.39.tuxcare.6", "type": "library", "group": "org.springframework", "name": "spring-websocket", "version": "5.3.39.tuxcare.6", "purl": "pkg:maven/org.springframework/spring-websocket@5.3.39.tuxcare.6" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:5d426c43-1a28-523d-ba5f-818ba8d53634", "id": "CVE-2016-1000027", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2016-1000027 affects version 5.3.39.tuxcare.6 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:d06175a4-ce8f-5cf6-b417-b35dcf4c1781", "id": "CVE-2022-22968", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2022-22968 does not affect version 5.3.39.tuxcare.6 of org.springframework:spring-websocket. Spring version 5.3.39 is not affected to CVE-2022-22968 as fix has been already already backported by the original developers" }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:779d256b-a43b-5b4a-bd75-245b0cbbbecb", "id": "CVE-2024-38816", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38816 is fixed in version 5.3.39.tuxcare.6 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:5106f207-d148-520a-98e0-51180094c0db", "id": "CVE-2024-38819", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38819 is fixed in version 5.3.39.tuxcare.6 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:9c93fbe2-48bf-59b9-b5ff-926430d2de91", "id": "CVE-2024-38820", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38820 is fixed in version 5.3.39.tuxcare.6 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:f44c3089-105a-5c6d-b0f4-0b17b48b48d7", "id": "CVE-2024-38828", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38828 is fixed in version 5.3.39.tuxcare.6 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:1def804f-37f8-51c2-af4c-ef2de8aca15a", "id": "CVE-2025-22233", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-22233 is fixed in version 5.3.39.tuxcare.6 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:741d4140-60bf-5a91-bbaa-41970fa599c9", "id": "CVE-2025-41234", "analysis": { "state": "false_positive", "detail": "Vulnerability CVE-2025-41234 is a false positive for org.springframework:spring-websocket 5.3.39.tuxcare.6." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:18efbadf-2884-5249-8e91-5325709a81d2", "id": "CVE-2025-41242", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41242 affects version 5.3.39.tuxcare.6 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:b5e1b380-dc2b-5f94-9377-bf54e5338746", "id": "CVE-2025-41249", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41249 affects version 5.3.39.tuxcare.6 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:ac07362b-c372-554d-9842-f9adf03343a7", "id": "CVE-2025-41254", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41254 affects version 5.3.39.tuxcare.6 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:05124c79-bde2-5325-9405-4e547865764a", "id": "CVE-2026-22735", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22735 affects version 5.3.39.tuxcare.6 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:88f16d66-2cc7-5c89-8e73-d07cc18a6f34", "id": "CVE-2026-22737", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22737 affects version 5.3.39.tuxcare.6 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:2e7f6018-47f2-5505-8709-992ee3a7cae3", "id": "CVE-2026-22740", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22740 affects version 5.3.39.tuxcare.6 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:ca9e18ff-9d12-537a-a5c9-1de96e5d3c49", "id": "CVE-2026-22741", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22741 affects version 5.3.39.tuxcare.6 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:09107dfc-3564-521b-a123-9aa0fb76e0c1", "id": "CVE-2026-22745", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22745 affects version 5.3.39.tuxcare.6 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:1adf7f0c-826b-5359-bcec-5240c68d8007", "id": "CVE-2026-41838", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41838 affects version 5.3.39.tuxcare.6 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:4d66f971-2381-53cc-881f-e33e0cfbc31d", "id": "CVE-2026-41839", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41839 affects version 5.3.39.tuxcare.6 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:c5365b4e-51a0-5764-8065-15d387f2ba07", "id": "CVE-2026-41840", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41840 does not affect version 5.3.39.tuxcare.6 of org.springframework:spring-websocket. already_fixed \u2014 The target Spring Framework 5.3.39-tuxcare.12 already contains both vendor fixes for CVE-2026-41840. The fixes were backported via commit 4ef4cdca34 (May 13, 2026) under CVE-2026-22740, but the code changes are identical to the upstream patches. Both doOnDiscard handlers are present and active in PartGenerator.java and MultipartHttpMessageReader.java, preventing memory exhaustion from unrelease..." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:a9ced96f-8335-51cf-8b54-fb943e883cd7", "id": "CVE-2026-41841", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41841 affects version 5.3.39.tuxcare.6 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:01c86115-c494-566b-aee4-4e856fc74e21", "id": "CVE-2026-41842", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41842 affects version 5.3.39.tuxcare.6 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:65a1f133-d8ce-5b2d-ba28-4531dab4f79a", "id": "CVE-2026-41843", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41843 affects version 5.3.39.tuxcare.6 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:6b65252d-00e0-51fc-9056-10315eb21345", "id": "CVE-2026-41844", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41844 affects version 5.3.39.tuxcare.6 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:f6166c23-04da-55a3-941a-d791087baf5c", "id": "CVE-2026-41845", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41845 affects version 5.3.39.tuxcare.6 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:bf9d7fe9-cb97-53d5-a83f-ed95145f91bd", "id": "CVE-2026-41846", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41846 affects version 5.3.39.tuxcare.6 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:477ff6e9-ad4b-5e38-97b0-bd696b55ee8f", "id": "CVE-2026-41847", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41847 affects version 5.3.39.tuxcare.6 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:6c8276eb-33c0-5f57-8555-6d8b50e6b9e1", "id": "CVE-2026-41848", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41848 affects version 5.3.39.tuxcare.6 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:997f228a-b32c-5f33-84ff-26a2dbb6a420", "id": "CVE-2026-41849", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41849 affects version 5.3.39.tuxcare.6 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:a559d2ad-cdec-524e-ad58-e5dffb4868c2", "id": "CVE-2026-41850", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41850 affects version 5.3.39.tuxcare.6 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:c96e3791-2a55-5a94-9123-420730297d5a", "id": "CVE-2026-41851", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41851 affects version 5.3.39.tuxcare.6 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:abee7d57-57e0-5d3d-bab0-4b188006e1b5", "id": "CVE-2026-41852", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41852 affects version 5.3.39.tuxcare.6 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:51367a03-a956-5767-8242-744ac51ffc76", "id": "CVE-2026-41853", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41853 affects version 5.3.39.tuxcare.6 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@5.3.39.tuxcare.6" } ] }, { "bom-ref": "urn:uuid:d32dac56-b8fd-5e4c-96ef-97deabfb81a8", "id": "CVE-2026-41855", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41855 affects version 5.3.39.tuxcare.6 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@5.3.39.tuxcare.6" } ] } ], "dependencies": [ { "ref": "pkg:maven/org.springframework/spring-websocket@5.3.39.tuxcare.6" } ] }