{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:4847bd2f-dcf2-5233-bc9d-986cd1c14bf7", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:maven/org.springframework/spring-websocket@6.1.20-tuxcare.4", "type": "library", "group": "org.springframework", "name": "spring-websocket", "version": "6.1.20-tuxcare.4", "purl": "pkg:maven/org.springframework/spring-websocket@6.1.20-tuxcare.4" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:ad781c47-1372-59e2-9e5e-f7ec13582e8c", "id": "CVE-2025-22233", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-22233 affects version 6.1.20-tuxcare.4 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@6.1.20-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:3392c237-f46f-5ec8-8dff-aa18480d2be3", "id": "CVE-2025-41234", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-41234 is fixed in version 6.1.20-tuxcare.4 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@6.1.20-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:c4fc0a69-358a-5786-92e8-056eca44c80c", "id": "CVE-2025-41242", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41242 affects version 6.1.20-tuxcare.4 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@6.1.20-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:245bb953-a6aa-50ca-96cc-9f054fd97018", "id": "CVE-2025-41249", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41249 affects version 6.1.20-tuxcare.4 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@6.1.20-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:4d469149-9ea9-5a2e-99b3-1cd7c1a90889", "id": "CVE-2025-41254", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41254 affects version 6.1.20-tuxcare.4 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@6.1.20-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:5bc8e4fb-38aa-5905-9fb5-b39b42f04bd8", "id": "CVE-2026-22735", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22735 is fixed in version 6.1.20-tuxcare.4 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@6.1.20-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:3ff5ca7c-cfe2-5ec4-af5f-7b35ea3c77dd", "id": "CVE-2026-22737", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22737 is fixed in version 6.1.20-tuxcare.4 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@6.1.20-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:b7e97f18-4036-5754-81ae-67800ec59243", "id": "CVE-2026-22740", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22740 is fixed in version 6.1.20-tuxcare.4 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@6.1.20-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:46f4ec80-a58a-5d2c-adb0-811993c1db10", "id": "CVE-2026-22741", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22741 is fixed in version 6.1.20-tuxcare.4 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@6.1.20-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:07cfc641-e47e-5702-9650-1274c082c471", "id": "CVE-2026-22745", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22745 is fixed in version 6.1.20-tuxcare.4 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@6.1.20-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:86ffe431-f2b4-5b29-b987-9808a9ff6172", "id": "CVE-2026-41838", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41838 affects version 6.1.20-tuxcare.4 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@6.1.20-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:2d3b7eea-2ddc-50bf-bc9e-d6d5e63046f7", "id": "CVE-2026-41839", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41839 affects version 6.1.20-tuxcare.4 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@6.1.20-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:0dee99a9-333e-5031-99b5-527c236d9ac2", "id": "CVE-2026-41840", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41840 does not affect version 6.1.20-tuxcare.4 of org.springframework:spring-websocket. already_fixed \u2014 Spring Framework 6.1.20-tuxcare.4 already contains both doOnDiscard handlers that prevent the multipart memory leak vulnerability. The fixes were applied via TuxCare backport commit a6b78f2a1c on May 19, 2026 under CVE-2026-22740, which appears to be the same or closely related vulnerability as CVE-2026-41840." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@6.1.20-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:61b549fe-0447-5022-a1dc-fdf1f9517089", "id": "CVE-2026-41841", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41841 affects version 6.1.20-tuxcare.4 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@6.1.20-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:8c5864f9-a0ae-5b1b-8e4f-e77354ec3689", "id": "CVE-2026-41842", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41842 affects version 6.1.20-tuxcare.4 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@6.1.20-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:7cd8f46c-2fb3-51ba-9205-d5b8b6a8f7be", "id": "CVE-2026-41843", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41843 affects version 6.1.20-tuxcare.4 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@6.1.20-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:f1bf8f69-e9a2-5349-a041-d408e6de844a", "id": "CVE-2026-41844", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41844 affects version 6.1.20-tuxcare.4 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@6.1.20-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:e10c3417-9518-58ea-9b7e-750d118dd5da", "id": "CVE-2026-41845", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41845 affects version 6.1.20-tuxcare.4 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@6.1.20-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:80dc850e-cd7c-5e0e-8992-7f85f779cf12", "id": "CVE-2026-41846", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41846 affects version 6.1.20-tuxcare.4 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@6.1.20-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:8049d6d3-df74-535e-9169-be4d5548dbd4", "id": "CVE-2026-41848", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41848 affects version 6.1.20-tuxcare.4 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@6.1.20-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:85ca8148-cd98-5d82-a450-8b32963995a7", "id": "CVE-2026-41850", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41850 affects version 6.1.20-tuxcare.4 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@6.1.20-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:b509cc2b-19ba-524c-8e9e-d1756f3e3a18", "id": "CVE-2026-41851", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41851 affects version 6.1.20-tuxcare.4 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@6.1.20-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:0e475006-b112-5603-963c-e054b89f153a", "id": "CVE-2026-41852", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41852 affects version 6.1.20-tuxcare.4 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@6.1.20-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:f270eab4-59f6-5e17-9aa8-c579a9c6594e", "id": "CVE-2026-41853", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41853 affects version 6.1.20-tuxcare.4 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@6.1.20-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:b41c24ef-0137-5196-8b60-f7458b148aee", "id": "CVE-2026-41855", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41855 affects version 6.1.20-tuxcare.4 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@6.1.20-tuxcare.4" } ] } ], "dependencies": [ { "ref": "pkg:maven/org.springframework/spring-websocket@6.1.20-tuxcare.4" } ] }