{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:7119e468-de48-5644-9eae-0ec4f1a58a0c", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:maven/org.springframework/spring@5.3.27-tuxcare.4", "type": "library", "group": "org.springframework", "name": "spring", "version": "5.3.27-tuxcare.4", "purl": "pkg:maven/org.springframework/spring@5.3.27-tuxcare.4" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:0a6b58e9-58d4-5724-b2aa-9d711f59bbdf", "id": "CVE-2016-1000027", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2016-1000027 affects version 5.3.27-tuxcare.4 of org.springframework:spring." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring@5.3.27-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:4d6de86e-6556-5bb5-b21b-258e34ba9ba6", "id": "CVE-2024-22243", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-22243 is fixed in version 5.3.27-tuxcare.4 of org.springframework:spring." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring@5.3.27-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:2e174591-fb4c-5077-989b-e574dce02419", "id": "CVE-2024-22259", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-22259 is fixed in version 5.3.27-tuxcare.4 of org.springframework:spring." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring@5.3.27-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:505c75bf-2afb-5e3d-8480-e3fe9102a3e9", "id": "CVE-2024-22262", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-22262 is fixed in version 5.3.27-tuxcare.4 of org.springframework:spring." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring@5.3.27-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:e8d96ca2-5d82-5885-81d9-8f1a9a1088bb", "id": "CVE-2024-38808", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38808 is fixed in version 5.3.27-tuxcare.4 of org.springframework:spring." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring@5.3.27-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:c6d93dd6-43e3-51e4-a705-c4433e9850c6", "id": "CVE-2024-38809", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38809 is fixed in version 5.3.27-tuxcare.4 of org.springframework:spring." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring@5.3.27-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:1c248cac-a580-52d1-bce1-53d608e5ff66", "id": "CVE-2024-38816", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38816 is fixed in version 5.3.27-tuxcare.4 of org.springframework:spring." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring@5.3.27-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:56d03589-fa75-5cde-998f-c00e227f742e", "id": "CVE-2024-38819", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38819 is fixed in version 5.3.27-tuxcare.4 of org.springframework:spring." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring@5.3.27-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:f630703f-ab71-5a0a-8976-d217882d446d", "id": "CVE-2024-38820", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38820 is fixed in version 5.3.27-tuxcare.4 of org.springframework:spring." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring@5.3.27-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:aad00f95-1d4c-5869-9247-fa699db14e67", "id": "CVE-2024-38828", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38828 is fixed in version 5.3.27-tuxcare.4 of org.springframework:spring." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring@5.3.27-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:f4d65ef6-6561-54a0-b809-92e39d825a28", "id": "CVE-2025-22233", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-22233 is fixed in version 5.3.27-tuxcare.4 of org.springframework:spring." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring@5.3.27-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:db117ac3-ade5-5372-9790-6b95bfa47d5e", "id": "CVE-2025-41234", "analysis": { "state": "false_positive", "detail": "Vulnerability CVE-2025-41234 is a false positive for org.springframework:spring 5.3.27-tuxcare.4." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring@5.3.27-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:6f970501-ce55-58e2-865f-d54e018df847", "id": "CVE-2025-41242", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-41242 is fixed in version 5.3.27-tuxcare.4 of org.springframework:spring." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring@5.3.27-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:3814c984-74b9-5fdc-a342-ef431045baf8", "id": "CVE-2025-41249", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-41249 is fixed in version 5.3.27-tuxcare.4 of org.springframework:spring." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring@5.3.27-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:5cd4c185-75c7-5862-92bc-827413ffdc61", "id": "CVE-2025-41254", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-41254 is fixed in version 5.3.27-tuxcare.4 of org.springframework:spring." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring@5.3.27-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:611da871-4ddb-5fa1-836c-003b2d2d007f", "id": "CVE-2026-22735", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22735 affects version 5.3.27-tuxcare.4 of org.springframework:spring." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring@5.3.27-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:f77ccd64-7812-5a0c-b0a0-17db5ae363f4", "id": "CVE-2026-22737", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22737 affects version 5.3.27-tuxcare.4 of org.springframework:spring." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring@5.3.27-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:1faa5d51-ecb0-5dc0-b24c-734c5fd891c6", "id": "CVE-2026-22740", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22740 affects version 5.3.27-tuxcare.4 of org.springframework:spring." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring@5.3.27-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:a7f9eda7-252d-56d1-845c-a5f330e08e36", "id": "CVE-2026-22741", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22741 affects version 5.3.27-tuxcare.4 of org.springframework:spring." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring@5.3.27-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:788cc87d-6607-57cf-ac63-2b49e1f17c34", "id": "CVE-2026-22745", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22745 affects version 5.3.27-tuxcare.4 of org.springframework:spring." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring@5.3.27-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:00a78a19-56ba-50f0-b0df-5e9c1e9eb61e", "id": "CVE-2026-41838", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41838 affects version 5.3.27-tuxcare.4 of org.springframework:spring." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring@5.3.27-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:e215f4f4-7e5b-5754-aba6-c2b355e2248a", "id": "CVE-2026-41839", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41839 affects version 5.3.27-tuxcare.4 of org.springframework:spring." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring@5.3.27-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:4e23fe6b-d908-52ee-8e51-732f3a4b5793", "id": "CVE-2026-41840", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41840 does not affect version 5.3.27-tuxcare.4 of org.springframework:spring. already_fixed \u2014 The target repository (Spring Framework 5.3.27-tuxcare.5) already contains the fix for CVE-2026-41840. The vulnerability was previously addressed through backport commits for CVE-2026-22740, which applied the identical doOnDiscard cleanup logic to prevent resource exhaustion from multipart request processing." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring@5.3.27-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:b122e7f1-c47a-577f-9aae-b0947a27acc3", "id": "CVE-2026-41841", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41841 affects version 5.3.27-tuxcare.4 of org.springframework:spring." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring@5.3.27-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:b20d6a0f-b073-544e-8b6c-a1c0ea6dec91", "id": "CVE-2026-41842", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41842 affects version 5.3.27-tuxcare.4 of org.springframework:spring." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring@5.3.27-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:c275b509-c4f8-5aef-a96c-e4b05ae0c235", "id": "CVE-2026-41843", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41843 affects version 5.3.27-tuxcare.4 of org.springframework:spring." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring@5.3.27-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:328c49b2-d6ce-5682-a5c2-91af5147dacb", "id": "CVE-2026-41844", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41844 affects version 5.3.27-tuxcare.4 of org.springframework:spring." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring@5.3.27-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:efebbee9-7bbd-5887-ad2e-6c8282846d45", "id": "CVE-2026-41845", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41845 affects version 5.3.27-tuxcare.4 of org.springframework:spring." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring@5.3.27-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:9ada50e2-9f26-58af-aa84-687c829e171d", "id": "CVE-2026-41846", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41846 affects version 5.3.27-tuxcare.4 of org.springframework:spring." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring@5.3.27-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:eea4db06-b193-5425-a7d2-0897b6488d4f", "id": "CVE-2026-41847", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41847 does not affect version 5.3.27-tuxcare.4 of org.springframework:spring. already_fixed \u2014 The target repository (Spring Framework 5.3.27-tuxcare.5) already contains the fix for CVE-2026-41847. The upstream commit 07ba95739bf4451742e4ee6b4d4b2d0ee5f701bf is present in the current branch, and source code inspection confirms the vulnerability has been patched." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring@5.3.27-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:1e21ae31-dd40-5b87-b5e9-d1eeadec265f", "id": "CVE-2026-41848", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41848 affects version 5.3.27-tuxcare.4 of org.springframework:spring." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring@5.3.27-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:27d14a72-b70f-5fd1-97e1-f0263e33146d", "id": "CVE-2026-41849", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41849 affects version 5.3.27-tuxcare.4 of org.springframework:spring." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring@5.3.27-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:a8892ba8-2411-5b62-be06-f3e921ebf66d", "id": "CVE-2026-41850", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41850 affects version 5.3.27-tuxcare.4 of org.springframework:spring." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring@5.3.27-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:420bd05e-ea6b-58d5-a5ef-34089f0509bc", "id": "CVE-2026-41851", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41851 affects version 5.3.27-tuxcare.4 of org.springframework:spring." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring@5.3.27-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:1980c006-8a9c-52af-8902-363c5001e8c8", "id": "CVE-2026-41852", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41852 affects version 5.3.27-tuxcare.4 of org.springframework:spring." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring@5.3.27-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:8d3b2fcc-290a-54e1-9e01-702db2c928a8", "id": "CVE-2026-41853", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41853 affects version 5.3.27-tuxcare.4 of org.springframework:spring." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring@5.3.27-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:c15e0aaf-e630-5d17-a9bd-d1c5b84371c0", "id": "CVE-2026-41855", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41855 affects version 5.3.27-tuxcare.4 of org.springframework:spring." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring@5.3.27-tuxcare.4" } ] } ], "dependencies": [ { "ref": "pkg:maven/org.springframework/spring@5.3.27-tuxcare.4" } ] }