{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:a7ad184e-6a35-5db6-aff9-183bdd03890a", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:maven/org.springframework/spring@5.3.27.tuxcare.1", "type": "library", "group": "org.springframework", "name": "spring", "version": "5.3.27.tuxcare.1", "purl": "pkg:maven/org.springframework/spring@5.3.27.tuxcare.1" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:b727ec16-0d36-53e0-8fa5-e30c74fa44e6", "id": "CVE-2016-1000027", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2016-1000027 affects version 5.3.27.tuxcare.1 of org.springframework:spring." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring@5.3.27.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:f1d09df8-89a1-56c2-91d2-3b1783b86111", "id": "CVE-2024-22243", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-22243 is fixed in version 5.3.27.tuxcare.1 of org.springframework:spring." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring@5.3.27.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:a672932d-8a33-53af-844c-e092cc81b425", "id": "CVE-2024-22259", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-22259 is fixed in version 5.3.27.tuxcare.1 of org.springframework:spring." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring@5.3.27.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:78590c16-bce3-5930-9b14-276f053055c2", "id": "CVE-2024-22262", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-22262 affects version 5.3.27.tuxcare.1 of org.springframework:spring." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring@5.3.27.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:03541145-ba1d-52f9-83e5-494ab8770ba8", "id": "CVE-2024-38808", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38808 is fixed in version 5.3.27.tuxcare.1 of org.springframework:spring." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring@5.3.27.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:6065cbae-2e3d-5e46-8d7b-f3a2fcd8a47a", "id": "CVE-2024-38809", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38809 is fixed in version 5.3.27.tuxcare.1 of org.springframework:spring." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring@5.3.27.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:535bc034-6219-51a3-843e-8375f7a3fc70", "id": "CVE-2024-38816", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38816 affects version 5.3.27.tuxcare.1 of org.springframework:spring." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring@5.3.27.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:97a02782-29d5-522b-b3b6-5646c773a38c", "id": "CVE-2024-38819", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38819 affects version 5.3.27.tuxcare.1 of org.springframework:spring." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring@5.3.27.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:4a38bea1-ed42-5179-b66a-d0f33a6a3879", "id": "CVE-2024-38820", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38820 is fixed in version 5.3.27.tuxcare.1 of org.springframework:spring." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring@5.3.27.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:6e3cf1d0-860d-5c78-8c8d-e0d0890afde9", "id": "CVE-2024-38828", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38828 is fixed in version 5.3.27.tuxcare.1 of org.springframework:spring." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring@5.3.27.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:fd139ba7-5643-5754-b142-e99f985c9738", "id": "CVE-2025-22233", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-22233 is fixed in version 5.3.27.tuxcare.1 of org.springframework:spring." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring@5.3.27.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:b0b868d1-557b-5a9e-a7c5-fda674773c7b", "id": "CVE-2025-41234", "analysis": { "state": "false_positive", "detail": "Vulnerability CVE-2025-41234 is a false positive for org.springframework:spring 5.3.27.tuxcare.1." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring@5.3.27.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:da929344-a691-5330-bf45-cd125c629046", "id": "CVE-2025-41242", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41242 affects version 5.3.27.tuxcare.1 of org.springframework:spring." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring@5.3.27.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:8f7a151c-0b33-5a21-bb06-c88f4b83aa63", "id": "CVE-2025-41249", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41249 affects version 5.3.27.tuxcare.1 of org.springframework:spring." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring@5.3.27.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:8f6db00d-f9c6-5b2d-83a3-ee19a6ce2221", "id": "CVE-2025-41254", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41254 affects version 5.3.27.tuxcare.1 of org.springframework:spring." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring@5.3.27.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:d07415dd-0a3a-53c7-ba60-eadae721a86b", "id": "CVE-2026-22735", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22735 affects version 5.3.27.tuxcare.1 of org.springframework:spring." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring@5.3.27.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:28b8a272-c5f0-5809-a4da-77d3d1809894", "id": "CVE-2026-22737", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22737 affects version 5.3.27.tuxcare.1 of org.springframework:spring." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring@5.3.27.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:15891303-9ec4-5dbb-8634-9726a958e632", "id": "CVE-2026-22740", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22740 affects version 5.3.27.tuxcare.1 of org.springframework:spring." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring@5.3.27.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:cdfc882e-9bf1-52f5-a533-8b16113f3997", "id": "CVE-2026-22741", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22741 affects version 5.3.27.tuxcare.1 of org.springframework:spring." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring@5.3.27.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:41c81c08-336a-5895-bc2b-84a9f35c0ae8", "id": "CVE-2026-22745", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22745 affects version 5.3.27.tuxcare.1 of org.springframework:spring." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring@5.3.27.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:1d3467e1-134e-58db-b692-50aae57533d2", "id": "CVE-2026-41838", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41838 affects version 5.3.27.tuxcare.1 of org.springframework:spring." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring@5.3.27.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:b4916cc7-6b3a-59fd-b566-6b573b5c6087", "id": "CVE-2026-41839", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41839 affects version 5.3.27.tuxcare.1 of org.springframework:spring." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring@5.3.27.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:e8be5a15-6d5c-5897-82ef-bd5a6aa7db8b", "id": "CVE-2026-41840", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41840 does not affect version 5.3.27.tuxcare.1 of org.springframework:spring. already_fixed \u2014 The target repository (Spring Framework 5.3.27-tuxcare.5) already contains the fix for CVE-2026-41840. The vulnerability was previously addressed through backport commits for CVE-2026-22740, which applied the identical doOnDiscard cleanup logic to prevent resource exhaustion from multipart request processing." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring@5.3.27.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:07ab9d4d-5d36-5917-915b-544528a9ee51", "id": "CVE-2026-41841", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41841 affects version 5.3.27.tuxcare.1 of org.springframework:spring." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring@5.3.27.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:3573c5c1-7f56-5f6b-8bf0-6dcd96919e18", "id": "CVE-2026-41842", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41842 affects version 5.3.27.tuxcare.1 of org.springframework:spring." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring@5.3.27.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:c5c02dc9-bf64-50f6-af0e-d4b66e36a1d3", "id": "CVE-2026-41843", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41843 affects version 5.3.27.tuxcare.1 of org.springframework:spring." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring@5.3.27.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:0ee14857-be11-5c69-9e7c-f40442019dc4", "id": "CVE-2026-41844", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41844 affects version 5.3.27.tuxcare.1 of org.springframework:spring." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring@5.3.27.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:bf9509ce-6f77-5481-a272-8509df2a48ca", "id": "CVE-2026-41845", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41845 affects version 5.3.27.tuxcare.1 of org.springframework:spring." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring@5.3.27.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:d4f65507-ae66-5459-a205-7f91de760719", "id": "CVE-2026-41846", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41846 affects version 5.3.27.tuxcare.1 of org.springframework:spring." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring@5.3.27.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:b26355d5-0c93-528c-8d5b-90dda539bc6c", "id": "CVE-2026-41847", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41847 does not affect version 5.3.27.tuxcare.1 of org.springframework:spring. already_fixed \u2014 The target repository (Spring Framework 5.3.27-tuxcare.5) already contains the fix for CVE-2026-41847. The upstream commit 07ba95739bf4451742e4ee6b4d4b2d0ee5f701bf is present in the current branch, and source code inspection confirms the vulnerability has been patched." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring@5.3.27.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:94c28f8f-bd65-5ea3-98ac-cc4cb0f9e628", "id": "CVE-2026-41848", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41848 affects version 5.3.27.tuxcare.1 of org.springframework:spring." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring@5.3.27.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:b96f6559-f5b8-5459-878f-4f02adb53e05", "id": "CVE-2026-41849", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41849 affects version 5.3.27.tuxcare.1 of org.springframework:spring." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring@5.3.27.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:7131af09-7de2-53d1-980b-82693ec6af24", "id": "CVE-2026-41850", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41850 affects version 5.3.27.tuxcare.1 of org.springframework:spring." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring@5.3.27.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:cccc9cd9-04cd-5275-a840-44aa351067b0", "id": "CVE-2026-41851", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41851 affects version 5.3.27.tuxcare.1 of org.springframework:spring." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring@5.3.27.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:e926113a-7f05-5438-b498-8008a053108f", "id": "CVE-2026-41852", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41852 affects version 5.3.27.tuxcare.1 of org.springframework:spring." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring@5.3.27.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:e7a7de5a-f441-5f43-9935-f85be6139074", "id": "CVE-2026-41853", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41853 affects version 5.3.27.tuxcare.1 of org.springframework:spring." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring@5.3.27.tuxcare.1" } ] }, { "bom-ref": "urn:uuid:c34f997f-5a4a-5b19-aae9-b907e5de81bc", "id": "CVE-2026-41855", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41855 affects version 5.3.27.tuxcare.1 of org.springframework:spring." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring@5.3.27.tuxcare.1" } ] } ], "dependencies": [ { "ref": "pkg:maven/org.springframework/spring@5.3.27.tuxcare.1" } ] }