{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:aff886e6-03c8-586f-9b93-2bc80197a070", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:maven/org.springframework/spring-aop@3.1.1.RELEASE-tuxcare.3", "type": "library", "group": "org.springframework", "name": "spring-aop", "version": "3.1.1.RELEASE-tuxcare.3", "purl": "pkg:maven/org.springframework/spring-aop@3.1.1.RELEASE-tuxcare.3" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:b117879f-908f-509c-a991-b9ac7d6410be", "id": "CVE-2013-4152", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2013-4152 is fixed in version 3.1.1.RELEASE-tuxcare.3 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@3.1.1.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:27d0b16d-5f5e-52bc-bf3d-a65a148793e7", "id": "CVE-2013-6429", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2013-6429 is fixed in version 3.1.1.RELEASE-tuxcare.3 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@3.1.1.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:1ea616db-e0a8-5ba6-922e-4e90cbfdd9ba", "id": "CVE-2013-6430", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2013-6430 is fixed in version 3.1.1.RELEASE-tuxcare.3 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@3.1.1.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:534ae87e-d147-52d0-b6cb-857cfebee91a", "id": "CVE-2013-7315", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2013-7315 affects version 3.1.1.RELEASE-tuxcare.3 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@3.1.1.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:1c0ed2a1-38aa-570f-9658-e007406ddad5", "id": "CVE-2014-0054", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2014-0054 is fixed in version 3.1.1.RELEASE-tuxcare.3 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@3.1.1.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:457a479f-f33c-588d-9633-5f4c4303554e", "id": "CVE-2014-0225", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2014-0225 is fixed in version 3.1.1.RELEASE-tuxcare.3 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@3.1.1.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:0a1eee0f-11d4-52c3-86d1-bbf4c790a471", "id": "CVE-2014-1904", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2014-1904 is fixed in version 3.1.1.RELEASE-tuxcare.3 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@3.1.1.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:dcaf0fb6-0fd9-57c8-ae90-869a4262b575", "id": "CVE-2014-3578", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2014-3578 is fixed in version 3.1.1.RELEASE-tuxcare.3 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@3.1.1.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:7a4436a2-4e0b-56e4-ad2f-08dcee4a1d03", "id": "CVE-2014-3625", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2014-3625 is fixed in version 3.1.1.RELEASE-tuxcare.3 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@3.1.1.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:8cfb26e6-ad1e-571b-9a30-9c6b5cb316e8", "id": "CVE-2015-3192", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2015-3192 is fixed in version 3.1.1.RELEASE-tuxcare.3 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@3.1.1.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:112ee0a4-cc60-5a92-885b-d544f508558b", "id": "CVE-2015-5211", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2015-5211 is fixed in version 3.1.1.RELEASE-tuxcare.3 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@3.1.1.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:2a58eb0e-cfa7-5092-9e00-e363127e8550", "id": "CVE-2016-1000027", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2016-1000027 affects version 3.1.1.RELEASE-tuxcare.3 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@3.1.1.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:a332b444-0d91-526c-8e6e-187cf68654fa", "id": "CVE-2016-5007", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2016-5007 is fixed in version 3.1.1.RELEASE-tuxcare.3 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@3.1.1.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:9e87b9f6-4faa-538b-922d-ed42e6c8939a", "id": "CVE-2016-9878", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2016-9878 is fixed in version 3.1.1.RELEASE-tuxcare.3 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@3.1.1.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:3e3bb700-0444-588f-bbe0-3b54b95795eb", "id": "CVE-2018-11039", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-11039 is fixed in version 3.1.1.RELEASE-tuxcare.3 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@3.1.1.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:a02140f5-a392-563e-b335-3cecab9e3321", "id": "CVE-2018-11040", "analysis": { "state": "false_positive", "detail": "Vulnerability CVE-2018-11040 is a false positive for org.springframework:spring-aop 3.1.1.RELEASE-tuxcare.3." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@3.1.1.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:dd60f73a-0f4b-5789-9ab4-94efc4dabd54", "id": "CVE-2018-1257", "analysis": { "state": "false_positive", "detail": "Vulnerability CVE-2018-1257 is a false positive for org.springframework:spring-aop 3.1.1.RELEASE-tuxcare.3." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@3.1.1.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:85777051-1be6-53c7-8ea1-1d30bea3088b", "id": "CVE-2018-1270", "analysis": { "state": "false_positive", "detail": "Vulnerability CVE-2018-1270 is a false positive for org.springframework:spring-aop 3.1.1.RELEASE-tuxcare.3." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@3.1.1.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:812704df-d111-597a-bdb5-70009a59fd55", "id": "CVE-2018-1271", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1271 is fixed in version 3.1.1.RELEASE-tuxcare.3 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@3.1.1.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:a44866fa-8662-51a5-b9cf-31a65b9bd354", "id": "CVE-2018-1272", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2018-1272 is fixed in version 3.1.1.RELEASE-tuxcare.3 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@3.1.1.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:e88b9b3d-5f8e-5f7e-8a33-e9fcbcf77cd1", "id": "CVE-2020-5421", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2020-5421 affects version 3.1.1.RELEASE-tuxcare.3 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@3.1.1.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:21125193-95ac-5add-8e5e-8568ad6154fa", "id": "CVE-2021-22060", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2021-22060 affects version 3.1.1.RELEASE-tuxcare.3 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@3.1.1.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:e3785032-fa4a-5ae8-85cb-e1728efba262", "id": "CVE-2021-22096", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2021-22096 affects version 3.1.1.RELEASE-tuxcare.3 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@3.1.1.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:a374080f-4c5f-5d1a-bc73-19b900e3857b", "id": "CVE-2021-22118", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2021-22118 affects version 3.1.1.RELEASE-tuxcare.3 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@3.1.1.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:5819c2f9-eea3-583b-ae1e-0f960c19a91e", "id": "CVE-2022-22950", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22950 is fixed in version 3.1.1.RELEASE-tuxcare.3 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@3.1.1.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:63549de5-fc37-50df-8a03-05ffc656f35f", "id": "CVE-2022-22965", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22965 is fixed in version 3.1.1.RELEASE-tuxcare.3 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@3.1.1.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:ef6e1364-02f3-5840-9ccb-0f6cc4f4eff3", "id": "CVE-2022-22968", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22968 is fixed in version 3.1.1.RELEASE-tuxcare.3 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@3.1.1.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:f67d4c82-b80b-5386-ac1c-2a5ddd85ff20", "id": "CVE-2022-22970", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22970 is fixed in version 3.1.1.RELEASE-tuxcare.3 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@3.1.1.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:4943b796-d24e-52f5-8944-3b3f45512baa", "id": "CVE-2023-20861", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2023-20861 is fixed in version 3.1.1.RELEASE-tuxcare.3 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@3.1.1.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:e2188519-20c1-5b84-845f-a9a4314fe5c7", "id": "CVE-2023-20863", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2023-20863 is fixed in version 3.1.1.RELEASE-tuxcare.3 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@3.1.1.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:b5566dcc-9879-5574-b4fa-84be3ea7c68e", "id": "CVE-2024-22243", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-22243 is fixed in version 3.1.1.RELEASE-tuxcare.3 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@3.1.1.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:d1d32713-849f-53fd-91a6-26025d6ef380", "id": "CVE-2024-22259", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-22259 is fixed in version 3.1.1.RELEASE-tuxcare.3 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@3.1.1.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:3ca83c21-8302-58cd-9c2e-df59cc772a8b", "id": "CVE-2024-22262", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-22262 is fixed in version 3.1.1.RELEASE-tuxcare.3 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@3.1.1.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:8e9f04ab-431b-58f1-876b-121d924188ea", "id": "CVE-2024-38808", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38808 is fixed in version 3.1.1.RELEASE-tuxcare.3 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@3.1.1.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:8b06fc71-5910-5ea3-9007-d32dce5e654b", "id": "CVE-2024-38809", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38809 is fixed in version 3.1.1.RELEASE-tuxcare.3 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@3.1.1.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:18be93c1-d6ea-56e4-abcc-ce254c527c61", "id": "CVE-2024-38819", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38819 is fixed in version 3.1.1.RELEASE-tuxcare.3 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@3.1.1.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:5b2a1639-4423-55e3-b849-b9abb056f196", "id": "CVE-2024-38820", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38820 is fixed in version 3.1.1.RELEASE-tuxcare.3 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@3.1.1.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:8c22af6b-fd4b-5af7-b32f-ccc67d9e9b2b", "id": "CVE-2024-38828", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38828 is fixed in version 3.1.1.RELEASE-tuxcare.3 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@3.1.1.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:1b34544a-95da-55eb-bba1-6225b63d1040", "id": "CVE-2025-22233", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-22233 is fixed in version 3.1.1.RELEASE-tuxcare.3 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@3.1.1.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:2464dd09-894d-50cc-81a8-e28f4ac87860", "id": "CVE-2025-41242", "analysis": { "state": "false_positive", "detail": "Vulnerability CVE-2025-41242 is a false positive for org.springframework:spring-aop 3.1.1.RELEASE-tuxcare.3." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@3.1.1.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:00b0358f-cd91-5e64-9293-0317d040163b", "id": "CVE-2025-41249", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41249 affects version 3.1.1.RELEASE-tuxcare.3 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@3.1.1.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:5df5da84-cb39-5f8c-b7dc-ccafbcb632c6", "id": "CVE-2025-41254", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41254 affects version 3.1.1.RELEASE-tuxcare.3 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@3.1.1.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:b00b86a3-55cd-55b9-be45-0ee7439033a6", "id": "CVE-2026-22740", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-22740 does not affect version 3.1.1.RELEASE-tuxcare.3 of org.springframework:spring-aop. CVE-2026-22740 is a WebFlux-specific vulnerability (reactive multipart temp-file cleanup in org.springframework.http.codec.multipart.MultipartHttpMessageReader / PartGenerator). Spring Framework 3.1.1.RELEASE predates WebFlux entirely - the org.springframework.http.codec package does not exist in this version, and there is no reactive multipart code path. Per NVD, affected versions are 5.3.x, 6.1.x, 6.2.x, 7.0.x only; Spring 3.x is not in the affected range." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@3.1.1.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:7dbe988c-b408-5263-8da0-f2783d92ad4e", "id": "CVE-2026-41841", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41841 does not affect version 3.1.1.RELEASE-tuxcare.3 of org.springframework:spring-aop. not_affected \u2014 Spring Framework 3.1.1 does not contain the vulnerable CachingResourceResolver class or any server-side caching mechanism for static resource resolution. The vulnerability (CVE-2026-41841) is specific to the caching resolver feature introduced in Spring 4.1.0, approximately 2-3 years after this version was released." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@3.1.1.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:9ec5a8bb-e28f-548a-832c-ee8848595797", "id": "CVE-2026-41842", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41842 does not affect version 3.1.1.RELEASE-tuxcare.3 of org.springframework:spring-aop. not_affected \u2014 Spring Framework 3.1.1 is NOT affected by CVE-2026-41842. The vulnerability exists in content-based version strategies for static resource handling, a feature introduced in Spring Framework 4.1 (2014). Spring 3.1.1 (2011) predates this feature and contains no version removal logic in resource handling." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@3.1.1.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:3de6aa3d-96b0-5a4d-aa11-8bd434583169", "id": "CVE-2026-41843", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41843 does not affect version 3.1.1.RELEASE-tuxcare.3 of org.springframework:spring-aop. not_affected \u2014 Spring Framework 3.1.1.RELEASE is not affected by CVE-2026-41843. The vulnerability requires the content-based version strategy feature (VersionResourceResolver, AbstractVersionStrategy, etc.) which was introduced in Spring Framework 4.1+. This feature does not exist in version 3.1.1, making the attack chain impossible." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@3.1.1.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:c6264a1f-169e-54c7-a1a9-2d4ffd3e0f20", "id": "CVE-2026-41844", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41844 affects version 3.1.1.RELEASE-tuxcare.3 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@3.1.1.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:957deb9d-bc2e-5407-9d58-bffa3e2fa851", "id": "CVE-2026-41845", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41845 does not affect version 3.1.1.RELEASE-tuxcare.3 of org.springframework:spring-aop. not_affected \u2014 Spring Framework 3.1.1.RELEASE (2012) predates the ECMAScript 6 specification (2015) that introduced template literal syntax. While the code lacks escaping for backtick (`) and dollar sign ($) characters in JavaScriptUtils.javaScriptEscape(), these unescaped characters cannot lead to arbitrary JavaScript code execution in the pre-ES6 JavaScript environment this version was designed for. The att..." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@3.1.1.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:e5c2b6df-99d6-5128-b080-e97049f6058d", "id": "CVE-2026-41846", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41846 affects version 3.1.1.RELEASE-tuxcare.3 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@3.1.1.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:40cfc946-31e2-5d56-9145-73a93bfa4fab", "id": "CVE-2026-41848", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41848 affects version 3.1.1.RELEASE-tuxcare.3 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@3.1.1.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:ee45acc0-60a5-5e8d-9228-d781716257ee", "id": "CVE-2026-41849", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41849 affects version 3.1.1.RELEASE-tuxcare.3 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@3.1.1.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:16b232d8-69b3-567b-94ea-0ff75d3312c5", "id": "CVE-2026-41850", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41850 affects version 3.1.1.RELEASE-tuxcare.3 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@3.1.1.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:b6a99a2b-7343-59c9-ace3-22ec4a32930a", "id": "CVE-2026-41851", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41851 does not affect version 3.1.1.RELEASE-tuxcare.3 of org.springframework:spring-aop. not_affected \u2014 Spring Framework 3.1.1 is not affected by CVE-2026-41851. The vulnerability requires unbounded cache growth in SpEL regex pattern caching, but version 3.1.1 does not implement any pattern caching mechanism. Each regex pattern is compiled fresh on every evaluation. The pattern cache was introduced much later (in 2023 via CVE-2023-20861) as a performance optimization, and CVE-2026-41851 then iden..." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@3.1.1.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:69df9321-afbe-556b-8521-c3c1f4039a92", "id": "CVE-2026-41852", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41852 affects version 3.1.1.RELEASE-tuxcare.3 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@3.1.1.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:3d86e787-df37-53c8-b2b4-b83e13da9c88", "id": "CVE-2026-41853", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41853 does not affect version 3.1.1.RELEASE-tuxcare.3 of org.springframework:spring-aop. not_affected \u2014 Spring Framework 3.1.1 is not affected by CVE-2026-41853. This version predates the affected version range (5.3.0+) and lacks the vulnerable components. Spring 3.1.1 does not implement custom multipart boundary parsing; it delegates all multipart parsing to external libraries (Apache Commons FileUpload or Servlet 3.0 Part API). The CVE specifically mentions 'Spring MVC and WebFlux' - WebFlux wa..." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@3.1.1.RELEASE-tuxcare.3" } ] }, { "bom-ref": "urn:uuid:b89fa8d9-72e8-5ff8-baf6-02d1462df085", "id": "CVE-2026-41855", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41855 affects version 3.1.1.RELEASE-tuxcare.3 of org.springframework:spring-aop." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-aop@3.1.1.RELEASE-tuxcare.3" } ] } ], "dependencies": [ { "ref": "pkg:maven/org.springframework/spring-aop@3.1.1.RELEASE-tuxcare.3" } ] }