{
  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "serialNumber": "urn:uuid:758bd49f-169f-5185-8492-3dbcb19ed02d",
  "version": 1,
  "metadata": {
    "tools": [
      {
        "name": "tuxcare-vex-generator",
        "version": "1.0.0"
      }
    ]
  },
  "components": [
    {
      "bom-ref": "pkg:maven/org.springframework/spring-beans@5.3.39-tuxcare.13",
      "type": "library",
      "group": "org.springframework",
      "name": "spring-beans",
      "version": "5.3.39-tuxcare.13",
      "purl": "pkg:maven/org.springframework/spring-beans@5.3.39-tuxcare.13"
    }
  ],
  "vulnerabilities": [
    {
      "bom-ref": "urn:uuid:fc03923d-eb94-5fe1-947f-f3ec8d90f4a6",
      "id": "CVE-2016-1000027",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2016-1000027 affects version 5.3.39-tuxcare.13 of org.springframework:spring-beans."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-beans@5.3.39-tuxcare.13"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:03bb2bd2-5014-5ec5-9d78-73798e4211a0",
      "id": "CVE-2022-22968",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2022-22968 does not affect version 5.3.39-tuxcare.13 of org.springframework:spring-beans. Spring version 5.3.39 is not affected by CVE-2022-22968, as the fix has already been backported by the original developers."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-beans@5.3.39-tuxcare.13"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:1fc91637-8f2c-58c8-bb10-adf9cd7832cc",
      "id": "CVE-2024-38816",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2024-38816 is fixed in version 5.3.39-tuxcare.13 of org.springframework:spring-beans."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-beans@5.3.39-tuxcare.13"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:0463ce5d-ae98-5a42-b6a7-c9afcdc0170a",
      "id": "CVE-2024-38819",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2024-38819 is fixed in version 5.3.39-tuxcare.13 of org.springframework:spring-beans."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-beans@5.3.39-tuxcare.13"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:841b55b0-20f6-5edc-9f9e-121f1c51924d",
      "id": "CVE-2024-38820",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2024-38820 is fixed in version 5.3.39-tuxcare.13 of org.springframework:spring-beans."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-beans@5.3.39-tuxcare.13"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:bfa4c4c9-5baf-56a7-9980-862250b419f7",
      "id": "CVE-2024-38828",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2024-38828 is fixed in version 5.3.39-tuxcare.13 of org.springframework:spring-beans."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-beans@5.3.39-tuxcare.13"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:40fb222f-f9ae-5547-8735-aa32bbe86d4a",
      "id": "CVE-2025-22233",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2025-22233 is fixed in version 5.3.39-tuxcare.13 of org.springframework:spring-beans."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-beans@5.3.39-tuxcare.13"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:23846e5f-1784-5d0a-9e48-a42e9dd71e12",
      "id": "CVE-2025-41234",
      "analysis": {
        "state": "false_positive",
        "detail": "Vulnerability CVE-2025-41234 is a false positive for org.springframework:spring-beans 5.3.39-tuxcare.13."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-beans@5.3.39-tuxcare.13"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:cf308cc7-f535-5e54-ad15-0270cae4c4ee",
      "id": "CVE-2025-41242",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2025-41242 is fixed in version 5.3.39-tuxcare.13 of org.springframework:spring-beans."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-beans@5.3.39-tuxcare.13"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:0012a295-79c6-515d-b8d4-9395194a20b0",
      "id": "CVE-2025-41249",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2025-41249 is fixed in version 5.3.39-tuxcare.13 of org.springframework:spring-beans."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-beans@5.3.39-tuxcare.13"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:8a053735-72fc-521a-a8ab-5bbc60ea9c94",
      "id": "CVE-2025-41254",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2025-41254 is fixed in version 5.3.39-tuxcare.13 of org.springframework:spring-beans."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-beans@5.3.39-tuxcare.13"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:443baf10-af3c-5201-97d0-1ca0dcb9d488",
      "id": "CVE-2026-22735",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2026-22735 is fixed in version 5.3.39-tuxcare.13 of org.springframework:spring-beans."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-beans@5.3.39-tuxcare.13"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:0808bab2-6928-53e1-bc63-85956b4df7fd",
      "id": "CVE-2026-22737",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2026-22737 is fixed in version 5.3.39-tuxcare.13 of org.springframework:spring-beans."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-beans@5.3.39-tuxcare.13"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:3238305a-1a65-5942-9a6e-960e06af6653",
      "id": "CVE-2026-22740",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2026-22740 is fixed in version 5.3.39-tuxcare.13 of org.springframework:spring-beans."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-beans@5.3.39-tuxcare.13"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:71b87185-19a8-548b-85fe-cf7d836e0999",
      "id": "CVE-2026-22741",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2026-22741 is fixed in version 5.3.39-tuxcare.13 of org.springframework:spring-beans."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-beans@5.3.39-tuxcare.13"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:9af4bdcf-6ad9-5e9f-adef-5b7c7466c20d",
      "id": "CVE-2026-22745",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2026-22745 is fixed in version 5.3.39-tuxcare.13 of org.springframework:spring-beans."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-beans@5.3.39-tuxcare.13"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:f7578b99-3f3d-5208-a3bd-03337e3295bb",
      "id": "CVE-2026-41838",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2026-41838 is fixed in version 5.3.39-tuxcare.13 of org.springframework:spring-beans."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-beans@5.3.39-tuxcare.13"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:4d2a9462-477b-5aae-93ca-756260dc6180",
      "id": "CVE-2026-41839",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2026-41839 is fixed in version 5.3.39-tuxcare.13 of org.springframework:spring-beans."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-beans@5.3.39-tuxcare.13"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:dba08dac-6dbc-54f5-b55e-8eb200e1be6c",
      "id": "CVE-2026-41840",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2026-41840 does not affect version 5.3.39-tuxcare.13 of org.springframework:spring-beans. already_fixed \u2014 The target Spring Framework 5.3.39-tuxcare.12 already contains both vendor fixes for CVE-2026-41840. The fixes were backported via commit 4ef4cdca34 (May 13, 2026) under CVE-2026-22740, but the code changes are identical to the upstream patches. Both doOnDiscard handlers are present and active in PartGenerator.java and MultipartHttpMessageReader.java, preventing memory exhaustion from unrelease..."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-beans@5.3.39-tuxcare.13"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:4a36f115-c6d4-5ace-8e5f-8e0e62d79d66",
      "id": "CVE-2026-41841",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-41841 affects version 5.3.39-tuxcare.13 of org.springframework:spring-beans."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-beans@5.3.39-tuxcare.13"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:f6c7f535-af29-51d5-ace5-44f13e1f0e6b",
      "id": "CVE-2026-41842",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2026-41842 is fixed in version 5.3.39-tuxcare.13 of org.springframework:spring-beans."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-beans@5.3.39-tuxcare.13"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:3448ace5-d8fb-52c0-b3d0-c50b52804330",
      "id": "CVE-2026-41843",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-41843 affects version 5.3.39-tuxcare.13 of org.springframework:spring-beans."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-beans@5.3.39-tuxcare.13"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:b83fae11-dd48-5be1-8091-c05b821d5c9d",
      "id": "CVE-2026-41844",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-41844 affects version 5.3.39-tuxcare.13 of org.springframework:spring-beans."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-beans@5.3.39-tuxcare.13"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:f040eaae-086c-5b54-a1fa-2d230e688b98",
      "id": "CVE-2026-41845",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2026-41845 is fixed in version 5.3.39-tuxcare.13 of org.springframework:spring-beans."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-beans@5.3.39-tuxcare.13"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:3bd193cf-697c-519d-879a-98d6a97d0ac6",
      "id": "CVE-2026-41846",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2026-41846 is fixed in version 5.3.39-tuxcare.13 of org.springframework:spring-beans."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-beans@5.3.39-tuxcare.13"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:6b34bbd0-80ca-54eb-b1e1-2512e4c8956a",
      "id": "CVE-2026-41847",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-41847 affects version 5.3.39-tuxcare.13 of org.springframework:spring-beans."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-beans@5.3.39-tuxcare.13"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:26d2e7ce-c14e-5f62-a055-a5b656682b75",
      "id": "CVE-2026-41848",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-41848 affects version 5.3.39-tuxcare.13 of org.springframework:spring-beans."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-beans@5.3.39-tuxcare.13"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:373c1b3f-474c-5193-adde-a5a7803dbdf8",
      "id": "CVE-2026-41849",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-41849 affects version 5.3.39-tuxcare.13 of org.springframework:spring-beans."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-beans@5.3.39-tuxcare.13"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:15ef6af6-0ce9-57e6-98f7-e3e610ce19dc",
      "id": "CVE-2026-41850",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-41850 affects version 5.3.39-tuxcare.13 of org.springframework:spring-beans."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-beans@5.3.39-tuxcare.13"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:fb807aba-32c1-50f3-bc9f-1592e839aaf1",
      "id": "CVE-2026-41851",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2026-41851 is fixed in version 5.3.39-tuxcare.13 of org.springframework:spring-beans."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-beans@5.3.39-tuxcare.13"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:2b97224f-64f5-591d-a45b-771ec2dcd09e",
      "id": "CVE-2026-41852",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2026-41852 is fixed in version 5.3.39-tuxcare.13 of org.springframework:spring-beans."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-beans@5.3.39-tuxcare.13"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:77c1b00b-6fea-5af5-87a4-82c757b639cc",
      "id": "CVE-2026-41853",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-41853 affects version 5.3.39-tuxcare.13 of org.springframework:spring-beans."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-beans@5.3.39-tuxcare.13"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:cc647dd8-6f53-5663-bf40-51c7affc201a",
      "id": "CVE-2026-41855",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-41855 affects version 5.3.39-tuxcare.13 of org.springframework:spring-beans."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-beans@5.3.39-tuxcare.13"
        }
      ]
    }
  ],
  "dependencies": [
    {
      "ref": "pkg:maven/org.springframework/spring-beans@5.3.39-tuxcare.13"
    }
  ]
}