{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:966c20d4-07e0-52bc-9345-fb156817e735", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:maven/org.springframework/spring-core@5.3.39-tuxcare.11", "type": "library", "group": "org.springframework", "name": "spring-core", "version": "5.3.39-tuxcare.11", "purl": "pkg:maven/org.springframework/spring-core@5.3.39-tuxcare.11" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:1566e857-e916-5f8a-ab7c-e2006bd8d4bc", "id": "CVE-2016-1000027", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2016-1000027 affects version 5.3.39-tuxcare.11 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@5.3.39-tuxcare.11" } ] }, { "bom-ref": "urn:uuid:4c65f9bc-7ed1-5f5a-b8c5-694afb1fb90b", "id": "CVE-2022-22968", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2022-22968 does not affect version 5.3.39-tuxcare.11 of org.springframework:spring-core. Spring version 5.3.39 is not affected to CVE-2022-22968 as fix has been already already backported by the original developers" }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@5.3.39-tuxcare.11" } ] }, { "bom-ref": "urn:uuid:a12b144b-5a20-54c0-bf55-752f691037fb", "id": "CVE-2024-38816", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38816 is fixed in version 5.3.39-tuxcare.11 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@5.3.39-tuxcare.11" } ] }, { "bom-ref": "urn:uuid:3a6b7f49-9444-589f-8707-f0267508257a", "id": "CVE-2024-38819", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38819 is fixed in version 5.3.39-tuxcare.11 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@5.3.39-tuxcare.11" } ] }, { "bom-ref": "urn:uuid:f6bbc630-ae43-54ef-b54a-c2d1e54ef172", "id": "CVE-2024-38820", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38820 is fixed in version 5.3.39-tuxcare.11 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@5.3.39-tuxcare.11" } ] }, { "bom-ref": "urn:uuid:8a5a8758-a8a7-5c24-903d-91fe46db6543", "id": "CVE-2024-38828", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38828 is fixed in version 5.3.39-tuxcare.11 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@5.3.39-tuxcare.11" } ] }, { "bom-ref": "urn:uuid:c1855665-9381-595b-b7c6-14519114e63b", "id": "CVE-2025-22233", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-22233 is fixed in version 5.3.39-tuxcare.11 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@5.3.39-tuxcare.11" } ] }, { "bom-ref": "urn:uuid:fdacd895-8983-5f0f-b208-2cf3fc32ee8e", "id": "CVE-2025-41234", "analysis": { "state": "false_positive", "detail": "Vulnerability CVE-2025-41234 is a false positive for org.springframework:spring-core 5.3.39-tuxcare.11." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@5.3.39-tuxcare.11" } ] }, { "bom-ref": "urn:uuid:027d2f4e-c83b-5484-883c-cb193e232a5b", "id": "CVE-2025-41242", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-41242 is fixed in version 5.3.39-tuxcare.11 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@5.3.39-tuxcare.11" } ] }, { "bom-ref": "urn:uuid:dbfeb2b1-b6d0-53f8-a677-aec574a34ef8", "id": "CVE-2025-41249", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-41249 is fixed in version 5.3.39-tuxcare.11 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@5.3.39-tuxcare.11" } ] }, { "bom-ref": "urn:uuid:6b3aea8c-c4e8-5666-82f9-6525e7356615", "id": "CVE-2025-41254", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-41254 is fixed in version 5.3.39-tuxcare.11 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@5.3.39-tuxcare.11" } ] }, { "bom-ref": "urn:uuid:4fb80440-c1a9-50ad-8ea2-7814bddd444f", "id": "CVE-2026-22735", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22735 affects version 5.3.39-tuxcare.11 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@5.3.39-tuxcare.11" } ] }, { "bom-ref": "urn:uuid:0d63ea0c-c4aa-5e4e-bfe5-cf6c358c19de", "id": "CVE-2026-22737", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22737 is fixed in version 5.3.39-tuxcare.11 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@5.3.39-tuxcare.11" } ] }, { "bom-ref": "urn:uuid:47c9e96c-b7f1-51c5-9db4-c20b44d4ee49", "id": "CVE-2026-22740", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22740 is fixed in version 5.3.39-tuxcare.11 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@5.3.39-tuxcare.11" } ] }, { "bom-ref": "urn:uuid:c4c31420-de46-5475-9852-7c7ce5290565", "id": "CVE-2026-22741", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22741 is fixed in version 5.3.39-tuxcare.11 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@5.3.39-tuxcare.11" } ] }, { "bom-ref": "urn:uuid:309ed9e4-d673-5599-951a-bd54e1886015", "id": "CVE-2026-22745", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22745 is fixed in version 5.3.39-tuxcare.11 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@5.3.39-tuxcare.11" } ] }, { "bom-ref": "urn:uuid:db601918-4ffc-578b-a371-89c390bc6290", "id": "CVE-2026-41838", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41838 affects version 5.3.39-tuxcare.11 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@5.3.39-tuxcare.11" } ] }, { "bom-ref": "urn:uuid:5d7bb300-c84a-58b6-afaf-404c0e3d3cec", "id": "CVE-2026-41839", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41839 affects version 5.3.39-tuxcare.11 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@5.3.39-tuxcare.11" } ] }, { "bom-ref": "urn:uuid:3bea4424-cfcf-5d40-a746-b544c7e883cc", "id": "CVE-2026-41840", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41840 does not affect version 5.3.39-tuxcare.11 of org.springframework:spring-core. already_fixed \u2014 The target Spring Framework 5.3.39-tuxcare.12 already contains both vendor fixes for CVE-2026-41840. The fixes were backported via commit 4ef4cdca34 (May 13, 2026) under CVE-2026-22740, but the code changes are identical to the upstream patches. Both doOnDiscard handlers are present and active in PartGenerator.java and MultipartHttpMessageReader.java, preventing memory exhaustion from unrelease..." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@5.3.39-tuxcare.11" } ] }, { "bom-ref": "urn:uuid:82983540-c5ab-5392-850b-b0df4104bb4e", "id": "CVE-2026-41841", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41841 affects version 5.3.39-tuxcare.11 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@5.3.39-tuxcare.11" } ] }, { "bom-ref": "urn:uuid:974f2124-477f-58b1-b7b8-fb0696f32f3b", "id": "CVE-2026-41842", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41842 affects version 5.3.39-tuxcare.11 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@5.3.39-tuxcare.11" } ] }, { "bom-ref": "urn:uuid:e1b09eb7-d85b-5c64-bea7-e4e626867424", "id": "CVE-2026-41843", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41843 affects version 5.3.39-tuxcare.11 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@5.3.39-tuxcare.11" } ] }, { "bom-ref": "urn:uuid:882ac451-39d2-5a18-baf6-0ddf31a5f7f1", "id": "CVE-2026-41844", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41844 affects version 5.3.39-tuxcare.11 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@5.3.39-tuxcare.11" } ] }, { "bom-ref": "urn:uuid:b7c77767-8916-5483-b9c0-c4b70bc4b667", "id": "CVE-2026-41845", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41845 affects version 5.3.39-tuxcare.11 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@5.3.39-tuxcare.11" } ] }, { "bom-ref": "urn:uuid:de82d5be-6a9e-520a-9863-806b16908b7e", "id": "CVE-2026-41846", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41846 affects version 5.3.39-tuxcare.11 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@5.3.39-tuxcare.11" } ] }, { "bom-ref": "urn:uuid:e7711ff1-88fd-5c6c-b3dc-fbc5f8c16203", "id": "CVE-2026-41847", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41847 affects version 5.3.39-tuxcare.11 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@5.3.39-tuxcare.11" } ] }, { "bom-ref": "urn:uuid:3db82818-3eab-53b5-8d1d-9a994b5284e5", "id": "CVE-2026-41848", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41848 affects version 5.3.39-tuxcare.11 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@5.3.39-tuxcare.11" } ] }, { "bom-ref": "urn:uuid:681a8eaa-b75c-590d-a192-7893409cfd8f", "id": "CVE-2026-41849", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41849 affects version 5.3.39-tuxcare.11 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@5.3.39-tuxcare.11" } ] }, { "bom-ref": "urn:uuid:7922eb1f-3a23-5582-a9ee-eff72499be03", "id": "CVE-2026-41850", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41850 affects version 5.3.39-tuxcare.11 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@5.3.39-tuxcare.11" } ] }, { "bom-ref": "urn:uuid:1f14d9e5-b300-56e1-a7ce-6544dc19e96c", "id": "CVE-2026-41851", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41851 affects version 5.3.39-tuxcare.11 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@5.3.39-tuxcare.11" } ] }, { "bom-ref": "urn:uuid:52cb6a5b-110a-586d-973a-59367710ea98", "id": "CVE-2026-41852", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41852 affects version 5.3.39-tuxcare.11 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@5.3.39-tuxcare.11" } ] }, { "bom-ref": "urn:uuid:6b5ceb9f-2ca7-5a4c-aff6-003e1c9ee954", "id": "CVE-2026-41853", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41853 affects version 5.3.39-tuxcare.11 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@5.3.39-tuxcare.11" } ] }, { "bom-ref": "urn:uuid:e961b4d1-bcd1-5727-ac15-7d57c564d00b", "id": "CVE-2026-41855", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41855 affects version 5.3.39-tuxcare.11 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@5.3.39-tuxcare.11" } ] } ], "dependencies": [ { "ref": "pkg:maven/org.springframework/spring-core@5.3.39-tuxcare.11" } ] }