{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:884bfcb1-5f43-5bac-b74d-817e46fe6bb2", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:maven/org.springframework/spring-core@5.3.39-tuxcare.13", "type": "library", "group": "org.springframework", "name": "spring-core", "version": "5.3.39-tuxcare.13", "purl": "pkg:maven/org.springframework/spring-core@5.3.39-tuxcare.13" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:ae93d11a-ee33-504b-9708-6f8f04bb762c", "id": "CVE-2016-1000027", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2016-1000027 affects version 5.3.39-tuxcare.13 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@5.3.39-tuxcare.13" } ] }, { "bom-ref": "urn:uuid:ea900c9b-0aa5-5679-a91f-ff843178402a", "id": "CVE-2022-22968", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2022-22968 does not affect version 5.3.39-tuxcare.13 of org.springframework:spring-core. Spring version 5.3.39 is not affected to CVE-2022-22968 as fix has been already already backported by the original developers" }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@5.3.39-tuxcare.13" } ] }, { "bom-ref": "urn:uuid:aa2dcfb1-84fb-55b5-813c-f801f21bd269", "id": "CVE-2024-38816", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38816 is fixed in version 5.3.39-tuxcare.13 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@5.3.39-tuxcare.13" } ] }, { "bom-ref": "urn:uuid:144bcdc3-1551-5f97-9ecf-477d9ba92349", "id": "CVE-2024-38819", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38819 is fixed in version 5.3.39-tuxcare.13 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@5.3.39-tuxcare.13" } ] }, { "bom-ref": "urn:uuid:1664cbe0-dd09-5712-bd3f-155c17b84ee3", "id": "CVE-2024-38820", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38820 is fixed in version 5.3.39-tuxcare.13 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@5.3.39-tuxcare.13" } ] }, { "bom-ref": "urn:uuid:02dd5431-5864-521a-bf03-70f12c048467", "id": "CVE-2024-38828", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38828 is fixed in version 5.3.39-tuxcare.13 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@5.3.39-tuxcare.13" } ] }, { "bom-ref": "urn:uuid:564b870c-db80-57dc-9f9f-8a6cb5cee387", "id": "CVE-2025-22233", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-22233 is fixed in version 5.3.39-tuxcare.13 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@5.3.39-tuxcare.13" } ] }, { "bom-ref": "urn:uuid:44707af4-c208-590d-8244-48ec0f3be770", "id": "CVE-2025-41234", "analysis": { "state": "false_positive", "detail": "Vulnerability CVE-2025-41234 is a false positive for org.springframework:spring-core 5.3.39-tuxcare.13." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@5.3.39-tuxcare.13" } ] }, { "bom-ref": "urn:uuid:3611d902-7a08-568f-b0f0-6e56d3b4c11e", "id": "CVE-2025-41242", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-41242 is fixed in version 5.3.39-tuxcare.13 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@5.3.39-tuxcare.13" } ] }, { "bom-ref": "urn:uuid:654f0a70-7806-5cf5-8451-01cbca7bc9f6", "id": "CVE-2025-41249", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-41249 is fixed in version 5.3.39-tuxcare.13 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@5.3.39-tuxcare.13" } ] }, { "bom-ref": "urn:uuid:0e1febc3-1533-5a0e-a89a-e33f233dad43", "id": "CVE-2025-41254", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-41254 is fixed in version 5.3.39-tuxcare.13 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@5.3.39-tuxcare.13" } ] }, { "bom-ref": "urn:uuid:a31ea28b-2646-51cb-b259-23bb39a11025", "id": "CVE-2026-22735", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22735 is fixed in version 5.3.39-tuxcare.13 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@5.3.39-tuxcare.13" } ] }, { "bom-ref": "urn:uuid:bc5790ab-52a8-5994-a80c-e978be6bb8ff", "id": "CVE-2026-22737", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22737 is fixed in version 5.3.39-tuxcare.13 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@5.3.39-tuxcare.13" } ] }, { "bom-ref": "urn:uuid:f0dd70ad-faf5-5dcc-b5dd-8c727c9630e1", "id": "CVE-2026-22740", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22740 is fixed in version 5.3.39-tuxcare.13 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@5.3.39-tuxcare.13" } ] }, { "bom-ref": "urn:uuid:eb1a6f7a-cdf2-5e07-be91-0a6041941de4", "id": "CVE-2026-22741", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22741 is fixed in version 5.3.39-tuxcare.13 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@5.3.39-tuxcare.13" } ] }, { "bom-ref": "urn:uuid:d9790f14-9b60-5ada-a4dd-d556f42ca54c", "id": "CVE-2026-22745", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22745 is fixed in version 5.3.39-tuxcare.13 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@5.3.39-tuxcare.13" } ] }, { "bom-ref": "urn:uuid:9e97a7ec-2d59-54ae-bcf7-16e76c7a367d", "id": "CVE-2026-41838", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-41838 is fixed in version 5.3.39-tuxcare.13 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@5.3.39-tuxcare.13" } ] }, { "bom-ref": "urn:uuid:3c578782-e8a4-5c8d-8a05-6500fc2395f4", "id": "CVE-2026-41839", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-41839 is fixed in version 5.3.39-tuxcare.13 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@5.3.39-tuxcare.13" } ] }, { "bom-ref": "urn:uuid:d598f4d8-94f3-5fa7-b43a-8fd0d082bf84", "id": "CVE-2026-41840", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41840 does not affect version 5.3.39-tuxcare.13 of org.springframework:spring-core. already_fixed \u2014 The target Spring Framework 5.3.39-tuxcare.12 already contains both vendor fixes for CVE-2026-41840. The fixes were backported via commit 4ef4cdca34 (May 13, 2026) under CVE-2026-22740, but the code changes are identical to the upstream patches. Both doOnDiscard handlers are present and active in PartGenerator.java and MultipartHttpMessageReader.java, preventing memory exhaustion from unrelease..." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@5.3.39-tuxcare.13" } ] }, { "bom-ref": "urn:uuid:1b5b2194-d914-542b-b14f-264b452f7f48", "id": "CVE-2026-41841", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41841 affects version 5.3.39-tuxcare.13 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@5.3.39-tuxcare.13" } ] }, { "bom-ref": "urn:uuid:f7375d5a-a22e-51d5-a5de-26ae74383e65", "id": "CVE-2026-41842", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-41842 is fixed in version 5.3.39-tuxcare.13 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@5.3.39-tuxcare.13" } ] }, { "bom-ref": "urn:uuid:a193e2af-aaed-56fb-be53-656451b7e210", "id": "CVE-2026-41843", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41843 affects version 5.3.39-tuxcare.13 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@5.3.39-tuxcare.13" } ] }, { "bom-ref": "urn:uuid:59449568-a0dc-504c-b6bd-f59326b042d4", "id": "CVE-2026-41844", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41844 affects version 5.3.39-tuxcare.13 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@5.3.39-tuxcare.13" } ] }, { "bom-ref": "urn:uuid:802727a9-1385-560e-963f-506a7542494a", "id": "CVE-2026-41845", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-41845 is fixed in version 5.3.39-tuxcare.13 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@5.3.39-tuxcare.13" } ] }, { "bom-ref": "urn:uuid:da612958-b311-58f3-90aa-cc8cafa662ab", "id": "CVE-2026-41846", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-41846 is fixed in version 5.3.39-tuxcare.13 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@5.3.39-tuxcare.13" } ] }, { "bom-ref": "urn:uuid:e92672d3-dbad-589a-813b-55b647b429c4", "id": "CVE-2026-41847", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41847 affects version 5.3.39-tuxcare.13 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@5.3.39-tuxcare.13" } ] }, { "bom-ref": "urn:uuid:2bd5c26d-3075-569a-a435-11078c0a9d22", "id": "CVE-2026-41848", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41848 affects version 5.3.39-tuxcare.13 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@5.3.39-tuxcare.13" } ] }, { "bom-ref": "urn:uuid:0d63c802-1b71-5191-a8a7-48bf91d85fe5", "id": "CVE-2026-41849", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41849 affects version 5.3.39-tuxcare.13 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@5.3.39-tuxcare.13" } ] }, { "bom-ref": "urn:uuid:f2dcc48b-ee0e-5ae2-9c7b-bdc98dd84501", "id": "CVE-2026-41850", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41850 affects version 5.3.39-tuxcare.13 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@5.3.39-tuxcare.13" } ] }, { "bom-ref": "urn:uuid:e49b0bb3-23be-5638-911c-f8d6ecbf9738", "id": "CVE-2026-41851", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-41851 is fixed in version 5.3.39-tuxcare.13 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@5.3.39-tuxcare.13" } ] }, { "bom-ref": "urn:uuid:fce30e07-700f-5ee5-b28d-91ccb433ad7c", "id": "CVE-2026-41852", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-41852 is fixed in version 5.3.39-tuxcare.13 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@5.3.39-tuxcare.13" } ] }, { "bom-ref": "urn:uuid:5cb06f23-3577-5b53-be06-e9471d9b97c0", "id": "CVE-2026-41853", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41853 affects version 5.3.39-tuxcare.13 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@5.3.39-tuxcare.13" } ] }, { "bom-ref": "urn:uuid:498ccad8-5889-5235-a026-25c45eb3d44e", "id": "CVE-2026-41855", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41855 affects version 5.3.39-tuxcare.13 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@5.3.39-tuxcare.13" } ] } ], "dependencies": [ { "ref": "pkg:maven/org.springframework/spring-core@5.3.39-tuxcare.13" } ] }