{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:f787b41a-765c-56ba-8a69-80d197bfa9b4", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:maven/org.springframework/spring-core@5.3.39-tuxcare.14", "type": "library", "group": "org.springframework", "name": "spring-core", "version": "5.3.39-tuxcare.14", "purl": "pkg:maven/org.springframework/spring-core@5.3.39-tuxcare.14" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:389cc612-66da-503e-a13a-774006ee1f10", "id": "CVE-2016-1000027", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2016-1000027 affects version 5.3.39-tuxcare.14 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@5.3.39-tuxcare.14" } ] }, { "bom-ref": "urn:uuid:f194f39b-60b3-53e6-bdb5-71993ad39345", "id": "CVE-2022-22968", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2022-22968 does not affect version 5.3.39-tuxcare.14 of org.springframework:spring-core. Spring version 5.3.39 is not affected to CVE-2022-22968 as fix has been already already backported by the original developers" }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@5.3.39-tuxcare.14" } ] }, { "bom-ref": "urn:uuid:ef07d452-8dcf-524f-8a44-665b615c20c6", "id": "CVE-2024-38816", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38816 is fixed in version 5.3.39-tuxcare.14 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@5.3.39-tuxcare.14" } ] }, { "bom-ref": "urn:uuid:e0b073ff-0781-58c3-b408-29eb1c91e5be", "id": "CVE-2024-38819", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38819 is fixed in version 5.3.39-tuxcare.14 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@5.3.39-tuxcare.14" } ] }, { "bom-ref": "urn:uuid:bd7e7c4c-766c-56d7-8b77-2ab4d430c030", "id": "CVE-2024-38820", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38820 is fixed in version 5.3.39-tuxcare.14 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@5.3.39-tuxcare.14" } ] }, { "bom-ref": "urn:uuid:aa56021d-719e-5c8e-872b-0ec71a4c91cb", "id": "CVE-2024-38828", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38828 is fixed in version 5.3.39-tuxcare.14 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@5.3.39-tuxcare.14" } ] }, { "bom-ref": "urn:uuid:11ecd64b-0dcb-5a88-abee-f6961ac5c634", "id": "CVE-2025-22233", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-22233 is fixed in version 5.3.39-tuxcare.14 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@5.3.39-tuxcare.14" } ] }, { "bom-ref": "urn:uuid:28d21aa8-e7d9-59c6-94ba-855eb7123688", "id": "CVE-2025-41234", "analysis": { "state": "false_positive", "detail": "Vulnerability CVE-2025-41234 is a false positive for org.springframework:spring-core 5.3.39-tuxcare.14." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@5.3.39-tuxcare.14" } ] }, { "bom-ref": "urn:uuid:cbbb4620-4ca2-5a34-84b8-a7f29fd160a0", "id": "CVE-2025-41242", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-41242 is fixed in version 5.3.39-tuxcare.14 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@5.3.39-tuxcare.14" } ] }, { "bom-ref": "urn:uuid:9012532f-dc72-5a21-b6f4-331409d47968", "id": "CVE-2025-41249", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-41249 is fixed in version 5.3.39-tuxcare.14 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@5.3.39-tuxcare.14" } ] }, { "bom-ref": "urn:uuid:3b7df169-5ef6-5bf1-b9c5-4161dd4e2e65", "id": "CVE-2025-41254", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-41254 is fixed in version 5.3.39-tuxcare.14 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@5.3.39-tuxcare.14" } ] }, { "bom-ref": "urn:uuid:ec9ed096-3104-5681-af32-07353be6d5d4", "id": "CVE-2026-22735", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22735 is fixed in version 5.3.39-tuxcare.14 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@5.3.39-tuxcare.14" } ] }, { "bom-ref": "urn:uuid:bb718be2-ca13-5dd3-903b-4025b0ea6533", "id": "CVE-2026-22737", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22737 is fixed in version 5.3.39-tuxcare.14 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@5.3.39-tuxcare.14" } ] }, { "bom-ref": "urn:uuid:fbcf26d3-932f-5fdd-896b-db323b5dbfb5", "id": "CVE-2026-22740", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22740 is fixed in version 5.3.39-tuxcare.14 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@5.3.39-tuxcare.14" } ] }, { "bom-ref": "urn:uuid:8378a577-19ee-5de1-a7cb-becbf812c1b9", "id": "CVE-2026-22741", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22741 is fixed in version 5.3.39-tuxcare.14 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@5.3.39-tuxcare.14" } ] }, { "bom-ref": "urn:uuid:245b89c3-9329-5c8d-9919-185904a257d0", "id": "CVE-2026-22745", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22745 is fixed in version 5.3.39-tuxcare.14 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@5.3.39-tuxcare.14" } ] }, { "bom-ref": "urn:uuid:6fef0701-73b1-5091-bc47-563a16663d0b", "id": "CVE-2026-41838", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-41838 is fixed in version 5.3.39-tuxcare.14 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@5.3.39-tuxcare.14" } ] }, { "bom-ref": "urn:uuid:30b85e95-b91a-5fa8-a2b3-5e507c71957a", "id": "CVE-2026-41839", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-41839 is fixed in version 5.3.39-tuxcare.14 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@5.3.39-tuxcare.14" } ] }, { "bom-ref": "urn:uuid:103be55f-9476-5e3f-9ff0-b356ff5e6400", "id": "CVE-2026-41840", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41840 does not affect version 5.3.39-tuxcare.14 of org.springframework:spring-core. already_fixed \u2014 The target Spring Framework 5.3.39-tuxcare.12 already contains both vendor fixes for CVE-2026-41840. The fixes were backported via commit 4ef4cdca34 (May 13, 2026) under CVE-2026-22740, but the code changes are identical to the upstream patches. Both doOnDiscard handlers are present and active in PartGenerator.java and MultipartHttpMessageReader.java, preventing memory exhaustion from unrelease..." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@5.3.39-tuxcare.14" } ] }, { "bom-ref": "urn:uuid:fb2b6219-e0a8-541b-b776-eed3ddbf68ab", "id": "CVE-2026-41841", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41841 affects version 5.3.39-tuxcare.14 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@5.3.39-tuxcare.14" } ] }, { "bom-ref": "urn:uuid:5d662177-5ab5-5af1-9043-df9360fe3f03", "id": "CVE-2026-41842", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-41842 is fixed in version 5.3.39-tuxcare.14 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@5.3.39-tuxcare.14" } ] }, { "bom-ref": "urn:uuid:15ac520d-49e5-59dd-a45c-79e5f7c567aa", "id": "CVE-2026-41843", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41843 affects version 5.3.39-tuxcare.14 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@5.3.39-tuxcare.14" } ] }, { "bom-ref": "urn:uuid:2bd20112-1ecc-5696-afec-02f7b5dc1b99", "id": "CVE-2026-41844", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41844 affects version 5.3.39-tuxcare.14 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@5.3.39-tuxcare.14" } ] }, { "bom-ref": "urn:uuid:97878f55-11f9-5614-90d7-7b3d100ab770", "id": "CVE-2026-41845", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-41845 is fixed in version 5.3.39-tuxcare.14 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@5.3.39-tuxcare.14" } ] }, { "bom-ref": "urn:uuid:5b4c95b1-7cd4-56bf-9f70-4ac0e142b5e9", "id": "CVE-2026-41846", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-41846 is fixed in version 5.3.39-tuxcare.14 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@5.3.39-tuxcare.14" } ] }, { "bom-ref": "urn:uuid:e0a58abd-50e8-53ad-8d3d-2a08b2532222", "id": "CVE-2026-41847", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41847 affects version 5.3.39-tuxcare.14 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@5.3.39-tuxcare.14" } ] }, { "bom-ref": "urn:uuid:78235683-58af-5ec4-beb6-f13727495bfa", "id": "CVE-2026-41848", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-41848 is fixed in version 5.3.39-tuxcare.14 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@5.3.39-tuxcare.14" } ] }, { "bom-ref": "urn:uuid:e76d25ed-f614-58be-a17d-a694392e16c6", "id": "CVE-2026-41849", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41849 affects version 5.3.39-tuxcare.14 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@5.3.39-tuxcare.14" } ] }, { "bom-ref": "urn:uuid:ff40d4cf-a5d3-5349-a980-b0bd3389e20b", "id": "CVE-2026-41850", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41850 affects version 5.3.39-tuxcare.14 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@5.3.39-tuxcare.14" } ] }, { "bom-ref": "urn:uuid:d143c0a9-3721-57ca-aced-92c99f2a5014", "id": "CVE-2026-41851", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-41851 is fixed in version 5.3.39-tuxcare.14 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@5.3.39-tuxcare.14" } ] }, { "bom-ref": "urn:uuid:2fc0cb41-3f81-5cc8-8a7d-83295647d9d6", "id": "CVE-2026-41852", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-41852 is fixed in version 5.3.39-tuxcare.14 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@5.3.39-tuxcare.14" } ] }, { "bom-ref": "urn:uuid:6445207f-ceba-5dc5-a3d9-3dddb902e086", "id": "CVE-2026-41853", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41853 affects version 5.3.39-tuxcare.14 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@5.3.39-tuxcare.14" } ] }, { "bom-ref": "urn:uuid:60fe57c8-0276-5e78-bd21-a57346d5bd9c", "id": "CVE-2026-41855", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41855 affects version 5.3.39-tuxcare.14 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@5.3.39-tuxcare.14" } ] } ], "dependencies": [ { "ref": "pkg:maven/org.springframework/spring-core@5.3.39-tuxcare.14" } ] }