{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:25c4c072-5944-539a-9614-a12981f6867b", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:maven/org.springframework/spring-core@6.1.20-tuxcare.4", "type": "library", "group": "org.springframework", "name": "spring-core", "version": "6.1.20-tuxcare.4", "purl": "pkg:maven/org.springframework/spring-core@6.1.20-tuxcare.4" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:8d290db4-919e-56a3-b81f-96e89a98a499", "id": "CVE-2025-22233", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-22233 affects version 6.1.20-tuxcare.4 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@6.1.20-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:19e54308-685f-5e7b-a68b-57ff58f8c801", "id": "CVE-2025-41234", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-41234 is fixed in version 6.1.20-tuxcare.4 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@6.1.20-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:6be59359-1398-511f-b27a-02a9117c0871", "id": "CVE-2025-41242", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41242 affects version 6.1.20-tuxcare.4 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@6.1.20-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:cab206ad-fcd8-528d-b76f-02a553b855b2", "id": "CVE-2025-41249", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41249 affects version 6.1.20-tuxcare.4 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@6.1.20-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:feb6ff34-9e8e-55a1-9741-d8f926feccd8", "id": "CVE-2025-41254", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41254 affects version 6.1.20-tuxcare.4 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@6.1.20-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:c15242c1-fa5b-5933-84d2-0fd8a1de818a", "id": "CVE-2026-22735", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22735 is fixed in version 6.1.20-tuxcare.4 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@6.1.20-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:cc76d700-f15d-5b02-8bba-2ff14870714e", "id": "CVE-2026-22737", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22737 is fixed in version 6.1.20-tuxcare.4 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@6.1.20-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:db0addb4-17db-5949-9f4a-0cbe26b8618f", "id": "CVE-2026-22740", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22740 is fixed in version 6.1.20-tuxcare.4 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@6.1.20-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:95423924-67aa-5aba-ba27-5300165ddc8d", "id": "CVE-2026-22741", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22741 is fixed in version 6.1.20-tuxcare.4 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@6.1.20-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:11ed8320-0e75-5810-aff8-dbbacdedf2d0", "id": "CVE-2026-22745", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22745 is fixed in version 6.1.20-tuxcare.4 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@6.1.20-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:8042f48c-51ba-589a-b984-014aea4ebf62", "id": "CVE-2026-41838", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41838 affects version 6.1.20-tuxcare.4 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@6.1.20-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:80e20333-0fbb-57bf-a479-fcff858b6d3d", "id": "CVE-2026-41839", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41839 affects version 6.1.20-tuxcare.4 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@6.1.20-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:fc036cca-85d2-5132-b53a-56357c6ccd13", "id": "CVE-2026-41840", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41840 does not affect version 6.1.20-tuxcare.4 of org.springframework:spring-core. already_fixed \u2014 Spring Framework 6.1.20-tuxcare.4 already contains both doOnDiscard handlers that prevent the multipart memory leak vulnerability. The fixes were applied via TuxCare backport commit a6b78f2a1c on May 19, 2026 under CVE-2026-22740, which appears to be the same or closely related vulnerability as CVE-2026-41840." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@6.1.20-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:b4373df4-4934-592b-84fa-dab6685698d3", "id": "CVE-2026-41841", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41841 affects version 6.1.20-tuxcare.4 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@6.1.20-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:0135843d-b8ae-5c93-b757-9cd4b885e069", "id": "CVE-2026-41842", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41842 affects version 6.1.20-tuxcare.4 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@6.1.20-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:e00728ea-1a30-523e-9a40-5d0e12f2a3db", "id": "CVE-2026-41843", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41843 affects version 6.1.20-tuxcare.4 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@6.1.20-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:bd1573fe-af37-5f50-b7e6-5bac5837b5e4", "id": "CVE-2026-41844", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41844 affects version 6.1.20-tuxcare.4 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@6.1.20-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:65a424ae-89d6-57f8-b05e-d5cc6a4184ef", "id": "CVE-2026-41845", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41845 affects version 6.1.20-tuxcare.4 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@6.1.20-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:2cdc71cd-0338-57af-9576-928c066a2723", "id": "CVE-2026-41846", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41846 affects version 6.1.20-tuxcare.4 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@6.1.20-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:06b22368-831b-5b3f-81c3-dbf99bb2b4cc", "id": "CVE-2026-41848", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41848 affects version 6.1.20-tuxcare.4 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@6.1.20-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:dd567ce6-6102-5417-8999-95dfce722b56", "id": "CVE-2026-41850", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41850 affects version 6.1.20-tuxcare.4 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@6.1.20-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:8a10ad58-5860-597b-92a8-c023e962c939", "id": "CVE-2026-41851", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41851 affects version 6.1.20-tuxcare.4 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@6.1.20-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:7d9bda1d-fca0-533f-9393-fc59247c129d", "id": "CVE-2026-41852", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41852 affects version 6.1.20-tuxcare.4 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@6.1.20-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:4814df72-9ec5-58fe-9a77-2fdb5173abae", "id": "CVE-2026-41853", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41853 affects version 6.1.20-tuxcare.4 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@6.1.20-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:0e87bf4a-17be-58f9-b67a-e518ebb57067", "id": "CVE-2026-41855", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41855 affects version 6.1.20-tuxcare.4 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@6.1.20-tuxcare.4" } ] } ], "dependencies": [ { "ref": "pkg:maven/org.springframework/spring-core@6.1.20-tuxcare.4" } ] }