{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:0817c36f-accd-5f57-9721-6af96640bed3", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:maven/org.springframework/spring-core@6.1.20-tuxcare.5", "type": "library", "group": "org.springframework", "name": "spring-core", "version": "6.1.20-tuxcare.5", "purl": "pkg:maven/org.springframework/spring-core@6.1.20-tuxcare.5" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:4d1e16b3-bf5e-589e-952a-5c7dbbfbb957", "id": "CVE-2025-22233", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-22233 affects version 6.1.20-tuxcare.5 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@6.1.20-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:76d7499a-e075-57bd-9bf2-f9510765eac1", "id": "CVE-2025-41234", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-41234 is fixed in version 6.1.20-tuxcare.5 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@6.1.20-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:d4b9277c-0057-5000-8da0-13faba7c6f2c", "id": "CVE-2025-41242", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41242 affects version 6.1.20-tuxcare.5 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@6.1.20-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:3be6d568-4fbd-5676-a379-d17e5d26059d", "id": "CVE-2025-41249", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41249 affects version 6.1.20-tuxcare.5 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@6.1.20-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:92e3679a-f4a2-5605-b39f-eea94b400308", "id": "CVE-2025-41254", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41254 affects version 6.1.20-tuxcare.5 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@6.1.20-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:00399f39-c0ad-51e9-adae-bd9121d381b1", "id": "CVE-2026-22735", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22735 is fixed in version 6.1.20-tuxcare.5 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@6.1.20-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:330cd25a-8392-530d-8cb1-9687d245ac8d", "id": "CVE-2026-22737", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22737 is fixed in version 6.1.20-tuxcare.5 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@6.1.20-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:c87ca126-e558-5fa5-adda-fa768f23303c", "id": "CVE-2026-22740", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22740 is fixed in version 6.1.20-tuxcare.5 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@6.1.20-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:738d2254-9212-5133-bfa9-f09be7e5b73c", "id": "CVE-2026-22741", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22741 is fixed in version 6.1.20-tuxcare.5 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@6.1.20-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:0d42db12-758a-5e00-83b4-b826aeed007d", "id": "CVE-2026-22745", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22745 is fixed in version 6.1.20-tuxcare.5 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@6.1.20-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:ac373aa0-0ae6-546e-88b9-4609c7c30f9e", "id": "CVE-2026-41838", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-41838 is fixed in version 6.1.20-tuxcare.5 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@6.1.20-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:88bbb63e-b61b-5bd5-b0ee-76c0a8045866", "id": "CVE-2026-41839", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-41839 is fixed in version 6.1.20-tuxcare.5 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@6.1.20-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:39d92d54-d6ea-56f6-bd72-6f0d1ab7f72d", "id": "CVE-2026-41840", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41840 does not affect version 6.1.20-tuxcare.5 of org.springframework:spring-core. already_fixed \u2014 Spring Framework 6.1.20-tuxcare.4 already contains both doOnDiscard handlers that prevent the multipart memory leak vulnerability. The fixes were applied via TuxCare backport commit a6b78f2a1c on May 19, 2026 under CVE-2026-22740, which appears to be the same or closely related vulnerability as CVE-2026-41840." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@6.1.20-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:ac781e7f-57d6-506f-a07f-fa63dd80f9af", "id": "CVE-2026-41841", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41841 affects version 6.1.20-tuxcare.5 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@6.1.20-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:103745c6-d30e-5a2c-b892-72413a5adcd8", "id": "CVE-2026-41842", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-41842 is fixed in version 6.1.20-tuxcare.5 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@6.1.20-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:346879d5-cbfe-581d-842b-807f9d652d5f", "id": "CVE-2026-41843", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41843 affects version 6.1.20-tuxcare.5 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@6.1.20-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:4232df3d-acc2-5f02-b3d7-34c4cd24fc0d", "id": "CVE-2026-41844", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41844 affects version 6.1.20-tuxcare.5 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@6.1.20-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:46b369d7-b044-547c-b176-5062cdfc1d47", "id": "CVE-2026-41845", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-41845 is fixed in version 6.1.20-tuxcare.5 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@6.1.20-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:5fa93572-d8e6-584c-a180-134aee67f878", "id": "CVE-2026-41846", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41846 affects version 6.1.20-tuxcare.5 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@6.1.20-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:1921cff9-542c-52c4-ad72-80c4524d6629", "id": "CVE-2026-41848", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-41848 is fixed in version 6.1.20-tuxcare.5 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@6.1.20-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:8f406464-9de2-515a-9718-e7655af4393d", "id": "CVE-2026-41850", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-41850 is fixed in version 6.1.20-tuxcare.5 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@6.1.20-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:2c4bcb07-7150-5d79-9def-2cd626da424c", "id": "CVE-2026-41851", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41851 affects version 6.1.20-tuxcare.5 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@6.1.20-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:a6d12b6d-203f-5e4f-ba02-53582dcd2653", "id": "CVE-2026-41852", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41852 affects version 6.1.20-tuxcare.5 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@6.1.20-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:6cb30f18-b56a-5848-928f-be372ac161a7", "id": "CVE-2026-41853", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41853 affects version 6.1.20-tuxcare.5 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@6.1.20-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:b40ac240-89ed-50e9-a1c8-d1b83dfb0953", "id": "CVE-2026-41855", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41855 affects version 6.1.20-tuxcare.5 of org.springframework:spring-core." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-core@6.1.20-tuxcare.5" } ] } ], "dependencies": [ { "ref": "pkg:maven/org.springframework/spring-core@6.1.20-tuxcare.5" } ] }