{
  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "serialNumber": "urn:uuid:44001f4f-cd7b-5d64-ad08-cad8d05b0a75",
  "version": 1,
  "metadata": {
    "tools": [
      {
        "name": "tuxcare-vex-generator",
        "version": "1.0.0"
      }
    ]
  },
  "components": [
    {
      "bom-ref": "pkg:maven/org.springframework/spring-core@6.1.20-tuxcare.6",
      "type": "library",
      "group": "org.springframework",
      "name": "spring-core",
      "version": "6.1.20-tuxcare.6",
      "purl": "pkg:maven/org.springframework/spring-core@6.1.20-tuxcare.6"
    }
  ],
  "vulnerabilities": [
    {
      "bom-ref": "urn:uuid:d8801703-d49a-52c1-a16f-e67b740e78cf",
      "id": "CVE-2025-22233",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2025-22233 affects version 6.1.20-tuxcare.6 of org.springframework:spring-core."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-core@6.1.20-tuxcare.6"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:83f588a9-28e5-5598-a39e-19df1ec3c647",
      "id": "CVE-2025-41234",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2025-41234 is fixed in version 6.1.20-tuxcare.6 of org.springframework:spring-core."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-core@6.1.20-tuxcare.6"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:2178e992-270d-58a0-a448-c20a45ce48e5",
      "id": "CVE-2025-41242",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2025-41242 affects version 6.1.20-tuxcare.6 of org.springframework:spring-core."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-core@6.1.20-tuxcare.6"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:cb866de2-0687-5557-aa4b-30a81c7f94a9",
      "id": "CVE-2025-41249",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2025-41249 affects version 6.1.20-tuxcare.6 of org.springframework:spring-core."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-core@6.1.20-tuxcare.6"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:d85dcc1a-9bcc-5fe2-8a81-04e7eaae8372",
      "id": "CVE-2025-41254",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2025-41254 affects version 6.1.20-tuxcare.6 of org.springframework:spring-core."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-core@6.1.20-tuxcare.6"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:145ca504-938c-5046-9a9c-09cba7e27c0a",
      "id": "CVE-2026-22735",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2026-22735 is fixed in version 6.1.20-tuxcare.6 of org.springframework:spring-core."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-core@6.1.20-tuxcare.6"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:0b1bd452-b3dd-5e69-affd-e5b3253125c8",
      "id": "CVE-2026-22737",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2026-22737 is fixed in version 6.1.20-tuxcare.6 of org.springframework:spring-core."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-core@6.1.20-tuxcare.6"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:3d5a4fc6-ceaa-514e-9d17-3f37139eacb4",
      "id": "CVE-2026-22740",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2026-22740 is fixed in version 6.1.20-tuxcare.6 of org.springframework:spring-core."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-core@6.1.20-tuxcare.6"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:3e6224d3-64da-5d89-8198-e9c6618815f7",
      "id": "CVE-2026-22741",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2026-22741 is fixed in version 6.1.20-tuxcare.6 of org.springframework:spring-core."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-core@6.1.20-tuxcare.6"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:ffc51081-2f0c-5163-a245-e01bfc89c372",
      "id": "CVE-2026-22745",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2026-22745 is fixed in version 6.1.20-tuxcare.6 of org.springframework:spring-core."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-core@6.1.20-tuxcare.6"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:2fad8bf1-71fe-5c1f-b450-1db489dd4bf7",
      "id": "CVE-2026-41838",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2026-41838 is fixed in version 6.1.20-tuxcare.6 of org.springframework:spring-core."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-core@6.1.20-tuxcare.6"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:8a9b9d9d-e7d4-5fd6-bc92-b56283bc88d7",
      "id": "CVE-2026-41839",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2026-41839 is fixed in version 6.1.20-tuxcare.6 of org.springframework:spring-core."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-core@6.1.20-tuxcare.6"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:48ec7740-d3a5-552f-bba4-919d36beb7ef",
      "id": "CVE-2026-41840",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2026-41840 does not affect version 6.1.20-tuxcare.6 of org.springframework:spring-core. Reason: already_fixed \u2014 Spring Framework 6.1.20-tuxcare.4 already contains both doOnDiscard handlers that prevent the multipart memory leak vulnerability. The fixes were applied via TuxCare backport commit a6b78f2a1c on May 19, 2026 under CVE-2026-22740, which appears to be the same vulnerability as CVE-2026-41840 or one closely related to it."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-core@6.1.20-tuxcare.6"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:63122afe-10f8-54a1-aa9e-f6956d38c64b",
      "id": "CVE-2026-41841",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-41841 affects version 6.1.20-tuxcare.6 of org.springframework:spring-core."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-core@6.1.20-tuxcare.6"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:0f271ad6-468e-5904-bd31-83f6262636d3",
      "id": "CVE-2026-41842",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2026-41842 is fixed in version 6.1.20-tuxcare.6 of org.springframework:spring-core."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-core@6.1.20-tuxcare.6"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:37b852cb-e6be-55d1-a9d1-cad7aa1bf4d1",
      "id": "CVE-2026-41843",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-41843 affects version 6.1.20-tuxcare.6 of org.springframework:spring-core."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-core@6.1.20-tuxcare.6"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:8d3c04be-0791-5530-ad76-c4c1e19e0138",
      "id": "CVE-2026-41844",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-41844 affects version 6.1.20-tuxcare.6 of org.springframework:spring-core."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-core@6.1.20-tuxcare.6"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:7f0b0f4d-c5ef-5205-9719-0635034b597c",
      "id": "CVE-2026-41845",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2026-41845 is fixed in version 6.1.20-tuxcare.6 of org.springframework:spring-core."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-core@6.1.20-tuxcare.6"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:f8800ca0-1eba-5ee1-955a-eee934456171",
      "id": "CVE-2026-41846",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2026-41846 is fixed in version 6.1.20-tuxcare.6 of org.springframework:spring-core."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-core@6.1.20-tuxcare.6"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:8dd9c9b1-5a10-5407-8101-1e2b27d44f97",
      "id": "CVE-2026-41848",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2026-41848 is fixed in version 6.1.20-tuxcare.6 of org.springframework:spring-core."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-core@6.1.20-tuxcare.6"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:008a4617-f83a-573d-a6ab-bdddf86de1ae",
      "id": "CVE-2026-41850",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2026-41850 is fixed in version 6.1.20-tuxcare.6 of org.springframework:spring-core."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-core@6.1.20-tuxcare.6"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:f95adde1-e861-5658-9643-e58953a570b4",
      "id": "CVE-2026-41851",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-41851 affects version 6.1.20-tuxcare.6 of org.springframework:spring-core."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-core@6.1.20-tuxcare.6"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:51ecf649-4215-5fa2-9915-1fba05d4932a",
      "id": "CVE-2026-41852",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2026-41852 is fixed in version 6.1.20-tuxcare.6 of org.springframework:spring-core."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-core@6.1.20-tuxcare.6"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:516f456a-2c74-537c-9857-64faa818967a",
      "id": "CVE-2026-41853",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-41853 affects version 6.1.20-tuxcare.6 of org.springframework:spring-core."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-core@6.1.20-tuxcare.6"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:426649c9-043f-5a3c-b57b-6c6fc4451799",
      "id": "CVE-2026-41855",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-41855 affects version 6.1.20-tuxcare.6 of org.springframework:spring-core."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-core@6.1.20-tuxcare.6"
        }
      ]
    }
  ],
  "dependencies": [
    {
      "ref": "pkg:maven/org.springframework/spring-core@6.1.20-tuxcare.6"
    }
  ]
}