{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:c94562f7-5c7a-52bc-9ca2-69b241d18e73", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:maven/org.springframework/spring-expression@5.1.20.RELEASE-tuxcare.2", "type": "library", "group": "org.springframework", "name": "spring-expression", "version": "5.1.20.RELEASE-tuxcare.2", "purl": "pkg:maven/org.springframework/spring-expression@5.1.20.RELEASE-tuxcare.2" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:a91fb5f0-bd40-5ec5-be2e-1549bf1d85cf", "id": "CVE-2016-1000027", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2016-1000027 affects version 5.1.20.RELEASE-tuxcare.2 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.1.20.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:48d4ab94-777a-558d-8574-a1184dbba140", "id": "CVE-2020-5421", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2020-5421 affects version 5.1.20.RELEASE-tuxcare.2 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.1.20.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:30d8df08-db0b-5797-9ecb-9953bedda7fb", "id": "CVE-2021-22096", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2021-22096 affects version 5.1.20.RELEASE-tuxcare.2 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.1.20.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:5ca54144-95b8-53e0-9562-235243560468", "id": "CVE-2021-22118", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2021-22118 affects version 5.1.20.RELEASE-tuxcare.2 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.1.20.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:a3b58675-f5af-5c41-8046-4daa31624de2", "id": "CVE-2022-22950", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22950 is fixed in version 5.1.20.RELEASE-tuxcare.2 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.1.20.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:50d19693-7270-5c29-adc2-76ac6c31939f", "id": "CVE-2022-22965", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22965 is fixed in version 5.1.20.RELEASE-tuxcare.2 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.1.20.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:e9e33786-2e3a-514e-a80e-b3437344febc", "id": "CVE-2022-22968", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22968 is fixed in version 5.1.20.RELEASE-tuxcare.2 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.1.20.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:8f322ffe-1286-5075-818a-47a067248bd4", "id": "CVE-2022-22970", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22970 is fixed in version 5.1.20.RELEASE-tuxcare.2 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.1.20.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:234da260-3193-51a8-a568-e708c3264ac8", "id": "CVE-2022-22971", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2022-22971 is fixed in version 5.1.20.RELEASE-tuxcare.2 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.1.20.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:b216f742-f034-5f9c-a9c0-0b2e48eb9737", "id": "CVE-2023-20861", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2023-20861 affects version 5.1.20.RELEASE-tuxcare.2 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.1.20.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:58ad1b70-fa17-5ed6-a420-661189475e84", "id": "CVE-2023-20863", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2023-20863 is fixed in version 5.1.20.RELEASE-tuxcare.2 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.1.20.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:438f9ae3-2f3c-5bf6-a63e-8701d6f0abe3", "id": "CVE-2024-22243", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-22243 is fixed in version 5.1.20.RELEASE-tuxcare.2 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.1.20.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:ab7659e7-92c8-5f9a-95c9-46a6a48fc853", "id": "CVE-2024-22259", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-22259 is fixed in version 5.1.20.RELEASE-tuxcare.2 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.1.20.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:65dc4d46-ff44-5d10-8cf4-f3424b41c803", "id": "CVE-2024-22262", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-22262 affects version 5.1.20.RELEASE-tuxcare.2 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.1.20.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:1842eeeb-5d68-5bbc-b7d8-aba6e55f0744", "id": "CVE-2024-38808", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38808 affects version 5.1.20.RELEASE-tuxcare.2 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.1.20.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:4a2ed9b7-0603-5b60-8650-878f1dac8593", "id": "CVE-2024-38809", "analysis": { "state": "false_positive", "detail": "Vulnerability CVE-2024-38809 is a false positive for org.springframework:spring-expression 5.1.20.RELEASE-tuxcare.2." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.1.20.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:5ac21cc1-e314-5c74-8647-70fb0e254fe3", "id": "CVE-2024-38819", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38819 affects version 5.1.20.RELEASE-tuxcare.2 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.1.20.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:1f6bb3da-bd18-52ff-8809-0d2ca0dc1eb4", "id": "CVE-2024-38820", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38820 is fixed in version 5.1.20.RELEASE-tuxcare.2 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.1.20.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:3b9c233e-8c9c-58ec-a70f-e48e4c75ad26", "id": "CVE-2025-22233", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-22233 affects version 5.1.20.RELEASE-tuxcare.2 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.1.20.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:60d5d520-bf58-51b3-ae5f-221334bbaad0", "id": "CVE-2025-41242", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-41242 is fixed in version 5.1.20.RELEASE-tuxcare.2 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.1.20.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:39778804-34ca-5549-bebd-0690f0dd08e0", "id": "CVE-2025-41249", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41249 affects version 5.1.20.RELEASE-tuxcare.2 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.1.20.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:d56cf0e7-3947-53f0-ba07-d48880b5fa75", "id": "CVE-2025-41254", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-41254 is fixed in version 5.1.20.RELEASE-tuxcare.2 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.1.20.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:97140c86-c0b1-51ba-9fca-d6ca88607679", "id": "CVE-2026-22740", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22740 affects version 5.1.20.RELEASE-tuxcare.2 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.1.20.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:6155ae72-a25e-50d4-8f75-e5451eb15007", "id": "CVE-2026-22741", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22741 affects version 5.1.20.RELEASE-tuxcare.2 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.1.20.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:3cab9d7b-0f88-572b-a1e2-7ec3e7de3e43", "id": "CVE-2026-22745", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22745 affects version 5.1.20.RELEASE-tuxcare.2 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.1.20.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:c439da2e-5245-5d4a-9c1b-4a00daa30023", "id": "CVE-2026-41838", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41838 affects version 5.1.20.RELEASE-tuxcare.2 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.1.20.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:5fabf857-ddbf-5a92-8d33-5ccce905e610", "id": "CVE-2026-41839", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41839 affects version 5.1.20.RELEASE-tuxcare.2 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.1.20.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:4655c774-aed1-5556-8620-ca83038022b3", "id": "CVE-2026-41840", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41840 does not affect version 5.1.20.RELEASE-tuxcare.2 of org.springframework:spring-expression. not_affected \u2014 Spring Framework version 5.1.20.RELEASE-tuxcare.2 is NOT affected by CVE-2026-41840. The target predates the vulnerable architecture (PartGenerator/MultipartParser) introduced in Spring 5.3.0 and uses a fundamentally different multipart parsing implementation (Synchronoss NIO Multipart library)." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.1.20.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:af3a3596-0321-522c-8cd3-517b40bce725", "id": "CVE-2026-41841", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41841 affects version 5.1.20.RELEASE-tuxcare.2 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.1.20.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:6efa31ae-90f0-54f0-8e15-ae2f26f6a714", "id": "CVE-2026-41842", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41842 affects version 5.1.20.RELEASE-tuxcare.2 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.1.20.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:43675c73-fe8f-5d9c-a3bb-64c44e92939f", "id": "CVE-2026-41843", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41843 affects version 5.1.20.RELEASE-tuxcare.2 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.1.20.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:41db81e9-656a-565f-a4bb-a330813614af", "id": "CVE-2026-41844", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41844 affects version 5.1.20.RELEASE-tuxcare.2 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.1.20.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:667d4545-9554-5b6f-9fd7-8bfdddbda11f", "id": "CVE-2026-41845", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41845 affects version 5.1.20.RELEASE-tuxcare.2 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.1.20.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:d64fff03-d44b-53aa-a4e6-c25a8f9b2326", "id": "CVE-2026-41846", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41846 affects version 5.1.20.RELEASE-tuxcare.2 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.1.20.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:96fc84eb-4947-570c-888f-2ba3d54a540e", "id": "CVE-2026-41847", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41847 affects version 5.1.20.RELEASE-tuxcare.2 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.1.20.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:c67333c8-950e-534e-a6b8-621c0fa9714b", "id": "CVE-2026-41848", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41848 affects version 5.1.20.RELEASE-tuxcare.2 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.1.20.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:ad0672d2-b916-5119-a314-8e4e2e523e69", "id": "CVE-2026-41849", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41849 affects version 5.1.20.RELEASE-tuxcare.2 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.1.20.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:fe97225e-6801-5016-9400-4faedcb5a1e4", "id": "CVE-2026-41850", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41850 affects version 5.1.20.RELEASE-tuxcare.2 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.1.20.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:7d099090-cf02-5b2a-9b8c-eb23b7fef25a", "id": "CVE-2026-41851", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41851 affects version 5.1.20.RELEASE-tuxcare.2 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.1.20.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:f61058e5-ed3c-5f57-8639-7aeb2b1e8177", "id": "CVE-2026-41852", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41852 affects version 5.1.20.RELEASE-tuxcare.2 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.1.20.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:8e9b620a-fcb3-5f27-96ed-3ede5799730b", "id": "CVE-2026-41853", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41853 does not affect version 5.1.20.RELEASE-tuxcare.2 of org.springframework:spring-expression. not_affected \u2014 Spring Framework version 5.1.20 is not affected by CVE-2026-41853. The vulnerability affects versions 5.3.0 and later, where a new native multipart parser (DefaultPartHttpMessageReader) was introduced. Version 5.1.20 uses different multipart parsing implementations that do not contain the vulnerable code." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.1.20.RELEASE-tuxcare.2" } ] }, { "bom-ref": "urn:uuid:7502d7cb-6a4f-588a-8b07-4a007858cab0", "id": "CVE-2026-41855", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41855 affects version 5.1.20.RELEASE-tuxcare.2 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.1.20.RELEASE-tuxcare.2" } ] } ], "dependencies": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.1.20.RELEASE-tuxcare.2" } ] }