{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:a3c19ca6-0db8-5e31-ae47-c34b98303a8d", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:maven/org.springframework/spring-expression@5.3.31-tuxcare.4", "type": "library", "group": "org.springframework", "name": "spring-expression", "version": "5.3.31-tuxcare.4", "purl": "pkg:maven/org.springframework/spring-expression@5.3.31-tuxcare.4" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:329c4a08-2cd5-5a58-b13f-92362a24143c", "id": "CVE-2016-1000027", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2016-1000027 affects version 5.3.31-tuxcare.4 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.31-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:7c8ce929-303c-5d4f-851c-ffe8d5128ae3", "id": "CVE-2024-22243", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-22243 is fixed in version 5.3.31-tuxcare.4 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.31-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:baaf6a4c-dc4a-50e3-a164-63e2ecedcae0", "id": "CVE-2024-22259", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-22259 is fixed in version 5.3.31-tuxcare.4 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.31-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:d5162cbd-f251-58a9-9f38-2afcb9631531", "id": "CVE-2024-22262", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-22262 is fixed in version 5.3.31-tuxcare.4 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.31-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:5483a452-d091-5bbf-9d58-5816420d1f31", "id": "CVE-2024-38808", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38808 is fixed in version 5.3.31-tuxcare.4 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.31-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:c760adf5-d6dd-590a-9d36-f6c9de023544", "id": "CVE-2024-38809", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38809 is fixed in version 5.3.31-tuxcare.4 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.31-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:1201d61d-76d6-512d-aac6-c279141456ed", "id": "CVE-2024-38816", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38816 is fixed in version 5.3.31-tuxcare.4 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.31-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:1a4e99a7-5ab4-5836-a15a-d938fb1e8d24", "id": "CVE-2024-38819", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38819 is fixed in version 5.3.31-tuxcare.4 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.31-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:81ece361-0e65-51eb-96b1-46669cf8935e", "id": "CVE-2024-38820", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38820 is fixed in version 5.3.31-tuxcare.4 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.31-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:be456153-2185-589c-9c6a-188914f3790e", "id": "CVE-2024-38828", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38828 is fixed in version 5.3.31-tuxcare.4 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.31-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:fc981842-fd56-5055-aa85-ad0ee0cbb7ff", "id": "CVE-2025-22233", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-22233 is fixed in version 5.3.31-tuxcare.4 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.31-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:0a2eb014-7e5c-5582-add3-aca191239273", "id": "CVE-2025-41234", "analysis": { "state": "false_positive", "detail": "Vulnerability CVE-2025-41234 is a false positive for org.springframework:spring-expression 5.3.31-tuxcare.4." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.31-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:8afd81e7-6116-518c-a3ac-9a6467f83d35", "id": "CVE-2025-41242", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-41242 is fixed in version 5.3.31-tuxcare.4 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.31-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:bf8689fa-299c-5d11-91d7-bd5f18912f01", "id": "CVE-2025-41249", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-41249 is fixed in version 5.3.31-tuxcare.4 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.31-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:799d18b1-2556-5caf-9123-0c3b3cad9553", "id": "CVE-2025-41254", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-41254 is fixed in version 5.3.31-tuxcare.4 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.31-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:701a06d6-02ee-5711-8981-d54b629b296d", "id": "CVE-2026-22735", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22735 is fixed in version 5.3.31-tuxcare.4 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.31-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:ddbd3399-c22e-5acf-bbe5-254ff8b3fbb8", "id": "CVE-2026-22737", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22737 affects version 5.3.31-tuxcare.4 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.31-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:4c4a8505-0b54-5444-b99b-75036c489eb7", "id": "CVE-2026-22740", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22740 is fixed in version 5.3.31-tuxcare.4 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.31-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:7ff5c090-e7a5-53e2-ba20-1caa53aa3a0b", "id": "CVE-2026-22741", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22741 affects version 5.3.31-tuxcare.4 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.31-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:933889be-049c-585a-a67a-d92598c2c7d6", "id": "CVE-2026-22745", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22745 is fixed in version 5.3.31-tuxcare.4 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.31-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:d3aa7c19-337a-551c-8526-6df07a0ad8a3", "id": "CVE-2026-41838", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41838 affects version 5.3.31-tuxcare.4 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.31-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:c321bfb4-efd4-59df-a5fe-5f7d686b4738", "id": "CVE-2026-41839", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41839 affects version 5.3.31-tuxcare.4 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.31-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:abde6b8f-4e85-5ebc-8693-30b0d96909cf", "id": "CVE-2026-41840", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41840 does not affect version 5.3.31-tuxcare.4 of org.springframework:spring-expression. already_fixed \u2014 The target repository (Spring Framework 5.3.31-tuxcare.3) already contains the complete fix for CVE-2026-41840. Both required doOnDiscard handlers were applied via commit 615477c88f (labeled as CVE-2026-22740 backport) merged on May 4, 2026. The code changes are byte-for-byte identical to the upstream patches." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.31-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:bd16ba0c-3cfd-513c-84b2-fa5141df392a", "id": "CVE-2026-41841", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41841 affects version 5.3.31-tuxcare.4 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.31-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:1ca954a2-660a-54f4-934a-d4f3621dc7d0", "id": "CVE-2026-41842", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41842 affects version 5.3.31-tuxcare.4 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.31-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:46fb7bae-93c1-574a-bcb3-5854b1c0f41e", "id": "CVE-2026-41843", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41843 affects version 5.3.31-tuxcare.4 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.31-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:33974063-142c-5777-84f9-083db2a9868c", "id": "CVE-2026-41844", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41844 affects version 5.3.31-tuxcare.4 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.31-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:fe6db29f-a6e4-5f4e-be1c-e27af9503d75", "id": "CVE-2026-41845", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-41845 is fixed in version 5.3.31-tuxcare.4 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.31-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:f907249e-3eff-53f7-9cb7-eb92b287df47", "id": "CVE-2026-41846", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41846 affects version 5.3.31-tuxcare.4 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.31-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:d872d5f9-5bc2-5571-88c3-0d38e2f9e91a", "id": "CVE-2026-41847", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41847 affects version 5.3.31-tuxcare.4 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.31-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:6c8221a1-3c1b-5c08-9d02-d45c32cb5893", "id": "CVE-2026-41848", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41848 affects version 5.3.31-tuxcare.4 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.31-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:897acd90-ff0b-5b41-a284-f5e09b0cb7ce", "id": "CVE-2026-41849", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41849 affects version 5.3.31-tuxcare.4 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.31-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:477fa87d-981a-5f37-a15f-56bf7d606156", "id": "CVE-2026-41850", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41850 affects version 5.3.31-tuxcare.4 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.31-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:4d1aac3f-93b3-5d5b-ad15-d6f8530a0a6a", "id": "CVE-2026-41851", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41851 affects version 5.3.31-tuxcare.4 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.31-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:727e33b5-8bc1-58f1-8eb0-7d70845171f2", "id": "CVE-2026-41852", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41852 affects version 5.3.31-tuxcare.4 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.31-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:53b4c864-3e5a-5dee-a718-01b17ac91599", "id": "CVE-2026-41853", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41853 affects version 5.3.31-tuxcare.4 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.31-tuxcare.4" } ] }, { "bom-ref": "urn:uuid:9257f617-04bd-5aa4-a9a1-b00d1b62dcf5", "id": "CVE-2026-41855", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41855 affects version 5.3.31-tuxcare.4 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.31-tuxcare.4" } ] } ], "dependencies": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.31-tuxcare.4" } ] }