{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:ac2d1bf8-4f89-5887-8e07-4e29b6716fda", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:maven/org.springframework/spring-expression@5.3.31-tuxcare.5", "type": "library", "group": "org.springframework", "name": "spring-expression", "version": "5.3.31-tuxcare.5", "purl": "pkg:maven/org.springframework/spring-expression@5.3.31-tuxcare.5" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:f77fe24e-944b-56d2-98ac-0842da046d72", "id": "CVE-2016-1000027", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2016-1000027 affects version 5.3.31-tuxcare.5 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.31-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:614f6d0f-58f5-5931-9b17-321510453219", "id": "CVE-2024-22243", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-22243 is fixed in version 5.3.31-tuxcare.5 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.31-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:ac11920d-49d1-5622-880b-5bdb625fe430", "id": "CVE-2024-22259", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-22259 is fixed in version 5.3.31-tuxcare.5 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.31-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:a76fb33c-23c6-5c67-a04a-0ab8d5437b59", "id": "CVE-2024-22262", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-22262 is fixed in version 5.3.31-tuxcare.5 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.31-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:7f126846-b65e-50b6-be49-915273a5ed5b", "id": "CVE-2024-38808", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38808 is fixed in version 5.3.31-tuxcare.5 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.31-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:675a4a58-e785-544b-9154-9772006e19a4", "id": "CVE-2024-38809", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38809 is fixed in version 5.3.31-tuxcare.5 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.31-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:2eb8bcfb-fadc-55a7-93ca-08cb4029259e", "id": "CVE-2024-38816", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38816 is fixed in version 5.3.31-tuxcare.5 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.31-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:916ef750-e00a-5094-83ef-17013c038b62", "id": "CVE-2024-38819", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38819 is fixed in version 5.3.31-tuxcare.5 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.31-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:7fcf5825-f5de-52d1-af99-ff76a56d754d", "id": "CVE-2024-38820", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38820 is fixed in version 5.3.31-tuxcare.5 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.31-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:5924fa86-2967-5753-9213-3105f383cbef", "id": "CVE-2024-38828", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38828 is fixed in version 5.3.31-tuxcare.5 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.31-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:3bb884be-7232-55ed-9c1f-2214e2ea73cc", "id": "CVE-2025-22233", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-22233 is fixed in version 5.3.31-tuxcare.5 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.31-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:f4f4312a-1ac2-573f-83ec-2769123db2be", "id": "CVE-2025-41234", "analysis": { "state": "false_positive", "detail": "Vulnerability CVE-2025-41234 is a false positive for org.springframework:spring-expression 5.3.31-tuxcare.5." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.31-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:92dc75af-dea0-5927-ae3b-da492f86a729", "id": "CVE-2025-41242", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-41242 is fixed in version 5.3.31-tuxcare.5 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.31-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:32bf5bdb-4935-5bac-a17e-fec763403924", "id": "CVE-2025-41249", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-41249 is fixed in version 5.3.31-tuxcare.5 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.31-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:f2d3e198-c594-5eee-b58b-5a38f6e8d853", "id": "CVE-2025-41254", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-41254 is fixed in version 5.3.31-tuxcare.5 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.31-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:556dd32e-8fc1-5e24-a464-e5194cd342ed", "id": "CVE-2026-22735", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22735 is fixed in version 5.3.31-tuxcare.5 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.31-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:80d6f608-605e-5626-9186-e7486406ee70", "id": "CVE-2026-22737", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22737 is fixed in version 5.3.31-tuxcare.5 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.31-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:e9d10d40-240a-509c-914e-d6e7a255f302", "id": "CVE-2026-22740", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22740 is fixed in version 5.3.31-tuxcare.5 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.31-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:4af654b0-54c0-5e2d-bd45-da66af4f015a", "id": "CVE-2026-22741", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-22741 affects version 5.3.31-tuxcare.5 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.31-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:cb2a63d2-d971-5c81-91fa-da2bd1906c0c", "id": "CVE-2026-22745", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22745 is fixed in version 5.3.31-tuxcare.5 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.31-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:9016ad3b-8224-58bf-976b-d2bd061ff92e", "id": "CVE-2026-41838", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41838 affects version 5.3.31-tuxcare.5 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.31-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:66fdee79-b787-5dfd-899e-2c272835b081", "id": "CVE-2026-41839", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41839 affects version 5.3.31-tuxcare.5 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.31-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:e822d249-99b1-580d-a6f4-58b44b0a2d9d", "id": "CVE-2026-41840", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41840 does not affect version 5.3.31-tuxcare.5 of org.springframework:spring-expression. already_fixed \u2014 The target repository (Spring Framework 5.3.31-tuxcare.3) already contains the complete fix for CVE-2026-41840. Both required doOnDiscard handlers were applied via commit 615477c88f (labeled as CVE-2026-22740 backport) merged on May 4, 2026. The code changes are byte-for-byte identical to the upstream patches." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.31-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:55155a46-f403-55ca-aa77-ab7263387ab5", "id": "CVE-2026-41841", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41841 affects version 5.3.31-tuxcare.5 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.31-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:237a66fc-b1da-5de9-8e5d-0219c03a80a4", "id": "CVE-2026-41842", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41842 affects version 5.3.31-tuxcare.5 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.31-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:b0a544be-7062-5e2c-8f30-f7e55ed0c511", "id": "CVE-2026-41843", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41843 affects version 5.3.31-tuxcare.5 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.31-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:9301f9a5-2819-50bc-8f7f-dafea3c36ae5", "id": "CVE-2026-41844", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-41844 is fixed in version 5.3.31-tuxcare.5 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.31-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:7cbfe388-0a8e-583c-878b-40fe1b95decc", "id": "CVE-2026-41845", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-41845 is fixed in version 5.3.31-tuxcare.5 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.31-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:94bc8e47-09c0-5c1d-b19c-5c8d0a1640ae", "id": "CVE-2026-41846", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41846 affects version 5.3.31-tuxcare.5 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.31-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:0dd06c8c-1097-5a18-ad66-4d3c669cee33", "id": "CVE-2026-41847", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41847 affects version 5.3.31-tuxcare.5 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.31-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:d3848a55-820a-57b6-b7ac-809561704849", "id": "CVE-2026-41848", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41848 affects version 5.3.31-tuxcare.5 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.31-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:9fee1618-33ff-5b92-a8b0-64610ab2a2e2", "id": "CVE-2026-41849", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41849 affects version 5.3.31-tuxcare.5 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.31-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:854fbeb5-f299-511f-af20-69f1bed2aabb", "id": "CVE-2026-41850", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41850 affects version 5.3.31-tuxcare.5 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.31-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:4cedac56-a415-578f-8811-c751139bc9fc", "id": "CVE-2026-41851", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41851 affects version 5.3.31-tuxcare.5 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.31-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:576d564e-f0cc-5f97-8df2-8f06b7c34f41", "id": "CVE-2026-41852", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41852 affects version 5.3.31-tuxcare.5 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.31-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:39e29bcb-4c4b-51a8-85d8-73ae1bd1209a", "id": "CVE-2026-41853", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41853 affects version 5.3.31-tuxcare.5 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.31-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:b095e8c3-0a81-5a95-a965-7f4858d68f5a", "id": "CVE-2026-41855", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41855 affects version 5.3.31-tuxcare.5 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.31-tuxcare.5" } ] } ], "dependencies": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.31-tuxcare.5" } ] }