{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:4546883e-f7b5-51ef-979a-93d9d151a588", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:maven/org.springframework/spring-expression@5.3.37-tuxcare.7", "type": "library", "group": "org.springframework", "name": "spring-expression", "version": "5.3.37-tuxcare.7", "purl": "pkg:maven/org.springframework/spring-expression@5.3.37-tuxcare.7" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:fa560f5e-c923-5ee7-9824-80759d5da137", "id": "CVE-2016-1000027", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2016-1000027 affects version 5.3.37-tuxcare.7 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.37-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:68a14a2b-2e6c-507b-9b97-bdca1c17fa6d", "id": "CVE-2024-38808", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38808 is fixed in version 5.3.37-tuxcare.7 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.37-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:d9ff3e18-8a7f-5baa-9f00-9fd369299681", "id": "CVE-2024-38809", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38809 is fixed in version 5.3.37-tuxcare.7 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.37-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:7e921836-4f30-5466-b6fd-f399c05966d5", "id": "CVE-2024-38816", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38816 is fixed in version 5.3.37-tuxcare.7 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.37-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:797c8de1-e6c1-57d3-8be6-8666b74b3716", "id": "CVE-2024-38819", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38819 is fixed in version 5.3.37-tuxcare.7 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.37-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:d4e86ae4-e638-54fa-9ee8-e7499977807f", "id": "CVE-2024-38820", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38820 is fixed in version 5.3.37-tuxcare.7 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.37-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:76c1275b-03db-5b42-be48-3a82543886c0", "id": "CVE-2024-38828", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2024-38828 affects version 5.3.37-tuxcare.7 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.37-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:0ec9ba23-4107-5a32-83dd-9abdefe2800b", "id": "CVE-2025-22233", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-22233 is fixed in version 5.3.37-tuxcare.7 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.37-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:d81be280-73d3-5b56-90f2-e797ee0f76a4", "id": "CVE-2025-41242", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41242 affects version 5.3.37-tuxcare.7 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.37-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:08596354-0a6f-560f-9349-53b83beee071", "id": "CVE-2025-41249", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-41249 is fixed in version 5.3.37-tuxcare.7 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.37-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:2f4b99fb-086a-58bc-9a84-5735d3352953", "id": "CVE-2025-41254", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41254 affects version 5.3.37-tuxcare.7 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.37-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:03bd85d6-a3ff-52fc-9930-376f4805ed7e", "id": "CVE-2026-22735", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22735 is fixed in version 5.3.37-tuxcare.7 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.37-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:177945bc-bf71-54d5-a96e-4ceaef12aa98", "id": "CVE-2026-22737", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22737 is fixed in version 5.3.37-tuxcare.7 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.37-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:ceaf9211-38a4-5883-9453-1ee31fa4725a", "id": "CVE-2026-22740", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22740 is fixed in version 5.3.37-tuxcare.7 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.37-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:d85850fe-efd0-55e9-98c9-b6359b10c35a", "id": "CVE-2026-22741", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22741 is fixed in version 5.3.37-tuxcare.7 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.37-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:ce31f517-3bce-5b46-b3c1-d17e2d9f42c0", "id": "CVE-2026-22745", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22745 is fixed in version 5.3.37-tuxcare.7 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.37-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:e06cdd52-c9c9-54b2-a211-4c16c62d52e1", "id": "CVE-2026-41838", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-41838 is fixed in version 5.3.37-tuxcare.7 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.37-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:831c4cb9-499a-53e2-8d91-aaed0beb7efb", "id": "CVE-2026-41839", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41839 affects version 5.3.37-tuxcare.7 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.37-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:f2a41cde-f718-5522-933a-244ed45b2409", "id": "CVE-2026-41840", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41840 does not affect version 5.3.37-tuxcare.7 of org.springframework:spring-expression. already_fixed \u2014 The target repository (Spring Framework 5.3.37-tuxcare.6) already contains both fixes for CVE-2026-41840. The fixes were backported on June 8, 2026 via commit 648b33d0a3 as part of CVE-2026-22740 remediation, which addresses the same multipart memory leak vulnerability." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.37-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:7f99a1e2-de9d-56ec-8303-96c6546ce05d", "id": "CVE-2026-41841", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41841 affects version 5.3.37-tuxcare.7 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.37-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:6a38d1ab-4f49-5f92-99ed-c146a62cf2e5", "id": "CVE-2026-41842", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41842 affects version 5.3.37-tuxcare.7 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.37-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:ce6b6835-1aa9-5a8a-bda5-efa070b3c061", "id": "CVE-2026-41843", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41843 affects version 5.3.37-tuxcare.7 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.37-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:082986de-01c7-5403-aec0-f96eeaa846ab", "id": "CVE-2026-41844", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-41844 is fixed in version 5.3.37-tuxcare.7 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.37-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:8c9fff82-e07b-5252-8f6b-3517a63d70db", "id": "CVE-2026-41845", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-41845 is fixed in version 5.3.37-tuxcare.7 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.37-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:df798a8e-daf3-568a-9ea1-78b5e5cbc2f8", "id": "CVE-2026-41846", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41846 affects version 5.3.37-tuxcare.7 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.37-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:7f2da915-2bd7-5e2d-999c-064f91e36f74", "id": "CVE-2026-41847", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41847 affects version 5.3.37-tuxcare.7 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.37-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:95630e42-b885-5272-b91d-e05f12f3b004", "id": "CVE-2026-41848", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41848 affects version 5.3.37-tuxcare.7 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.37-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:4721695a-81bf-55a6-ae2b-2570ca0690db", "id": "CVE-2026-41849", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41849 affects version 5.3.37-tuxcare.7 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.37-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:b6c131bb-0d43-5951-b4f0-dffbe2f657cf", "id": "CVE-2026-41850", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41850 affects version 5.3.37-tuxcare.7 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.37-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:af3246e2-bf06-5004-b157-ff45e89a1d15", "id": "CVE-2026-41851", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41851 affects version 5.3.37-tuxcare.7 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.37-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:01b48ffe-4992-5de7-9c84-e52bb04780f9", "id": "CVE-2026-41852", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41852 affects version 5.3.37-tuxcare.7 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.37-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:3f19f149-51c8-5dba-b921-4702130f286f", "id": "CVE-2026-41853", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41853 affects version 5.3.37-tuxcare.7 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.37-tuxcare.7" } ] }, { "bom-ref": "urn:uuid:3c3f9654-24bb-50a6-b667-7fb4e6939b34", "id": "CVE-2026-41855", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41855 affects version 5.3.37-tuxcare.7 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.37-tuxcare.7" } ] } ], "dependencies": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.37-tuxcare.7" } ] }