{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:555d0ceb-b404-5f82-a53d-7fc701460425", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.13", "type": "library", "group": "org.springframework", "name": "spring-expression", "version": "5.3.39-tuxcare.13", "purl": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.13" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:7b186d63-2a0a-5d98-8dc0-bf1c7983994c", "id": "CVE-2016-1000027", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2016-1000027 affects version 5.3.39-tuxcare.13 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.13" } ] }, { "bom-ref": "urn:uuid:1142d9ff-021b-5eeb-93a1-aa2cc08020d5", "id": "CVE-2022-22968", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2022-22968 does not affect version 5.3.39-tuxcare.13 of org.springframework:spring-expression. Spring version 5.3.39 is not affected to CVE-2022-22968 as fix has been already already backported by the original developers" }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.13" } ] }, { "bom-ref": "urn:uuid:6c2e6499-00d5-53d9-b676-dc006664117f", "id": "CVE-2024-38816", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38816 is fixed in version 5.3.39-tuxcare.13 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.13" } ] }, { "bom-ref": "urn:uuid:5f26c58b-140e-522f-9ae1-c0481dca9644", "id": "CVE-2024-38819", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38819 is fixed in version 5.3.39-tuxcare.13 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.13" } ] }, { "bom-ref": "urn:uuid:4df30677-4148-594e-855c-a1ff182e7bb5", "id": "CVE-2024-38820", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38820 is fixed in version 5.3.39-tuxcare.13 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.13" } ] }, { "bom-ref": "urn:uuid:5203b382-6559-5473-bf99-a819ca4dc885", "id": "CVE-2024-38828", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38828 is fixed in version 5.3.39-tuxcare.13 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.13" } ] }, { "bom-ref": "urn:uuid:0875c1d0-cc09-5e7f-b96d-26d6c9ab8550", "id": "CVE-2025-22233", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-22233 is fixed in version 5.3.39-tuxcare.13 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.13" } ] }, { "bom-ref": "urn:uuid:7eb6974a-d246-54a6-a451-46af3141847c", "id": "CVE-2025-41234", "analysis": { "state": "false_positive", "detail": "Vulnerability CVE-2025-41234 is a false positive for org.springframework:spring-expression 5.3.39-tuxcare.13." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.13" } ] }, { "bom-ref": "urn:uuid:0ec8d59a-32e6-5125-aa12-843bc3b43ad0", "id": "CVE-2025-41242", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-41242 is fixed in version 5.3.39-tuxcare.13 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.13" } ] }, { "bom-ref": "urn:uuid:6a4ff888-153b-565b-abf6-2cef8a39d852", "id": "CVE-2025-41249", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-41249 is fixed in version 5.3.39-tuxcare.13 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.13" } ] }, { "bom-ref": "urn:uuid:3b4168b1-5e47-54c2-ba8b-1a98f66e59b8", "id": "CVE-2025-41254", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-41254 is fixed in version 5.3.39-tuxcare.13 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.13" } ] }, { "bom-ref": "urn:uuid:7b02d3f0-a2fa-5b2a-9b0b-55888d634b00", "id": "CVE-2026-22735", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22735 is fixed in version 5.3.39-tuxcare.13 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.13" } ] }, { "bom-ref": "urn:uuid:d80ec6a4-cd7e-55f6-81b3-a640a8af888e", "id": "CVE-2026-22737", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22737 is fixed in version 5.3.39-tuxcare.13 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.13" } ] }, { "bom-ref": "urn:uuid:e482054f-c3c5-53c3-8dbb-d11e273690ad", "id": "CVE-2026-22740", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22740 is fixed in version 5.3.39-tuxcare.13 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.13" } ] }, { "bom-ref": "urn:uuid:429d0d68-dd22-5332-a258-f5ce0c0a4329", "id": "CVE-2026-22741", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22741 is fixed in version 5.3.39-tuxcare.13 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.13" } ] }, { "bom-ref": "urn:uuid:8c779c55-9ccb-5711-9009-5b67088f4f14", "id": "CVE-2026-22745", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22745 is fixed in version 5.3.39-tuxcare.13 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.13" } ] }, { "bom-ref": "urn:uuid:893da415-180a-5636-82a7-b0efd52a5a1b", "id": "CVE-2026-41838", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-41838 is fixed in version 5.3.39-tuxcare.13 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.13" } ] }, { "bom-ref": "urn:uuid:bfd354e2-5201-5441-bb2a-d33815b0e504", "id": "CVE-2026-41839", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-41839 is fixed in version 5.3.39-tuxcare.13 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.13" } ] }, { "bom-ref": "urn:uuid:30affda4-dd2e-5eb0-bb2d-fd991744554c", "id": "CVE-2026-41840", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41840 does not affect version 5.3.39-tuxcare.13 of org.springframework:spring-expression. already_fixed \u2014 The target Spring Framework 5.3.39-tuxcare.12 already contains both vendor fixes for CVE-2026-41840. The fixes were backported via commit 4ef4cdca34 (May 13, 2026) under CVE-2026-22740, but the code changes are identical to the upstream patches. Both doOnDiscard handlers are present and active in PartGenerator.java and MultipartHttpMessageReader.java, preventing memory exhaustion from unrelease..." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.13" } ] }, { "bom-ref": "urn:uuid:9d84c552-186f-536d-a1b3-de46ef73682b", "id": "CVE-2026-41841", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41841 affects version 5.3.39-tuxcare.13 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.13" } ] }, { "bom-ref": "urn:uuid:9b2d17ec-380a-5599-ba96-f46adaf2fa11", "id": "CVE-2026-41842", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-41842 is fixed in version 5.3.39-tuxcare.13 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.13" } ] }, { "bom-ref": "urn:uuid:03dd4f88-7dde-5450-b5c1-feff1d2f4864", "id": "CVE-2026-41843", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41843 affects version 5.3.39-tuxcare.13 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.13" } ] }, { "bom-ref": "urn:uuid:551d167b-888e-5a38-bea6-8ab61d338c1a", "id": "CVE-2026-41844", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41844 affects version 5.3.39-tuxcare.13 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.13" } ] }, { "bom-ref": "urn:uuid:ca7da5ef-fbf8-5903-8bbe-2d0f6a577b72", "id": "CVE-2026-41845", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-41845 is fixed in version 5.3.39-tuxcare.13 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.13" } ] }, { "bom-ref": "urn:uuid:54d8d3da-caa8-5851-a24d-c634848b6be5", "id": "CVE-2026-41846", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-41846 is fixed in version 5.3.39-tuxcare.13 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.13" } ] }, { "bom-ref": "urn:uuid:a72d4cc8-9e32-5db7-ad71-517cfedfbc15", "id": "CVE-2026-41847", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41847 affects version 5.3.39-tuxcare.13 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.13" } ] }, { "bom-ref": "urn:uuid:31e93db3-a8be-5cd7-9c01-3a6597af693f", "id": "CVE-2026-41848", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41848 affects version 5.3.39-tuxcare.13 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.13" } ] }, { "bom-ref": "urn:uuid:4389cae8-221d-5293-9156-2fa51a46f085", "id": "CVE-2026-41849", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41849 affects version 5.3.39-tuxcare.13 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.13" } ] }, { "bom-ref": "urn:uuid:a6715379-5ab4-5951-b067-5e12c73c3b13", "id": "CVE-2026-41850", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41850 affects version 5.3.39-tuxcare.13 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.13" } ] }, { "bom-ref": "urn:uuid:eb26fca9-1bf0-5e01-9e68-37c2bbf7aced", "id": "CVE-2026-41851", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-41851 is fixed in version 5.3.39-tuxcare.13 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.13" } ] }, { "bom-ref": "urn:uuid:eac37376-f79d-5e3a-886e-5276af92cf19", "id": "CVE-2026-41852", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-41852 is fixed in version 5.3.39-tuxcare.13 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.13" } ] }, { "bom-ref": "urn:uuid:a2add2a8-7470-572b-8ca6-cdda8cd30bf1", "id": "CVE-2026-41853", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41853 affects version 5.3.39-tuxcare.13 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.13" } ] }, { "bom-ref": "urn:uuid:ba22d689-2e0c-5335-b9f9-564867523a09", "id": "CVE-2026-41855", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41855 affects version 5.3.39-tuxcare.13 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.13" } ] } ], "dependencies": [ { "ref": "pkg:maven/org.springframework/spring-expression@5.3.39-tuxcare.13" } ] }