{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:dd0a5676-8812-5c8d-bbea-e0f7545638dd", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:maven/org.springframework/spring-expression@6.1.20-tuxcare.5", "type": "library", "group": "org.springframework", "name": "spring-expression", "version": "6.1.20-tuxcare.5", "purl": "pkg:maven/org.springframework/spring-expression@6.1.20-tuxcare.5" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:45060c8a-010c-544a-be67-483b2d5a1f79", "id": "CVE-2025-22233", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-22233 affects version 6.1.20-tuxcare.5 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@6.1.20-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:b7983774-d73a-5319-b969-add4b1bfffef", "id": "CVE-2025-41234", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-41234 is fixed in version 6.1.20-tuxcare.5 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@6.1.20-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:918334d0-eb2c-5548-950d-d76fa407fcdd", "id": "CVE-2025-41242", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41242 affects version 6.1.20-tuxcare.5 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@6.1.20-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:cf36adce-82c9-584c-828d-1f34a532132a", "id": "CVE-2025-41249", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41249 affects version 6.1.20-tuxcare.5 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@6.1.20-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:92b1362a-8bca-52be-ae63-b3df8ec1ff4d", "id": "CVE-2025-41254", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41254 affects version 6.1.20-tuxcare.5 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@6.1.20-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:a3d7d4d4-1701-53ed-8970-47f0b0ce2f84", "id": "CVE-2026-22735", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22735 is fixed in version 6.1.20-tuxcare.5 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@6.1.20-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:f38bd9ce-5f36-50ba-af8c-94fdf7fe9b8e", "id": "CVE-2026-22737", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22737 is fixed in version 6.1.20-tuxcare.5 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@6.1.20-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:83836a85-a910-5b32-8603-071ef3d843b3", "id": "CVE-2026-22740", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22740 is fixed in version 6.1.20-tuxcare.5 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@6.1.20-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:75427b2c-d24e-5d51-856e-2ce62854be0d", "id": "CVE-2026-22741", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22741 is fixed in version 6.1.20-tuxcare.5 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@6.1.20-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:2a4639ab-cd0b-51b9-bef2-b425e8c604d1", "id": "CVE-2026-22745", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22745 is fixed in version 6.1.20-tuxcare.5 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@6.1.20-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:32b5aecb-9524-57df-9525-6b2b1530ca4e", "id": "CVE-2026-41838", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-41838 is fixed in version 6.1.20-tuxcare.5 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@6.1.20-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:87e9cfd5-7ddf-5b9f-9997-23496d7a4aa6", "id": "CVE-2026-41839", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-41839 is fixed in version 6.1.20-tuxcare.5 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@6.1.20-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:dcacdab1-ce06-5ec8-b489-38a2ff4f7c37", "id": "CVE-2026-41840", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41840 does not affect version 6.1.20-tuxcare.5 of org.springframework:spring-expression. already_fixed \u2014 Spring Framework 6.1.20-tuxcare.4 already contains both doOnDiscard handlers that prevent the multipart memory leak vulnerability. The fixes were applied via TuxCare backport commit a6b78f2a1c on May 19, 2026 under CVE-2026-22740, which appears to be the same or closely related vulnerability as CVE-2026-41840." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@6.1.20-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:0cb2baad-c9f7-5d9b-888d-754023bdfd5b", "id": "CVE-2026-41841", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41841 affects version 6.1.20-tuxcare.5 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@6.1.20-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:ecd6cc99-f314-5a0c-94c0-cd12d8b8ee85", "id": "CVE-2026-41842", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-41842 is fixed in version 6.1.20-tuxcare.5 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@6.1.20-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:b1da0b4b-4f1f-5310-91f5-c2775b0f377b", "id": "CVE-2026-41843", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41843 affects version 6.1.20-tuxcare.5 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@6.1.20-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:b7e1c781-7935-54d7-9690-2faa4b449fd9", "id": "CVE-2026-41844", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41844 affects version 6.1.20-tuxcare.5 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@6.1.20-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:39b6dd04-4899-50b0-bb55-b8f8f3234863", "id": "CVE-2026-41845", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-41845 is fixed in version 6.1.20-tuxcare.5 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@6.1.20-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:f090458a-3e06-5382-807d-cdcf7812aa46", "id": "CVE-2026-41846", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41846 affects version 6.1.20-tuxcare.5 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@6.1.20-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:86cf49ad-8462-5db9-b1a6-146d12580efa", "id": "CVE-2026-41848", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-41848 is fixed in version 6.1.20-tuxcare.5 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@6.1.20-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:5eded314-5959-5bdb-bdc2-cea00bce0d38", "id": "CVE-2026-41850", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-41850 is fixed in version 6.1.20-tuxcare.5 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@6.1.20-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:2f18213b-3887-5529-b6c2-40ade27d7b34", "id": "CVE-2026-41851", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41851 affects version 6.1.20-tuxcare.5 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@6.1.20-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:baf94f09-f65f-52f8-a0b6-530e314a665e", "id": "CVE-2026-41852", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41852 affects version 6.1.20-tuxcare.5 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@6.1.20-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:afa4d312-6dd7-5553-9bf0-ad9ea4942f5e", "id": "CVE-2026-41853", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41853 affects version 6.1.20-tuxcare.5 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@6.1.20-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:61985076-bb02-5d6b-9173-7dfb76f9d28a", "id": "CVE-2026-41855", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41855 affects version 6.1.20-tuxcare.5 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@6.1.20-tuxcare.5" } ] } ], "dependencies": [ { "ref": "pkg:maven/org.springframework/spring-expression@6.1.20-tuxcare.5" } ] }