{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:653491a2-05c3-5bc6-9758-dd26807585c1", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:maven/org.springframework/spring-expression@6.1.20-tuxcare.6", "type": "library", "group": "org.springframework", "name": "spring-expression", "version": "6.1.20-tuxcare.6", "purl": "pkg:maven/org.springframework/spring-expression@6.1.20-tuxcare.6" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:21f7748a-c6c3-5889-a439-6e3c0a4c98bb", "id": "CVE-2025-22233", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-22233 affects version 6.1.20-tuxcare.6 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@6.1.20-tuxcare.6" } ] }, { "bom-ref": "urn:uuid:d52aa327-3ed7-5171-96e5-1726b2a6afe4", "id": "CVE-2025-41234", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-41234 is fixed in version 6.1.20-tuxcare.6 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@6.1.20-tuxcare.6" } ] }, { "bom-ref": "urn:uuid:2bbb9b48-3937-52ca-aca9-4fd79f3789ba", "id": "CVE-2025-41242", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41242 affects version 6.1.20-tuxcare.6 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@6.1.20-tuxcare.6" } ] }, { "bom-ref": "urn:uuid:3ba5213a-3bcb-5f38-bb4b-60e8faeeff02", "id": "CVE-2025-41249", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41249 affects version 6.1.20-tuxcare.6 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@6.1.20-tuxcare.6" } ] }, { "bom-ref": "urn:uuid:35f764bb-bad6-5b08-9bb9-5d2411a7e533", "id": "CVE-2025-41254", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41254 affects version 6.1.20-tuxcare.6 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@6.1.20-tuxcare.6" } ] }, { "bom-ref": "urn:uuid:0b1bc07c-16f8-5ea5-8bad-0a1c9cfdaa66", "id": "CVE-2026-22735", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22735 is fixed in version 6.1.20-tuxcare.6 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@6.1.20-tuxcare.6" } ] }, { "bom-ref": "urn:uuid:f7cc45d2-d8fb-5850-b6fd-5948c53bef80", "id": "CVE-2026-22737", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22737 is fixed in version 6.1.20-tuxcare.6 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@6.1.20-tuxcare.6" } ] }, { "bom-ref": "urn:uuid:8cf7ff01-a5c1-5773-acc0-ae356fcd7611", "id": "CVE-2026-22740", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22740 is fixed in version 6.1.20-tuxcare.6 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@6.1.20-tuxcare.6" } ] }, { "bom-ref": "urn:uuid:99135b4b-e913-5204-bb29-87727c9c5137", "id": "CVE-2026-22741", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22741 is fixed in version 6.1.20-tuxcare.6 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@6.1.20-tuxcare.6" } ] }, { "bom-ref": "urn:uuid:1c9dcf28-855b-54c7-80aa-38dd9cc754eb", "id": "CVE-2026-22745", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22745 is fixed in version 6.1.20-tuxcare.6 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@6.1.20-tuxcare.6" } ] }, { "bom-ref": "urn:uuid:da4283dc-cfe9-5e69-8845-e1bc60ef4e5c", "id": "CVE-2026-41838", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-41838 is fixed in version 6.1.20-tuxcare.6 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@6.1.20-tuxcare.6" } ] }, { "bom-ref": "urn:uuid:c94d07ba-c79d-5e5b-ad0a-b9000a588f52", "id": "CVE-2026-41839", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-41839 is fixed in version 6.1.20-tuxcare.6 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@6.1.20-tuxcare.6" } ] }, { "bom-ref": "urn:uuid:f56930ad-aba7-5185-a74d-8279f0101bc5", "id": "CVE-2026-41840", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41840 does not affect version 6.1.20-tuxcare.6 of org.springframework:spring-expression. already_fixed \u2014 Spring Framework 6.1.20-tuxcare.4 already contains both doOnDiscard handlers that prevent the multipart memory leak vulnerability. The fixes were applied via TuxCare backport commit a6b78f2a1c on May 19, 2026 under CVE-2026-22740, which appears to be the same or closely related vulnerability as CVE-2026-41840." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@6.1.20-tuxcare.6" } ] }, { "bom-ref": "urn:uuid:7546af38-05a2-506e-a086-b901a0ad5754", "id": "CVE-2026-41841", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41841 affects version 6.1.20-tuxcare.6 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@6.1.20-tuxcare.6" } ] }, { "bom-ref": "urn:uuid:5889b7c2-2e5b-5337-b1c7-1e81e78fb65e", "id": "CVE-2026-41842", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-41842 is fixed in version 6.1.20-tuxcare.6 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@6.1.20-tuxcare.6" } ] }, { "bom-ref": "urn:uuid:bb726f54-bd6e-5d34-a81b-acf089eed952", "id": "CVE-2026-41843", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41843 affects version 6.1.20-tuxcare.6 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@6.1.20-tuxcare.6" } ] }, { "bom-ref": "urn:uuid:59be49e3-38c7-5460-bfa7-8fbbcea4f0a6", "id": "CVE-2026-41844", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41844 affects version 6.1.20-tuxcare.6 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@6.1.20-tuxcare.6" } ] }, { "bom-ref": "urn:uuid:af8e9174-bac0-5ee2-97c5-c0c967574e5b", "id": "CVE-2026-41845", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-41845 is fixed in version 6.1.20-tuxcare.6 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@6.1.20-tuxcare.6" } ] }, { "bom-ref": "urn:uuid:2acda60a-4607-549b-aefb-dd8133f94c90", "id": "CVE-2026-41846", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-41846 is fixed in version 6.1.20-tuxcare.6 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@6.1.20-tuxcare.6" } ] }, { "bom-ref": "urn:uuid:9aaed78f-63c9-50b8-86dd-63aee72f0073", "id": "CVE-2026-41848", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-41848 is fixed in version 6.1.20-tuxcare.6 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@6.1.20-tuxcare.6" } ] }, { "bom-ref": "urn:uuid:2e9ebcd3-7078-5dfc-946e-ca076d150124", "id": "CVE-2026-41850", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-41850 is fixed in version 6.1.20-tuxcare.6 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@6.1.20-tuxcare.6" } ] }, { "bom-ref": "urn:uuid:1790318f-003d-53f2-9bbd-c745b6dc443a", "id": "CVE-2026-41851", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41851 affects version 6.1.20-tuxcare.6 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@6.1.20-tuxcare.6" } ] }, { "bom-ref": "urn:uuid:0236e9b4-b59e-567f-aa94-a1758ceef18d", "id": "CVE-2026-41852", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-41852 is fixed in version 6.1.20-tuxcare.6 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@6.1.20-tuxcare.6" } ] }, { "bom-ref": "urn:uuid:c4fbf194-81b5-5ca1-b7a3-1aaf2f1975a3", "id": "CVE-2026-41853", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41853 affects version 6.1.20-tuxcare.6 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@6.1.20-tuxcare.6" } ] }, { "bom-ref": "urn:uuid:69b5b05b-b180-5611-9883-6ae6198ad0f6", "id": "CVE-2026-41855", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41855 affects version 6.1.20-tuxcare.6 of org.springframework:spring-expression." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-expression@6.1.20-tuxcare.6" } ] } ], "dependencies": [ { "ref": "pkg:maven/org.springframework/spring-expression@6.1.20-tuxcare.6" } ] }