{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:a91fe3d5-10c8-5307-a61f-63e992555f5b", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:maven/org.springframework/spring-instrument@5.3.39-tuxcare.14", "type": "library", "group": "org.springframework", "name": "spring-instrument", "version": "5.3.39-tuxcare.14", "purl": "pkg:maven/org.springframework/spring-instrument@5.3.39-tuxcare.14" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:551bf651-d404-5c69-90af-bd87368a75cc", "id": "CVE-2016-1000027", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2016-1000027 affects version 5.3.39-tuxcare.14 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39-tuxcare.14" } ] }, { "bom-ref": "urn:uuid:75d96a9d-7f47-56a0-9d65-cec9c1930344", "id": "CVE-2022-22968", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2022-22968 does not affect version 5.3.39-tuxcare.14 of org.springframework:spring-instrument. Spring version 5.3.39 is not affected to CVE-2022-22968 as fix has been already already backported by the original developers" }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39-tuxcare.14" } ] }, { "bom-ref": "urn:uuid:e22a84ce-ecf4-5d44-aae1-f781dcd85036", "id": "CVE-2024-38816", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38816 is fixed in version 5.3.39-tuxcare.14 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39-tuxcare.14" } ] }, { "bom-ref": "urn:uuid:fae9f436-5d47-5e27-8bbd-59a8de660c2b", "id": "CVE-2024-38819", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38819 is fixed in version 5.3.39-tuxcare.14 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39-tuxcare.14" } ] }, { "bom-ref": "urn:uuid:b4f0bf16-a683-5150-abdd-ebadd57142b5", "id": "CVE-2024-38820", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38820 is fixed in version 5.3.39-tuxcare.14 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39-tuxcare.14" } ] }, { "bom-ref": "urn:uuid:07294c49-0931-5315-b0d6-fd40f4a60efd", "id": "CVE-2024-38828", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2024-38828 is fixed in version 5.3.39-tuxcare.14 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39-tuxcare.14" } ] }, { "bom-ref": "urn:uuid:da8d6465-0ce9-5e42-89a5-ead3ea3f338e", "id": "CVE-2025-22233", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-22233 is fixed in version 5.3.39-tuxcare.14 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39-tuxcare.14" } ] }, { "bom-ref": "urn:uuid:4cf1cd74-6b57-5558-9f00-2c742e7d3211", "id": "CVE-2025-41234", "analysis": { "state": "false_positive", "detail": "Vulnerability CVE-2025-41234 is a false positive for org.springframework:spring-instrument 5.3.39-tuxcare.14." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39-tuxcare.14" } ] }, { "bom-ref": "urn:uuid:6191833e-f5e2-5a09-83c2-45f73f931003", "id": "CVE-2025-41242", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-41242 is fixed in version 5.3.39-tuxcare.14 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39-tuxcare.14" } ] }, { "bom-ref": "urn:uuid:1074fabb-55ca-5a42-a309-7c15a738e271", "id": "CVE-2025-41249", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-41249 is fixed in version 5.3.39-tuxcare.14 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39-tuxcare.14" } ] }, { "bom-ref": "urn:uuid:0fff0c90-4dd4-5680-b9c9-1769d0d61cad", "id": "CVE-2025-41254", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-41254 is fixed in version 5.3.39-tuxcare.14 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39-tuxcare.14" } ] }, { "bom-ref": "urn:uuid:85583831-56bf-5143-9a63-34d205c19659", "id": "CVE-2026-22735", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22735 is fixed in version 5.3.39-tuxcare.14 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39-tuxcare.14" } ] }, { "bom-ref": "urn:uuid:cdd610f9-a569-57ec-9167-d720f2694dd4", "id": "CVE-2026-22737", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22737 is fixed in version 5.3.39-tuxcare.14 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39-tuxcare.14" } ] }, { "bom-ref": "urn:uuid:d421cf94-e414-5428-bd8e-f61cacb44b0d", "id": "CVE-2026-22740", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22740 is fixed in version 5.3.39-tuxcare.14 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39-tuxcare.14" } ] }, { "bom-ref": "urn:uuid:127b70a9-9630-5029-b180-9adb5265daa5", "id": "CVE-2026-22741", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22741 is fixed in version 5.3.39-tuxcare.14 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39-tuxcare.14" } ] }, { "bom-ref": "urn:uuid:489372b6-c5bc-5ef1-b21b-95cd976dd599", "id": "CVE-2026-22745", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22745 is fixed in version 5.3.39-tuxcare.14 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39-tuxcare.14" } ] }, { "bom-ref": "urn:uuid:2e2160ff-8dcf-59bb-a3fc-39a24028fad3", "id": "CVE-2026-41838", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-41838 is fixed in version 5.3.39-tuxcare.14 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39-tuxcare.14" } ] }, { "bom-ref": "urn:uuid:5475bc25-5445-5e35-8ccd-6ecdf89a4a11", "id": "CVE-2026-41839", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-41839 is fixed in version 5.3.39-tuxcare.14 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39-tuxcare.14" } ] }, { "bom-ref": "urn:uuid:6495990a-8587-5e5e-91d3-1ef281029d86", "id": "CVE-2026-41840", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41840 does not affect version 5.3.39-tuxcare.14 of org.springframework:spring-instrument. already_fixed \u2014 The target Spring Framework 5.3.39-tuxcare.12 already contains both vendor fixes for CVE-2026-41840. The fixes were backported via commit 4ef4cdca34 (May 13, 2026) under CVE-2026-22740, but the code changes are identical to the upstream patches. Both doOnDiscard handlers are present and active in PartGenerator.java and MultipartHttpMessageReader.java, preventing memory exhaustion from unrelease..." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39-tuxcare.14" } ] }, { "bom-ref": "urn:uuid:2c846508-f89e-53cd-a9d1-a649715fcedf", "id": "CVE-2026-41841", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41841 affects version 5.3.39-tuxcare.14 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39-tuxcare.14" } ] }, { "bom-ref": "urn:uuid:c47ed267-c606-5d9d-bdf5-979474f234ba", "id": "CVE-2026-41842", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-41842 is fixed in version 5.3.39-tuxcare.14 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39-tuxcare.14" } ] }, { "bom-ref": "urn:uuid:bafd4b0e-ffea-51f6-b65a-0574b73a2c34", "id": "CVE-2026-41843", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41843 affects version 5.3.39-tuxcare.14 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39-tuxcare.14" } ] }, { "bom-ref": "urn:uuid:6e762889-2ae7-5dda-aa28-50c96aff2bd9", "id": "CVE-2026-41844", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41844 affects version 5.3.39-tuxcare.14 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39-tuxcare.14" } ] }, { "bom-ref": "urn:uuid:6480c745-e4bd-5439-9168-e281b5d04a59", "id": "CVE-2026-41845", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-41845 is fixed in version 5.3.39-tuxcare.14 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39-tuxcare.14" } ] }, { "bom-ref": "urn:uuid:2f3bb5a3-5be9-508a-bf1b-e4739da3bc61", "id": "CVE-2026-41846", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-41846 is fixed in version 5.3.39-tuxcare.14 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39-tuxcare.14" } ] }, { "bom-ref": "urn:uuid:50906f05-a786-5503-9a16-2a9bdb3e6341", "id": "CVE-2026-41847", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41847 affects version 5.3.39-tuxcare.14 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39-tuxcare.14" } ] }, { "bom-ref": "urn:uuid:b29e6edb-b74e-50a1-9d60-b65fa1b5a905", "id": "CVE-2026-41848", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-41848 is fixed in version 5.3.39-tuxcare.14 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39-tuxcare.14" } ] }, { "bom-ref": "urn:uuid:ad3cbd7a-4919-5145-b00c-980b39bb8bad", "id": "CVE-2026-41849", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41849 affects version 5.3.39-tuxcare.14 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39-tuxcare.14" } ] }, { "bom-ref": "urn:uuid:6ae3e34b-76e9-5353-97f6-d23f621520fc", "id": "CVE-2026-41850", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41850 affects version 5.3.39-tuxcare.14 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39-tuxcare.14" } ] }, { "bom-ref": "urn:uuid:1c405cef-79de-5081-8d13-0f46adf885d3", "id": "CVE-2026-41851", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-41851 is fixed in version 5.3.39-tuxcare.14 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39-tuxcare.14" } ] }, { "bom-ref": "urn:uuid:35c5fc35-8f78-5ce5-997e-d77ae5a5ab67", "id": "CVE-2026-41852", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-41852 is fixed in version 5.3.39-tuxcare.14 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39-tuxcare.14" } ] }, { "bom-ref": "urn:uuid:15d043e1-83dc-5b32-aa2d-650b0c7870dc", "id": "CVE-2026-41853", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41853 affects version 5.3.39-tuxcare.14 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39-tuxcare.14" } ] }, { "bom-ref": "urn:uuid:f55e783f-db10-55ac-a09e-65f7ec43f493", "id": "CVE-2026-41855", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41855 affects version 5.3.39-tuxcare.14 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39-tuxcare.14" } ] } ], "dependencies": [ { "ref": "pkg:maven/org.springframework/spring-instrument@5.3.39-tuxcare.14" } ] }