{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:d6c70c53-5941-544f-b789-362a475d9a6d", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:maven/org.springframework/spring-instrument@6.1.20-tuxcare.5", "type": "library", "group": "org.springframework", "name": "spring-instrument", "version": "6.1.20-tuxcare.5", "purl": "pkg:maven/org.springframework/spring-instrument@6.1.20-tuxcare.5" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:265d8ac3-df6a-59a4-87d1-dcba84bcdfde", "id": "CVE-2025-22233", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-22233 affects version 6.1.20-tuxcare.5 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@6.1.20-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:4f39a5f9-c797-5eed-acb9-fb76fb170392", "id": "CVE-2025-41234", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-41234 is fixed in version 6.1.20-tuxcare.5 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@6.1.20-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:dfc9a21d-1250-5c7e-ae33-94bb890b4901", "id": "CVE-2025-41242", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41242 affects version 6.1.20-tuxcare.5 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@6.1.20-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:2fbe6220-a844-5b05-bc81-ac23121d7d12", "id": "CVE-2025-41249", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41249 affects version 6.1.20-tuxcare.5 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@6.1.20-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:26cc76f9-6c49-5be6-b741-f2f466c74b5f", "id": "CVE-2025-41254", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41254 affects version 6.1.20-tuxcare.5 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@6.1.20-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:c6ebe087-9fea-51f1-9a1a-8142f24dc829", "id": "CVE-2026-22735", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22735 is fixed in version 6.1.20-tuxcare.5 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@6.1.20-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:376cf4f5-ca2f-50f8-a6f8-4d243f7b3782", "id": "CVE-2026-22737", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22737 is fixed in version 6.1.20-tuxcare.5 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@6.1.20-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:2fa99c0b-dce8-53d0-9262-8374bf89c337", "id": "CVE-2026-22740", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22740 is fixed in version 6.1.20-tuxcare.5 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@6.1.20-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:3109eb5c-92a5-55d6-be71-0fc7cccb43ab", "id": "CVE-2026-22741", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22741 is fixed in version 6.1.20-tuxcare.5 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@6.1.20-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:19fd330c-fdac-5fb1-a5fc-5a491921a2b6", "id": "CVE-2026-22745", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22745 is fixed in version 6.1.20-tuxcare.5 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@6.1.20-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:01b1ed99-7188-5d89-9f92-f94d0c7b8c89", "id": "CVE-2026-41838", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-41838 is fixed in version 6.1.20-tuxcare.5 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@6.1.20-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:b87829b8-b0f9-5c90-b34f-a347c57f4296", "id": "CVE-2026-41839", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-41839 is fixed in version 6.1.20-tuxcare.5 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@6.1.20-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:bb1f64f3-4b36-516d-bd83-4edca476b094", "id": "CVE-2026-41840", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41840 does not affect version 6.1.20-tuxcare.5 of org.springframework:spring-instrument. already_fixed \u2014 Spring Framework 6.1.20-tuxcare.4 already contains both doOnDiscard handlers that prevent the multipart memory leak vulnerability. The fixes were applied via TuxCare backport commit a6b78f2a1c on May 19, 2026 under CVE-2026-22740, which appears to be the same or closely related vulnerability as CVE-2026-41840." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@6.1.20-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:86167b01-be5d-50cd-be96-1b0cf7dfa0ff", "id": "CVE-2026-41841", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41841 affects version 6.1.20-tuxcare.5 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@6.1.20-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:5a2afab7-092d-5b88-a989-4cbd2f35e98b", "id": "CVE-2026-41842", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-41842 is fixed in version 6.1.20-tuxcare.5 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@6.1.20-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:e4673e45-4343-5032-863e-942c70d2f36d", "id": "CVE-2026-41843", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41843 affects version 6.1.20-tuxcare.5 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@6.1.20-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:ab82a42d-c934-5a58-a2a9-f14f6d560bf7", "id": "CVE-2026-41844", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41844 affects version 6.1.20-tuxcare.5 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@6.1.20-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:6c54820e-95cd-59ac-b475-df2a0b383a1e", "id": "CVE-2026-41845", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-41845 is fixed in version 6.1.20-tuxcare.5 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@6.1.20-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:674ecb3e-6f93-5133-966c-0f3e350e6eab", "id": "CVE-2026-41846", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41846 affects version 6.1.20-tuxcare.5 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@6.1.20-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:63f3c497-353b-5e9f-8a69-1eb7715f5994", "id": "CVE-2026-41848", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-41848 is fixed in version 6.1.20-tuxcare.5 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@6.1.20-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:ac6bc3cb-9c12-5a98-ac5d-85f682104bbc", "id": "CVE-2026-41850", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-41850 is fixed in version 6.1.20-tuxcare.5 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@6.1.20-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:9cc5ef18-57fc-54ae-ac31-e918cbf9e3a4", "id": "CVE-2026-41851", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41851 affects version 6.1.20-tuxcare.5 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@6.1.20-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:aa959e36-632f-5ba7-a707-a2c42a85caa3", "id": "CVE-2026-41852", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41852 affects version 6.1.20-tuxcare.5 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@6.1.20-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:d2ed3cdb-8ed6-5b67-92c9-f1810b5c40a5", "id": "CVE-2026-41853", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41853 affects version 6.1.20-tuxcare.5 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@6.1.20-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:829ca203-585a-5eb2-8a53-d0c4b196f96f", "id": "CVE-2026-41855", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41855 affects version 6.1.20-tuxcare.5 of org.springframework:spring-instrument." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-instrument@6.1.20-tuxcare.5" } ] } ], "dependencies": [ { "ref": "pkg:maven/org.springframework/spring-instrument@6.1.20-tuxcare.5" } ] }