{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:91602520-817d-5965-828e-46e71d1c319c", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:maven/org.springframework/spring-jcl@6.1.20-tuxcare.6", "type": "library", "group": "org.springframework", "name": "spring-jcl", "version": "6.1.20-tuxcare.6", "purl": "pkg:maven/org.springframework/spring-jcl@6.1.20-tuxcare.6" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:a3d62d4b-023a-5e17-b68a-aa15b966be61", "id": "CVE-2025-22233", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-22233 affects version 6.1.20-tuxcare.6 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@6.1.20-tuxcare.6" } ] }, { "bom-ref": "urn:uuid:bbbac2cc-705a-51d4-b41a-d73956628d04", "id": "CVE-2025-41234", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-41234 is fixed in version 6.1.20-tuxcare.6 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@6.1.20-tuxcare.6" } ] }, { "bom-ref": "urn:uuid:2ede4069-458d-5b3f-a295-0110e486391c", "id": "CVE-2025-41242", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41242 affects version 6.1.20-tuxcare.6 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@6.1.20-tuxcare.6" } ] }, { "bom-ref": "urn:uuid:c6739fab-3f3c-5743-b430-c1ae0c211f53", "id": "CVE-2025-41249", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41249 affects version 6.1.20-tuxcare.6 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@6.1.20-tuxcare.6" } ] }, { "bom-ref": "urn:uuid:44100ff6-679b-50da-b52d-a95786e20adb", "id": "CVE-2025-41254", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41254 affects version 6.1.20-tuxcare.6 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@6.1.20-tuxcare.6" } ] }, { "bom-ref": "urn:uuid:3945ca47-e49c-56c1-b9bf-aa0315d4ef1f", "id": "CVE-2026-22735", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22735 is fixed in version 6.1.20-tuxcare.6 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@6.1.20-tuxcare.6" } ] }, { "bom-ref": "urn:uuid:95e00d36-bc46-5380-bd6b-37ec3c885a1a", "id": "CVE-2026-22737", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22737 is fixed in version 6.1.20-tuxcare.6 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@6.1.20-tuxcare.6" } ] }, { "bom-ref": "urn:uuid:e482160f-6ee0-52ec-8a35-1793ff4ef9ec", "id": "CVE-2026-22740", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22740 is fixed in version 6.1.20-tuxcare.6 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@6.1.20-tuxcare.6" } ] }, { "bom-ref": "urn:uuid:4acbc11a-7a8a-5abe-8368-d8d1300d82bf", "id": "CVE-2026-22741", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22741 is fixed in version 6.1.20-tuxcare.6 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@6.1.20-tuxcare.6" } ] }, { "bom-ref": "urn:uuid:ec6bd258-84af-5b95-9459-666e7a551424", "id": "CVE-2026-22745", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22745 is fixed in version 6.1.20-tuxcare.6 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@6.1.20-tuxcare.6" } ] }, { "bom-ref": "urn:uuid:efa91bb5-db8c-5975-9618-010297976774", "id": "CVE-2026-41838", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-41838 is fixed in version 6.1.20-tuxcare.6 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@6.1.20-tuxcare.6" } ] }, { "bom-ref": "urn:uuid:24316842-c531-53b4-9576-12d9d1c29625", "id": "CVE-2026-41839", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-41839 is fixed in version 6.1.20-tuxcare.6 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@6.1.20-tuxcare.6" } ] }, { "bom-ref": "urn:uuid:620dcb7c-436d-5b75-a4ed-951a7dc86513", "id": "CVE-2026-41840", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41840 does not affect version 6.1.20-tuxcare.6 of org.springframework:spring-jcl. already_fixed \u2014 Spring Framework 6.1.20-tuxcare.4 already contains both doOnDiscard handlers that prevent the multipart memory leak vulnerability. The fixes were applied via TuxCare backport commit a6b78f2a1c on May 19, 2026 under CVE-2026-22740, which appears to be the same or closely related vulnerability as CVE-2026-41840." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@6.1.20-tuxcare.6" } ] }, { "bom-ref": "urn:uuid:54996c7b-e20a-58b4-80f0-3663725a5594", "id": "CVE-2026-41841", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41841 affects version 6.1.20-tuxcare.6 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@6.1.20-tuxcare.6" } ] }, { "bom-ref": "urn:uuid:c0debcd6-e95a-580b-8dae-8019d2974eb4", "id": "CVE-2026-41842", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-41842 is fixed in version 6.1.20-tuxcare.6 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@6.1.20-tuxcare.6" } ] }, { "bom-ref": "urn:uuid:79fecece-ea4a-5fff-9e53-c1554c0ebae4", "id": "CVE-2026-41843", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41843 affects version 6.1.20-tuxcare.6 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@6.1.20-tuxcare.6" } ] }, { "bom-ref": "urn:uuid:a4708ba1-613d-5c8e-afec-619c1c5af4f6", "id": "CVE-2026-41844", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41844 affects version 6.1.20-tuxcare.6 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@6.1.20-tuxcare.6" } ] }, { "bom-ref": "urn:uuid:b2166ce2-b878-50ec-b7ef-95ea40b44b11", "id": "CVE-2026-41845", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-41845 is fixed in version 6.1.20-tuxcare.6 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@6.1.20-tuxcare.6" } ] }, { "bom-ref": "urn:uuid:1adc4be9-42a4-5020-ad75-e902013106f0", "id": "CVE-2026-41846", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-41846 is fixed in version 6.1.20-tuxcare.6 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@6.1.20-tuxcare.6" } ] }, { "bom-ref": "urn:uuid:cacb6d0d-5959-52fc-a54f-1dfb98ebc4ba", "id": "CVE-2026-41848", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-41848 is fixed in version 6.1.20-tuxcare.6 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@6.1.20-tuxcare.6" } ] }, { "bom-ref": "urn:uuid:c6beb108-6aab-5af7-b1bb-bc1db8e09582", "id": "CVE-2026-41850", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-41850 is fixed in version 6.1.20-tuxcare.6 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@6.1.20-tuxcare.6" } ] }, { "bom-ref": "urn:uuid:060f5e5b-c62e-5bd1-9152-5d790f7b3bdc", "id": "CVE-2026-41851", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41851 affects version 6.1.20-tuxcare.6 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@6.1.20-tuxcare.6" } ] }, { "bom-ref": "urn:uuid:efe00365-fccc-5463-b373-9d433f664939", "id": "CVE-2026-41852", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-41852 is fixed in version 6.1.20-tuxcare.6 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@6.1.20-tuxcare.6" } ] }, { "bom-ref": "urn:uuid:bf0bb035-58fb-52e6-8763-4f2a400bfe3d", "id": "CVE-2026-41853", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41853 affects version 6.1.20-tuxcare.6 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@6.1.20-tuxcare.6" } ] }, { "bom-ref": "urn:uuid:52d1a48b-8907-5011-90ee-49d5f13911b6", "id": "CVE-2026-41855", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41855 affects version 6.1.20-tuxcare.6 of org.springframework:spring-jcl." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-jcl@6.1.20-tuxcare.6" } ] } ], "dependencies": [ { "ref": "pkg:maven/org.springframework/spring-jcl@6.1.20-tuxcare.6" } ] }