{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:57bee419-11ef-5d3c-a783-97c2d4156c03", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:maven/org.springframework/spring-web@6.1.20-tuxcare.5", "type": "library", "group": "org.springframework", "name": "spring-web", "version": "6.1.20-tuxcare.5", "purl": "pkg:maven/org.springframework/spring-web@6.1.20-tuxcare.5" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:814e9482-9f52-5c89-8e68-083a90d92480", "id": "CVE-2025-22233", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-22233 affects version 6.1.20-tuxcare.5 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@6.1.20-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:ec7596cb-480f-5f1f-9f95-570067b49167", "id": "CVE-2025-41234", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-41234 is fixed in version 6.1.20-tuxcare.5 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@6.1.20-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:8191b9e6-3171-5693-b577-bb995f3480fc", "id": "CVE-2025-41242", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41242 affects version 6.1.20-tuxcare.5 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@6.1.20-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:94149699-f74d-5ad6-9a63-46e69e2c439c", "id": "CVE-2025-41249", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41249 affects version 6.1.20-tuxcare.5 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@6.1.20-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:095a4c28-4a53-533c-90fa-a88a55a886f0", "id": "CVE-2025-41254", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41254 affects version 6.1.20-tuxcare.5 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@6.1.20-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:3dd0c1f1-18dc-5428-a9e5-b65a4c320f53", "id": "CVE-2026-22735", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22735 is fixed in version 6.1.20-tuxcare.5 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@6.1.20-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:15dbeb30-4588-5755-b38e-2162a6a17e93", "id": "CVE-2026-22737", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22737 is fixed in version 6.1.20-tuxcare.5 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@6.1.20-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:61598e9b-44f5-5dcc-bc63-5401cc3b74f3", "id": "CVE-2026-22740", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22740 is fixed in version 6.1.20-tuxcare.5 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@6.1.20-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:2c2c2797-c266-5a29-abcd-24fe1a084935", "id": "CVE-2026-22741", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22741 is fixed in version 6.1.20-tuxcare.5 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@6.1.20-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:fad73f11-1569-5bdb-b588-2c31673d5e71", "id": "CVE-2026-22745", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22745 is fixed in version 6.1.20-tuxcare.5 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@6.1.20-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:80b5e926-b886-5be9-a23e-9610a5a117a8", "id": "CVE-2026-41838", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-41838 is fixed in version 6.1.20-tuxcare.5 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@6.1.20-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:126a1e04-aec5-58d0-9ba6-e8a8b4067457", "id": "CVE-2026-41839", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-41839 is fixed in version 6.1.20-tuxcare.5 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@6.1.20-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:90904a0a-8877-5a89-b163-97bb1b0f8290", "id": "CVE-2026-41840", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41840 does not affect version 6.1.20-tuxcare.5 of org.springframework:spring-web. already_fixed \u2014 Spring Framework 6.1.20-tuxcare.4 already contains both doOnDiscard handlers that prevent the multipart memory leak vulnerability. The fixes were applied via TuxCare backport commit a6b78f2a1c on May 19, 2026 under CVE-2026-22740, which appears to be the same or closely related vulnerability as CVE-2026-41840." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@6.1.20-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:b45ca3f4-d5e0-54dc-9d13-74b939c1db9f", "id": "CVE-2026-41841", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41841 affects version 6.1.20-tuxcare.5 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@6.1.20-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:60eeeaf0-d05e-53a6-a6f5-c76f433f250f", "id": "CVE-2026-41842", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-41842 is fixed in version 6.1.20-tuxcare.5 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@6.1.20-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:812fdbaa-0ab8-587b-8e1f-a22ec3647b9c", "id": "CVE-2026-41843", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41843 affects version 6.1.20-tuxcare.5 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@6.1.20-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:0bcc1e5d-40a9-5ffe-ae63-f7ef53c591ec", "id": "CVE-2026-41844", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41844 affects version 6.1.20-tuxcare.5 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@6.1.20-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:a69a2172-194e-535d-b90a-4c6873d97ae3", "id": "CVE-2026-41845", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-41845 is fixed in version 6.1.20-tuxcare.5 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@6.1.20-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:ce84fdb0-1e90-5a0f-9862-777e2c0605dc", "id": "CVE-2026-41846", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41846 affects version 6.1.20-tuxcare.5 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@6.1.20-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:3a8c092c-d4a6-5a93-ae79-d9ea519a0871", "id": "CVE-2026-41848", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-41848 is fixed in version 6.1.20-tuxcare.5 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@6.1.20-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:75110e68-9a7d-5fe4-a5d5-e548293193e7", "id": "CVE-2026-41850", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-41850 is fixed in version 6.1.20-tuxcare.5 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@6.1.20-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:54f457bd-fa38-59ea-b51b-89d80fa0fe9d", "id": "CVE-2026-41851", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41851 affects version 6.1.20-tuxcare.5 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@6.1.20-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:b40851f4-781e-5c27-a950-22195b1d934a", "id": "CVE-2026-41852", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41852 affects version 6.1.20-tuxcare.5 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@6.1.20-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:64446cad-1bfd-5e11-8f2f-7c962a239712", "id": "CVE-2026-41853", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41853 affects version 6.1.20-tuxcare.5 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@6.1.20-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:ef9152b6-cf72-56e2-8443-5b9a3edb639f", "id": "CVE-2026-41855", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41855 affects version 6.1.20-tuxcare.5 of org.springframework:spring-web." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-web@6.1.20-tuxcare.5" } ] } ], "dependencies": [ { "ref": "pkg:maven/org.springframework/spring-web@6.1.20-tuxcare.5" } ] }