{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:45301b15-e373-5563-b778-4fee9a5e4910", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:maven/org.springframework/spring-webflux@6.1.20-tuxcare.5", "type": "library", "group": "org.springframework", "name": "spring-webflux", "version": "6.1.20-tuxcare.5", "purl": "pkg:maven/org.springframework/spring-webflux@6.1.20-tuxcare.5" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:67476b2c-5762-5ebb-bfe9-42556a10a20f", "id": "CVE-2025-22233", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-22233 affects version 6.1.20-tuxcare.5 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@6.1.20-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:a1d8cc4b-cb15-590e-a7c9-258350086a68", "id": "CVE-2025-41234", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-41234 is fixed in version 6.1.20-tuxcare.5 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@6.1.20-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:4ed61da4-24d9-5a91-ae24-c199a340d3e7", "id": "CVE-2025-41242", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41242 affects version 6.1.20-tuxcare.5 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@6.1.20-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:19165c98-c143-5856-8365-03146eb7bfe9", "id": "CVE-2025-41249", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41249 affects version 6.1.20-tuxcare.5 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@6.1.20-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:3bb69e3c-7013-5381-bd8c-5f7681da5e9c", "id": "CVE-2025-41254", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41254 affects version 6.1.20-tuxcare.5 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@6.1.20-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:9c0b2a8c-3fce-56ec-8c79-428ef11ac1d8", "id": "CVE-2026-22735", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22735 is fixed in version 6.1.20-tuxcare.5 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@6.1.20-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:bdbaede2-7f5f-5ff3-9d66-56f4cca31910", "id": "CVE-2026-22737", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22737 is fixed in version 6.1.20-tuxcare.5 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@6.1.20-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:0fc8b555-1b69-55b2-9cd3-c5874aae4a4e", "id": "CVE-2026-22740", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22740 is fixed in version 6.1.20-tuxcare.5 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@6.1.20-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:9721bc23-7226-590a-9874-8c38bf12eb5a", "id": "CVE-2026-22741", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22741 is fixed in version 6.1.20-tuxcare.5 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@6.1.20-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:e42bea44-6258-5852-bd3f-97606691ec77", "id": "CVE-2026-22745", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22745 is fixed in version 6.1.20-tuxcare.5 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@6.1.20-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:8f1370c9-0b3f-576d-a43f-1dc76944b077", "id": "CVE-2026-41838", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-41838 is fixed in version 6.1.20-tuxcare.5 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@6.1.20-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:fc0d394e-73c9-5992-a46e-002b37e4ffe8", "id": "CVE-2026-41839", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-41839 is fixed in version 6.1.20-tuxcare.5 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@6.1.20-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:b7a01e74-cb66-5a67-b48e-46314a4e80df", "id": "CVE-2026-41840", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41840 does not affect version 6.1.20-tuxcare.5 of org.springframework:spring-webflux. already_fixed \u2014 Spring Framework 6.1.20-tuxcare.4 already contains both doOnDiscard handlers that prevent the multipart memory leak vulnerability. The fixes were applied via TuxCare backport commit a6b78f2a1c on May 19, 2026 under CVE-2026-22740, which appears to be the same or closely related vulnerability as CVE-2026-41840." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@6.1.20-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:ac39dff5-b5c1-562b-aec5-79213dd3af6f", "id": "CVE-2026-41841", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41841 affects version 6.1.20-tuxcare.5 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@6.1.20-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:2769b335-20c3-5996-ae19-7b3aec526124", "id": "CVE-2026-41842", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-41842 is fixed in version 6.1.20-tuxcare.5 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@6.1.20-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:d9878490-4599-55eb-ae4d-1bf6aea5782f", "id": "CVE-2026-41843", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41843 affects version 6.1.20-tuxcare.5 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@6.1.20-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:9556c061-1814-554e-b28d-38edfa1d46e8", "id": "CVE-2026-41844", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41844 affects version 6.1.20-tuxcare.5 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@6.1.20-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:102bc36d-aa3a-5699-ad9e-9a2178f79df8", "id": "CVE-2026-41845", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-41845 is fixed in version 6.1.20-tuxcare.5 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@6.1.20-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:c186045b-5126-5e28-be64-a6d364a66674", "id": "CVE-2026-41846", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41846 affects version 6.1.20-tuxcare.5 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@6.1.20-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:b47f73a7-7aa1-520b-8010-d8c63e959930", "id": "CVE-2026-41848", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-41848 is fixed in version 6.1.20-tuxcare.5 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@6.1.20-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:cb25260b-b29d-5f9c-9d2a-2db25dc37995", "id": "CVE-2026-41850", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-41850 is fixed in version 6.1.20-tuxcare.5 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@6.1.20-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:621e1c40-5272-5f4b-88e7-3a4f8123de3d", "id": "CVE-2026-41851", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41851 affects version 6.1.20-tuxcare.5 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@6.1.20-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:36d3028a-53e4-52e1-a345-17e787fd9a67", "id": "CVE-2026-41852", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41852 affects version 6.1.20-tuxcare.5 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@6.1.20-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:05837706-4517-5793-957c-2fe5dfde4840", "id": "CVE-2026-41853", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41853 affects version 6.1.20-tuxcare.5 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@6.1.20-tuxcare.5" } ] }, { "bom-ref": "urn:uuid:34d35504-f17e-5c1a-886a-b2220a822856", "id": "CVE-2026-41855", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41855 affects version 6.1.20-tuxcare.5 of org.springframework:spring-webflux." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-webflux@6.1.20-tuxcare.5" } ] } ], "dependencies": [ { "ref": "pkg:maven/org.springframework/spring-webflux@6.1.20-tuxcare.5" } ] }