{
  "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "serialNumber": "urn:uuid:97ede0ab-a087-5700-be0e-ee08037afc5d",
  "version": 1,
  "metadata": {
    "tools": [
      {
        "name": "tuxcare-vex-generator",
        "version": "1.0.0"
      }
    ]
  },
  "components": [
    {
      "bom-ref": "pkg:maven/org.springframework/spring-websocket@6.1.20-tuxcare.5",
      "type": "library",
      "group": "org.springframework",
      "name": "spring-websocket",
      "version": "6.1.20-tuxcare.5",
      "purl": "pkg:maven/org.springframework/spring-websocket@6.1.20-tuxcare.5"
    }
  ],
  "vulnerabilities": [
    {
      "bom-ref": "urn:uuid:29e47919-4abd-59c7-b972-3e1b12384db6",
      "id": "CVE-2025-22233",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2025-22233 affects version 6.1.20-tuxcare.5 of org.springframework:spring-websocket."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-websocket@6.1.20-tuxcare.5"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:c001af2b-0f5b-5aea-b9bd-58b4e34a3596",
      "id": "CVE-2025-41234",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2025-41234 is fixed in version 6.1.20-tuxcare.5 of org.springframework:spring-websocket."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-websocket@6.1.20-tuxcare.5"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:6f262a4c-f6b8-58b6-804a-d075148fa9b1",
      "id": "CVE-2025-41242",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2025-41242 affects version 6.1.20-tuxcare.5 of org.springframework:spring-websocket."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-websocket@6.1.20-tuxcare.5"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:ce80a5ce-8f76-5f8b-8a41-d57af09054ae",
      "id": "CVE-2025-41249",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2025-41249 affects version 6.1.20-tuxcare.5 of org.springframework:spring-websocket."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-websocket@6.1.20-tuxcare.5"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:fddfbafe-11c0-5fdd-938e-f2d787ffd1e6",
      "id": "CVE-2025-41254",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2025-41254 affects version 6.1.20-tuxcare.5 of org.springframework:spring-websocket."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-websocket@6.1.20-tuxcare.5"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:8ee3d4dc-a1ba-5c8e-b12a-395adff575ab",
      "id": "CVE-2026-22735",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2026-22735 is fixed in version 6.1.20-tuxcare.5 of org.springframework:spring-websocket."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-websocket@6.1.20-tuxcare.5"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:2d0f8b84-3ea5-58b8-87f5-72341992c3a7",
      "id": "CVE-2026-22737",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2026-22737 is fixed in version 6.1.20-tuxcare.5 of org.springframework:spring-websocket."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-websocket@6.1.20-tuxcare.5"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:0a14b04d-aa50-5e68-8c80-f28cdfdd799f",
      "id": "CVE-2026-22740",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2026-22740 is fixed in version 6.1.20-tuxcare.5 of org.springframework:spring-websocket."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-websocket@6.1.20-tuxcare.5"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:1337be00-ae29-5641-bc10-d5f4ebabaafa",
      "id": "CVE-2026-22741",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2026-22741 is fixed in version 6.1.20-tuxcare.5 of org.springframework:spring-websocket."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-websocket@6.1.20-tuxcare.5"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:32f3b3ef-9a4b-5861-9349-00f562fd3051",
      "id": "CVE-2026-22745",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2026-22745 is fixed in version 6.1.20-tuxcare.5 of org.springframework:spring-websocket."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-websocket@6.1.20-tuxcare.5"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:e56e435c-dd9f-53fe-89b4-59d20f86e501",
      "id": "CVE-2026-41838",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2026-41838 is fixed in version 6.1.20-tuxcare.5 of org.springframework:spring-websocket."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-websocket@6.1.20-tuxcare.5"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:02258441-4fa3-5797-a539-96a928280782",
      "id": "CVE-2026-41839",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2026-41839 is fixed in version 6.1.20-tuxcare.5 of org.springframework:spring-websocket."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-websocket@6.1.20-tuxcare.5"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:6c94abac-8456-59f6-accb-16e390df75bd",
      "id": "CVE-2026-41840",
      "analysis": {
        "state": "not_affected",
        "detail": "Vulnerability CVE-2026-41840 does not affect version 6.1.20-tuxcare.5 of org.springframework:spring-websocket. Reason: already_fixed \u2014 Spring Framework 6.1.20-tuxcare.4 already contains both doOnDiscard handlers that prevent the multipart memory leak vulnerability. The fixes were applied via TuxCare backport commit a6b78f2a1c on May 19, 2026 under CVE-2026-22740, which appears to be the same vulnerability as CVE-2026-41840 or a closely related one."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-websocket@6.1.20-tuxcare.5"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:34e6e0eb-b542-5434-8f9c-7387053a5be4",
      "id": "CVE-2026-41841",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-41841 affects version 6.1.20-tuxcare.5 of org.springframework:spring-websocket."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-websocket@6.1.20-tuxcare.5"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:995f53ee-f3d7-51d6-811c-9f56407940af",
      "id": "CVE-2026-41842",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2026-41842 is fixed in version 6.1.20-tuxcare.5 of org.springframework:spring-websocket."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-websocket@6.1.20-tuxcare.5"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:ae977323-e902-5852-869b-ed3286eb6b47",
      "id": "CVE-2026-41843",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-41843 affects version 6.1.20-tuxcare.5 of org.springframework:spring-websocket."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-websocket@6.1.20-tuxcare.5"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:43f93143-15cc-5fee-a52d-3e080b229c81",
      "id": "CVE-2026-41844",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-41844 affects version 6.1.20-tuxcare.5 of org.springframework:spring-websocket."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-websocket@6.1.20-tuxcare.5"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:20044ca5-d19b-5a0c-ab81-0d4055581989",
      "id": "CVE-2026-41845",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2026-41845 is fixed in version 6.1.20-tuxcare.5 of org.springframework:spring-websocket."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-websocket@6.1.20-tuxcare.5"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:6d38576f-56e3-55ff-9a6a-fe9cbdfc7bc2",
      "id": "CVE-2026-41846",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-41846 affects version 6.1.20-tuxcare.5 of org.springframework:spring-websocket."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-websocket@6.1.20-tuxcare.5"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:60a27ce2-306b-59fc-832a-8a4f87327fd7",
      "id": "CVE-2026-41848",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2026-41848 is fixed in version 6.1.20-tuxcare.5 of org.springframework:spring-websocket."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-websocket@6.1.20-tuxcare.5"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:dabb8750-8ebd-5067-b280-4258213ed5b6",
      "id": "CVE-2026-41850",
      "analysis": {
        "state": "resolved",
        "detail": "Vulnerability CVE-2026-41850 is fixed in version 6.1.20-tuxcare.5 of org.springframework:spring-websocket."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-websocket@6.1.20-tuxcare.5"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:063c8e9a-f295-5919-b41e-e1b69dfac818",
      "id": "CVE-2026-41851",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-41851 affects version 6.1.20-tuxcare.5 of org.springframework:spring-websocket."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-websocket@6.1.20-tuxcare.5"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:c6e02a2e-cfce-57b8-a153-04222c09d36e",
      "id": "CVE-2026-41852",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-41852 affects version 6.1.20-tuxcare.5 of org.springframework:spring-websocket."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-websocket@6.1.20-tuxcare.5"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:e3c50e5b-d77e-5656-9d45-8861d2f03fcb",
      "id": "CVE-2026-41853",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-41853 affects version 6.1.20-tuxcare.5 of org.springframework:spring-websocket."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-websocket@6.1.20-tuxcare.5"
        }
      ]
    },
    {
      "bom-ref": "urn:uuid:ee0b0b36-aa2d-5251-a3ab-51472b527552",
      "id": "CVE-2026-41855",
      "analysis": {
        "state": "exploitable",
        "detail": "Vulnerability CVE-2026-41855 affects version 6.1.20-tuxcare.5 of org.springframework:spring-websocket."
      },
      "affects": [
        {
          "ref": "pkg:maven/org.springframework/spring-websocket@6.1.20-tuxcare.5"
        }
      ]
    }
  ],
  "dependencies": [
    {
      "ref": "pkg:maven/org.springframework/spring-websocket@6.1.20-tuxcare.5"
    }
  ]
}