{ "$schema": "http://cyclonedx.org/schema/bom-1.6.schema.json", "bomFormat": "CycloneDX", "specVersion": "1.6", "serialNumber": "urn:uuid:d20b2885-7bb0-5d40-b80f-b1e071439803", "version": 1, "metadata": { "tools": [ { "name": "tuxcare-vex-generator", "version": "1.0.0" } ] }, "components": [ { "bom-ref": "pkg:maven/org.springframework/spring-websocket@6.1.20-tuxcare.6", "type": "library", "group": "org.springframework", "name": "spring-websocket", "version": "6.1.20-tuxcare.6", "purl": "pkg:maven/org.springframework/spring-websocket@6.1.20-tuxcare.6" } ], "vulnerabilities": [ { "bom-ref": "urn:uuid:3758246c-98f3-526e-bce6-4c080c20d147", "id": "CVE-2025-22233", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-22233 affects version 6.1.20-tuxcare.6 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@6.1.20-tuxcare.6" } ] }, { "bom-ref": "urn:uuid:3746e953-d29a-5674-8089-8cc9a848c633", "id": "CVE-2025-41234", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2025-41234 is fixed in version 6.1.20-tuxcare.6 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@6.1.20-tuxcare.6" } ] }, { "bom-ref": "urn:uuid:ef8b70c7-0802-58c7-a3c2-97d4d4b640d9", "id": "CVE-2025-41242", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41242 affects version 6.1.20-tuxcare.6 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@6.1.20-tuxcare.6" } ] }, { "bom-ref": "urn:uuid:739baa29-003e-511d-98ee-24d3ca23cff3", "id": "CVE-2025-41249", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41249 affects version 6.1.20-tuxcare.6 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@6.1.20-tuxcare.6" } ] }, { "bom-ref": "urn:uuid:b5d950c6-3739-532d-b9aa-a0e1843a94b2", "id": "CVE-2025-41254", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2025-41254 affects version 6.1.20-tuxcare.6 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@6.1.20-tuxcare.6" } ] }, { "bom-ref": "urn:uuid:2abf0781-567a-597c-ab5d-ca297ac1f651", "id": "CVE-2026-22735", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22735 is fixed in version 6.1.20-tuxcare.6 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@6.1.20-tuxcare.6" } ] }, { "bom-ref": "urn:uuid:8bbb5289-ecbd-584b-a6ae-a9491c35b9bc", "id": "CVE-2026-22737", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22737 is fixed in version 6.1.20-tuxcare.6 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@6.1.20-tuxcare.6" } ] }, { "bom-ref": "urn:uuid:99888113-d55f-5269-9821-af9511cee977", "id": "CVE-2026-22740", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22740 is fixed in version 6.1.20-tuxcare.6 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@6.1.20-tuxcare.6" } ] }, { "bom-ref": "urn:uuid:4f7a4dee-4fdc-5bb2-8269-9977a7babc4e", "id": "CVE-2026-22741", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22741 is fixed in version 6.1.20-tuxcare.6 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@6.1.20-tuxcare.6" } ] }, { "bom-ref": "urn:uuid:39dfceaf-e9d6-5527-bdc3-040abe5e4ebc", "id": "CVE-2026-22745", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-22745 is fixed in version 6.1.20-tuxcare.6 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@6.1.20-tuxcare.6" } ] }, { "bom-ref": "urn:uuid:979a90e4-a156-5f31-87e9-f8e2b3c398ad", "id": "CVE-2026-41838", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-41838 is fixed in version 6.1.20-tuxcare.6 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@6.1.20-tuxcare.6" } ] }, { "bom-ref": "urn:uuid:975c56cf-5751-5736-b778-b155cce38b1f", "id": "CVE-2026-41839", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-41839 is fixed in version 6.1.20-tuxcare.6 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@6.1.20-tuxcare.6" } ] }, { "bom-ref": "urn:uuid:cd24c5fb-5aa2-5b92-b8a8-202b846bc71a", "id": "CVE-2026-41840", "analysis": { "state": "not_affected", "detail": "Vulnerability CVE-2026-41840 does not affect version 6.1.20-tuxcare.6 of org.springframework:spring-websocket. already_fixed \u2014 Spring Framework 6.1.20-tuxcare.4 already contains both doOnDiscard handlers that prevent the multipart memory leak vulnerability. The fixes were applied via TuxCare backport commit a6b78f2a1c on May 19, 2026 under CVE-2026-22740, which appears to be the same or closely related vulnerability as CVE-2026-41840." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@6.1.20-tuxcare.6" } ] }, { "bom-ref": "urn:uuid:837d21dd-c672-5569-a4ad-af0f4aa71eb0", "id": "CVE-2026-41841", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41841 affects version 6.1.20-tuxcare.6 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@6.1.20-tuxcare.6" } ] }, { "bom-ref": "urn:uuid:1bbb3500-b724-537d-9618-3bb095bed3f1", "id": "CVE-2026-41842", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-41842 is fixed in version 6.1.20-tuxcare.6 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@6.1.20-tuxcare.6" } ] }, { "bom-ref": "urn:uuid:5d03f9aa-26ae-5e65-8879-8847e1bf358d", "id": "CVE-2026-41843", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41843 affects version 6.1.20-tuxcare.6 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@6.1.20-tuxcare.6" } ] }, { "bom-ref": "urn:uuid:526fffee-e111-5fc5-9d64-fb9ba5ebb00a", "id": "CVE-2026-41844", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41844 affects version 6.1.20-tuxcare.6 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@6.1.20-tuxcare.6" } ] }, { "bom-ref": "urn:uuid:bd392c5f-ebd2-5312-b4d9-83b09ff4461c", "id": "CVE-2026-41845", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-41845 is fixed in version 6.1.20-tuxcare.6 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@6.1.20-tuxcare.6" } ] }, { "bom-ref": "urn:uuid:1b603f31-d2c3-5bad-870d-e8862dbf7a84", "id": "CVE-2026-41846", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-41846 is fixed in version 6.1.20-tuxcare.6 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@6.1.20-tuxcare.6" } ] }, { "bom-ref": "urn:uuid:429e7b05-48c8-5f52-8b48-f874c36549b8", "id": "CVE-2026-41848", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-41848 is fixed in version 6.1.20-tuxcare.6 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@6.1.20-tuxcare.6" } ] }, { "bom-ref": "urn:uuid:ec40b5f1-ec70-50bc-a407-33ab28c31caa", "id": "CVE-2026-41850", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-41850 is fixed in version 6.1.20-tuxcare.6 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@6.1.20-tuxcare.6" } ] }, { "bom-ref": "urn:uuid:c9ff2d97-250d-55ea-9661-38b9c920cfad", "id": "CVE-2026-41851", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41851 affects version 6.1.20-tuxcare.6 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@6.1.20-tuxcare.6" } ] }, { "bom-ref": "urn:uuid:cd89757b-8bab-559f-9f2e-3743cc919b11", "id": "CVE-2026-41852", "analysis": { "state": "resolved", "detail": "Vulnerability CVE-2026-41852 is fixed in version 6.1.20-tuxcare.6 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@6.1.20-tuxcare.6" } ] }, { "bom-ref": "urn:uuid:04239d49-9624-58c6-92c1-1b5302c58be6", "id": "CVE-2026-41853", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41853 affects version 6.1.20-tuxcare.6 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@6.1.20-tuxcare.6" } ] }, { "bom-ref": "urn:uuid:b992284c-6b26-5908-8e72-0fe9eb9b48c0", "id": "CVE-2026-41855", "analysis": { "state": "exploitable", "detail": "Vulnerability CVE-2026-41855 affects version 6.1.20-tuxcare.6 of org.springframework:spring-websocket." }, "affects": [ { "ref": "pkg:maven/org.springframework/spring-websocket@6.1.20-tuxcare.6" } ] } ], "dependencies": [ { "ref": "pkg:maven/org.springframework/spring-websocket@6.1.20-tuxcare.6" } ] }