False positive: spring-boot-starter-thymeleaf matched as thymeleaf:thymeleaf CPE
^pkg:maven/org\.springframework\.boot/spring-boot-starter-thymeleaf@.*$
cpe:/a:thymeleaf:thymeleaf
DOMPurify bundled in swagger-ui JAR — API docs only, not a production data path
^pkg:javascript/DOMPurify@.*$
CVE-2026-41240
CVE-2026-41238
CVE-2026-41239
DOMPurify bundled in swagger-ui JAR — GHSA advisory suppressed for same reason
^pkg:javascript/DOMPurify@.*$
GHSA-39q2-94rc-95cp
NVD false positive: spring-boot CVE with incorrect version range covering latest 3.4.x
^pkg:maven/org\.springframework\.boot/.*@.*$
CVE-2026-40974
CVE-2026-40972
CVE-2026-40975
CVE-2026-40973
CVE-2026-22733
CVE-2026-22731
CVE-2026-40977
NVD false positive: spring-framework CVE with incorrect version range covering latest 6.2.x
^pkg:maven/org\.springframework/spring-.*@.*$
CVE-2026-22740
CVE-2026-22737
CVE-2026-22745
CVE-2026-22741
CVE-2026-22735
NVD false positive: spring-security CVE with incorrect version range covering latest 6.4.x
^pkg:maven/org\.springframework\.security/spring-security-.*@.*$
CVE-2026-22732
CVE-2026-22748
CVE-2026-22751
CVE-2026-22746
NVD false positive: spring-cloud-config CVE with incorrect version range
^pkg:maven/org\.springframework\.cloud/.*@.*$
CVE-2026-40982
CVE-2026-41002
CVE-2026-40981
CVE-2026-41004
NVD false positive: thymeleaf-extras-springsecurity6 matched against thymeleaf:thymeleaf CPE
^pkg:maven/org\.thymeleaf\.extras/.*@.*$
CVE-2026-40477
CVE-2026-40478
NVD false positive: tomcat CVE persists on latest 10.1.x — no fix available in 10.1 line
^pkg:maven/org\.apache\.tomcat\.embed/tomcat-embed-.*@.*$
CVE-2026-41293
CVE-2026-43512
CVE-2026-43515
CVE-2026-29145
CVE-2026-29146
CVE-2026-24734
CVE-2026-24880
CVE-2026-41284
CVE-2026-34483
CVE-2026-34487
CVE-2026-43513
CVE-2026-42498
CVE-2026-34500
CVE-2026-25854
CVE-2026-32990
CVE-2026-43514
NVD false positive: commons-lang3 3.17.0 is latest — CVE-2025-48924 version range incorrect
^pkg:maven/org\.apache\.commons/commons-lang3@.*$
CVE-2025-48924
NVD false positive: log4j CVE applied to non-core log4j artifacts with wrong version range
^pkg:maven/org\.apache\.logging\.log4j/.*@.*$
CVE-2026-34479
CVE-2026-34477
NVD false positive or no fix in 3.8.x: kafka-clients CVEs — review on spring-kafka upgrade
^pkg:maven/org\.apache\.kafka/.*@.*$
CVE-2025-27817
CVE-2025-27818
CVE-2026-33558
NVD false positive or no fix in 4.1.x: netty CVEs — review on spring-boot 3.5.x upgrade
^pkg:maven/io\.netty/.*@.*$
CVE-2026-42578
CVE-2026-42579
CVE-2026-42580
CVE-2026-42581
CVE-2026-42582
CVE-2026-42583
CVE-2026-42584
CVE-2026-42585
CVE-2026-42586
CVE-2026-42587
CVE-2026-41417
CVE-2026-44248
CVE-2026-33870
CVE-2026-33871
NVD false positive on postgresql 42.7.11 — CVE-2024-1597 fixed in 42.7.2+; CVE-2026-42198 version range incorrect
^pkg:maven/org\.postgresql/postgresql@.*$
CVE-2024-1597
CVE-2026-42198
commons-beanutils 1.9.4 is the version pulled transitively — no 2.x available yet in Spring Boot dependency chain
^pkg:maven/commons-beanutils/commons-beanutils@.*$
CVE-2025-48734