{ "bomFormat": "CycloneDX", "specVersion": "1.5", "serialNumber": "urn:uuid:c86f6cef-ca9d-449b-a5f3-e1c018867a13", "version": 1, "metadata": { "timestamp": "2026-01-20T15:13:39Z", "authors": [ { "name": "Connext Security Team", "email": "security@rti.com" } ], "component": { "type": "framework", "bom-ref": "Connext (Other Products)", "supplier": { "name": "Real-Time Innovations, Inc. (RTI)", "url": [ "https://www.rti.com" ] }, "name": "Connext (Other Products)" }, "properties": [ { "name": "last_updated", "value": "2026-05-07T15:21:58Z" } ] }, "vulnerabilities": [ { "bom-ref": "CVE-2025-59375", "id": "CVE-2025-59375", "source": { "name": "NVD", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59375" }, "ratings": [ { "source": { "name": "cve@mitre.org" }, "score": 7.5, "severity": "high", "method": "CVSSv31", "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ], "cwes": [ 770 ], "description": "libexpat in Expat before 2.7.2 allows attackers to trigger large dynamic memory allocations via a small document that is submitted for parsing.", "published": "2025-09-15T03:15:40Z", "updated": "2026-05-01T15:16:33Z", "recommendation": "Update to an AUTOSAR Platform Integration Toolkit release that does not include the vulnerable version of this third-party software.", "analysis": { "state": "exploitable", "detail": "AUTOSAR Platform Integration Toolkit is affected by product issue APIT-467, which has a maximum CVSS 3.1 score of 5.5.", "firstIssued": "2025-11-24T12:30:19Z", "lastUpdated": "2026-03-05T11:02:44Z" }, "affects": [ { "ref": "AUTOSAR Toolkit" } ], "properties": [ { "name": "rti_id", "value": "THIRDPARTY-438" }, { "name": "xray_id", "value": "XRAY-736258" }, { "name": "rti_vulnerability_id", "value": "APIT-467" } ] }, { "bom-ref": "CVE-2025-66382", "id": "CVE-2025-66382", "source": { "name": "NVD", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66382" }, "ratings": [ { "source": { "name": "NVD", "url": "https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?name=CVE-2025-66382&vector=AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H&version=3.1" }, "score": 5.5, "severity": "medium", "method": "CVSSv31", "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" }, { "source": { "name": "cve@mitre.org" }, "score": 2.9, "severity": "low", "method": "CVSSv31", "vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L" } ], "cwes": [ 407 ], "description": "In libexpat through 2.7.3, a crafted file with an approximate size of 2 MiB can lead to dozens of seconds of processing time.", "published": "2025-11-28T07:15:57Z", "updated": "2025-12-19T16:05:03Z", "recommendation": "Update to an AUTOSAR Platform Integration Toolkit release that does not include the vulnerable version of this third-party software.", "analysis": { "state": "exploitable", "detail": "AUTOSAR Platform Integration Toolkit is affected by product issue APIT-473, which has a maximum CVSS 3.1 score of 5.5.", "firstIssued": "2026-02-26T12:30:19Z", "lastUpdated": "2026-03-05T11:04:10Z" }, "affects": [ { "ref": "AUTOSAR Toolkit" } ], "properties": [ { "name": "rti_id", "value": "THIRDPARTY-477" }, { "name": "xray_id", "value": "XRAY-905397" }, { "name": "rti_vulnerability_id", "value": "APIT-473" } ] }, { "bom-ref": "CVE-2026-24515", "id": "CVE-2026-24515", "source": { "name": "NVD", "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24515" }, "ratings": [ { "source": { "name": "cve@mitre.org" }, "score": 2.9, "severity": "low", "method": "CVSSv31", "vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "source": { "name": "NVD", "url": "https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?name=CVE-2026-24515&vector=AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L&version=3.1" }, "score": 2.5, "severity": "low", "method": "CVSSv31", "vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L" } ], "cwes": [ 476 ], "description": "In libexpat before 2.7.4, XML_ExternalEntityParserCreate does not copy unknown encoding handler user data.", "published": "2026-01-23T08:16:01Z", "updated": "2026-02-05T17:27:53Z", "analysis": { "state": "not_affected", "justification": "code_not_reachable", "detail": "XML_ExternalEntityParserCreate is not called, and it must be called to be affected.", "firstIssued": "2026-02-24T15:43:49Z", "lastUpdated": "2026-03-05T11:01:15Z" }, "affects": [ { "ref": "AUTOSAR Toolkit" } ], "properties": [ { "name": "rti_id", "value": "THIRDPARTY-523" }, { "name": "xray_id", "value": "XRAY-937930" } ] }, { "bom-ref": "CVE-2026-25210", "id": "CVE-2026-25210", "source": { "name": "NVD", "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25210" }, "ratings": [ { "source": { "name": "cve@mitre.org" }, "score": 6.9, "severity": "medium", "method": "CVSSv31", "vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L" } ], "cwes": [ 190 ], "description": "In libexpat before 2.7.4, the doContent function does not properly determine the buffer size bufSize because there is no integer overflow check for tag buffer reallocation.", "published": "2026-01-30T07:16:15Z", "updated": "2026-02-04T16:34:21Z", "recommendation": "Update to an AUTOSAR Platform Integration Toolkit release that does not include the vulnerable version of this third-party software.", "analysis": { "state": "exploitable", "detail": "AUTOSAR Platform Integration Toolkit is affected by product issue APIT-474, which has a maximum CVSS 3.1 score of 8.9.", "firstIssued": "2026-02-26T23:25:28Z", "lastUpdated": "2026-03-05T11:06:15Z" }, "affects": [ { "ref": "AUTOSAR Toolkit" } ], "properties": [ { "name": "rti_id", "value": "THIRDPARTY-523" }, { "name": "rti_vulnerability_id", "value": "APIT-474" } ] }, { "bom-ref": "CVE-2026-32776", "id": "CVE-2026-32776", "source": { "name": "NVD", "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32776" }, "ratings": [ { "source": { "name": "NVD", "url": "https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?name=CVE-2026-32776&vector=AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H&version=3.1" }, "score": 5.5, "severity": "medium", "method": "CVSSv31", "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "source": { "name": "cve@mitre.org" }, "score": 4.0, "severity": "medium", "method": "CVSSv31", "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" } ], "cwes": [ 476 ], "description": "libexpat before 2.7.5 allows a NULL pointer dereference with empty external parameter entity content.", "published": "2026-03-16T14:19:44Z", "updated": "2026-03-17T15:52:09Z", "analysis": { "state": "not_affected", "justification": "code_not_reachable", "detail": "The AUTOSAR Platform Integration Toolkit does not parse parameter entities or the external subset, because XML_PARAM_ENTITY_PARSING_NEVER is used.", "firstIssued": "2026-04-29T16:15:25Z", "lastUpdated": "2026-04-29T16:15:25Z" }, "affects": [ { "ref": "AUTOSAR Toolkit" } ], "properties": [ { "name": "rti_id", "value": "THIRDPARTY-543" }, { "name": "xray_id", "value": "XRAY-952582" } ] }, { "bom-ref": "CVE-2026-32777", "id": "CVE-2026-32777", "source": { "name": "NVD", "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32777" }, "ratings": [ { "source": { "name": "NVD", "url": "https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?name=CVE-2026-32777&vector=AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H&version=3.1" }, "score": 5.5, "severity": "medium", "method": "CVSSv31", "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "source": { "name": "cve@mitre.org" }, "score": 4.0, "severity": "medium", "method": "CVSSv31", "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" } ], "cwes": [ 835 ], "description": "libexpat before 2.7.5 allows an infinite loop while parsing DTD content.", "published": "2026-03-16T14:19:44Z", "updated": "2026-03-17T15:52:34Z", "analysis": { "state": "not_affected", "justification": "code_not_reachable", "detail": "The AUTOSAR Platform Integration Toolkit does not parse parameter entities or the external subset, because XML_PARAM_ENTITY_PARSING_NEVER is used.", "firstIssued": "2026-04-29T16:17:09Z", "lastUpdated": "2026-04-29T16:17:09Z" }, "affects": [ { "ref": "AUTOSAR Toolkit" } ], "properties": [ { "name": "rti_id", "value": "THIRDPARTY-543" }, { "name": "xray_id", "value": "XRAY-952586" } ] }, { "bom-ref": "CVE-2026-32778", "id": "CVE-2026-32778", "source": { "name": "NVD", "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32778" }, "ratings": [ { "source": { "name": "NVD", "url": "https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?name=CVE-2026-32778&vector=AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H&version=3.1" }, "score": 5.5, "severity": "medium", "method": "CVSSv31", "vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H" }, { "source": { "name": "cve@mitre.org" }, "score": 2.9, "severity": "low", "method": "CVSSv31", "vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L" } ], "cwes": [ 476 ], "description": "libexpat before 2.7.5 allows a NULL pointer dereference in the function setContext on retry after an earlier ouf-of-memory condition.", "published": "2026-03-16T14:19:44Z", "updated": "2026-03-17T15:52:53Z", "analysis": { "state": "not_affected", "justification": "code_not_reachable", "detail": "The AUTOSAR Platform Integration Toolkit does not use namespace processing (XML_ParserCreate is called with NULL separator), so the vulnerable setContext function is never invoked.", "firstIssued": "2026-04-29T16:18:43Z", "lastUpdated": "2026-04-29T16:18:43Z" }, "affects": [ { "ref": "AUTOSAR Toolkit" } ], "properties": [ { "name": "rti_id", "value": "THIRDPARTY-543" }, { "name": "xray_id", "value": "XRAY-952590" } ] }, { "bom-ref": "CVE-2026-41080", "id": "CVE-2026-41080", "source": { "name": "NVD", "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41080" }, "ratings": [ { "source": { "name": "CISA-ADP", "url": "https://github.com/cisagov/vulnrichment/blob/develop/2026/41xxx/CVE-2026-41080.json" }, "score": 7.5, "severity": "high", "method": "CVSSv31", "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "source": { "name": "cve@mitre.org" }, "score": 2.9, "severity": "low", "method": "CVSSv31", "vector": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L" } ], "cwes": [ 331 ], "description": "libexpat before 2.8.0 uses insufficient entropy, and thus hash flooding can occur via a crafted XML document.", "published": "2026-04-16T17:16:54Z", "updated": "2026-04-27T07:16:03Z", "recommendation": "Update to an AUTOSAR Platform Integration Toolkit release that does not include the vulnerable version of this third-party software.", "analysis": { "state": "exploitable", "detail": "AUTOSAR Platform Integration Toolkit is affected by product issue APIT-481, which has a maximum CVSS 3.1 score of 3.3.", "firstIssued": "2026-05-05T10:14:42Z", "lastUpdated": "2026-05-05T10:14:42Z" }, "affects": [ { "ref": "AUTOSAR Toolkit" } ], "properties": [ { "name": "rti_id", "value": "THIRDPARTY-588" }, { "name": "xray_id", "value": "XRAY-970039" }, { "name": "rti_vulnerability_id", "value": "APIT-481" } ] } ] }