Where does the CPE for CVE-2026-47838 come from

[marcelstoer]

The ODC report for CVE-2026-47838 reports that it got the following CPE from OSS Index

cpe:2.3:a:org.springframework.security:spring-security-web:6.5.11:*:*:*:*:*:*:*

Yet, neither the GUI at https://guide.sonatype.com/vulnerability/CVE-2026-47838 nor the OSS Index JSON report contain any CPE. I didn't find any other source that has a CPE for this CVE. Hence, where did ODC really get it from?

It wouldn't really bother me if the CPE were correct. However, CVE-2026-47838 was fixed with Spring Security 6.5.11 (CPE should state spring-security-web:6.5.**10**).

[chadlwilson]

CPEs are an identifier for a product like a PURL, but they are only used for NVD matching and de-duplication to my knowledge. I suspect that the report is perhaps just misleading here in highlighting the CPE as the canonical software identifier, maybe a side effect of ODC's CPE/NVD history.

The vuln is definitely coming from OssIndex/Sonatype Guide, which means it’s being matched by PURL. So the question is whether it's being returned incorrectly by Guide or whether ODC is sending the wrong PURL.

I have noticed quite a lot of churn in recently weeks in Guide data as they fix/correct/review the affected versions on various spring vulns so if you're caching data you might want to sanity check with an empty cache. If it's still there then, if you run with debug logging you can see PURLs is sending to Guide and see if that at least looks correct.

[chadlwilson]

@marcelstoer Sorry, when you say it should be spring-security-web:6.5.10 where are you getting this from? Can you share the file name, PURLs and evidence section? Which version are you actually using?

The version attempting to be reported here is the vulnerable software version, so if your version is detected as 6.5.11 and it thinks 6.5.11 is affected then that CPE isn't the problem (directly) - however I have seen some incorrect logic here where it takes the wrong affected version from upstream data sources (I have only seen it for nodeAudit analyzers though) so it's possible.

[marcelstoer]

I'm using 6.5.11 which Spring confirms is not vulnerable to CVE-2026-47838. This is consistent with the CVE description (NVD & Sonatype and our report).

...6.5.0 through 6.5.10.

(Unfortunately, neither the NVD nor the GHSA document the affected version ranges of this CVE in a structured way.)

[chadlwilson]

I understand it's confusing, but it's intentional that the "believed to be vulnerable" CPE version is displayed there. From the NVD case it's trying to show which actual CPE is the one which matches within NVD's CPE ranges.

To be less confusing, arguably when dealing with OSSIndex/Guide the PURL identifier should be emphasised but this problem is downstream of ODC's original NVD and CPE-specific design.

So the problem here is that 6.5.11 is not vulnerable and so that CVE shouldn't be showing up, not that it's displaying as 6.5.11. The issue is in the OSSIndex data/Sonatype analysis. Indeed, they think this version is vulnerable: https://guide.sonatype.com/component/maven/org.springframework.security%3Aspring-security-web/6.5.11/vulnerabilities

So it's either a difference of opinion, or an FP they need to resolve.