Skip to main content

Sparx Pro Cloud Server CVE-2026-42099

| EUVDEUVD-2026-30929 HIGH
Race Condition (CWE-362)
2026-05-19 CERT-PL GHSA-qff4-m3j5-xcv5
7.7
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
7.7 HIGH
CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
May 19, 2026 - 14:31 vuln.today

DescriptionCVE.org

Sparx Pro Cloud Server is vulnerable to a Race Condition in the /data_api/dl_internal_artifact.php endpoint. The application downloads the properties of the object pointed by guid parameter and saves loaded content in current location (__DIR__) under the specified name. An attacker with repository access can control both the filename and file contents, allowing the creation of a malicious PHP file in a current directory. Although the file is deleted after processing, a race condition exists: if the response transmission is delayed (e.g., via a large file or slow client connection), the file remains accessible. During this window, the attacker can issue a second request to execute the malicious PHP file, resulting in remote code execution.

The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version 6.1 (build 167) and below were tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable.

AnalysisAI

Remote code execution in Sparx Systems Pro Cloud Server (versions 0 through 6.1 build 167) is achievable by authenticated repository users via a race condition in the /data_api/dl_internal_artifact.php endpoint. An attacker who controls both the filename and contents of a downloaded artifact can briefly stage a malicious PHP file in the web root and execute it before cleanup, leading to full server compromise. No public exploit identified at time of analysis, but a detailed technical write-up published by CERT-PL and sploit.tech reduces the barrier to reproduction.

Technical ContextAI

The vulnerability resides in a PHP-based artifact download handler in Sparx Pro Cloud Server, a collaborative repository backend for Sparx Enterprise Architect modeling tools (CPE: cpe:2.3:a:sparx_systems:pro_cloud_server). The endpoint dl_internal_artifact.php fetches an object identified by the guid parameter and writes its contents to __DIR__ (the current script directory inside the web-accessible PHP application) using an attacker-controlled filename. The root cause is CWE-362 (Concurrent Execution Using Shared Resource with Improper Synchronization, aka TOCTOU): the write-then-delete sequence is not atomic with respect to concurrent HTTP requests, leaving a window where the file is present and executable by the PHP interpreter. Because the file lands inside a PHP-served directory rather than an isolated quarantine path, any window of exposure becomes code-execution-capable.

RemediationAI

No vendor-released patch identified at time of analysis - Sparx Systems did not respond to coordinated disclosure by CERT-PL, so administrators should contact the vendor directly for a fixed build and monitor https://sparxsystems.com/products/procloudserver/ for updates. As compensating controls, restrict network access to /data_api/dl_internal_artifact.php at a reverse proxy or WAF layer so that only trusted client IPs can reach it (side effect: may break legitimate remote Enterprise Architect clients that need the artifact API); tighten repository account provisioning and audit who currently holds repository access, since exploitation requires PR:L; and where feasible, configure the PHP runtime or web server to deny execution of .php files written to artifact-handling directories (side effect: may break legitimate features that rely on dynamic PHP in those paths). Refer to the technical advisories at https://cert.pl/en/posts/2026/05/CVE-2026-42096, https://sploit.tech/2026/05/19/Sparx-Enterprise-Architect-PCS.html, and https://efigo.pl/blog/CVE-2026-42096/ for detection guidance.

More in PHP

View all
CVE-2012-1823 CRITICAL POC
9.8 May 11

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not

CVE-2016-1555 CRITICAL POC
9.8 Apr 21

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear

CVE-2024-11680 CRITICAL POC
9.8 Nov 26

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C

CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2017-9841 CRITICAL POC
9.8 Jun 27

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c

CVE-2025-0108 HIGH POC
8.8 Feb 12

Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers

CVE-2021-25298 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2021-25296 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2013-4983 CRITICAL POC
10.0 Sep 10

The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-46506 CRITICAL POC
10.0 May 13

NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

Share

CVE-2026-42099 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy