Severity by source
CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
Sparx Pro Cloud Server is vulnerable to a Race Condition in the /data_api/dl_internal_artifact.php endpoint. The application downloads the properties of the object pointed by guid parameter and saves loaded content in current location (__DIR__) under the specified name. An attacker with repository access can control both the filename and file contents, allowing the creation of a malicious PHP file in a current directory. Although the file is deleted after processing, a race condition exists: if the response transmission is delayed (e.g., via a large file or slow client connection), the file remains accessible. During this window, the attacker can issue a second request to execute the malicious PHP file, resulting in remote code execution.
The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version 6.1 (build 167) and below were tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable.
AnalysisAI
Remote code execution in Sparx Systems Pro Cloud Server (versions 0 through 6.1 build 167) is achievable by authenticated repository users via a race condition in the /data_api/dl_internal_artifact.php endpoint. An attacker who controls both the filename and contents of a downloaded artifact can briefly stage a malicious PHP file in the web root and execute it before cleanup, leading to full server compromise. No public exploit identified at time of analysis, but a detailed technical write-up published by CERT-PL and sploit.tech reduces the barrier to reproduction.
Technical ContextAI
The vulnerability resides in a PHP-based artifact download handler in Sparx Pro Cloud Server, a collaborative repository backend for Sparx Enterprise Architect modeling tools (CPE: cpe:2.3:a:sparx_systems:pro_cloud_server). The endpoint dl_internal_artifact.php fetches an object identified by the guid parameter and writes its contents to __DIR__ (the current script directory inside the web-accessible PHP application) using an attacker-controlled filename. The root cause is CWE-362 (Concurrent Execution Using Shared Resource with Improper Synchronization, aka TOCTOU): the write-then-delete sequence is not atomic with respect to concurrent HTTP requests, leaving a window where the file is present and executable by the PHP interpreter. Because the file lands inside a PHP-served directory rather than an isolated quarantine path, any window of exposure becomes code-execution-capable.
RemediationAI
No vendor-released patch identified at time of analysis - Sparx Systems did not respond to coordinated disclosure by CERT-PL, so administrators should contact the vendor directly for a fixed build and monitor https://sparxsystems.com/products/procloudserver/ for updates. As compensating controls, restrict network access to /data_api/dl_internal_artifact.php at a reverse proxy or WAF layer so that only trusted client IPs can reach it (side effect: may break legitimate remote Enterprise Architect clients that need the artifact API); tighten repository account provisioning and audit who currently holds repository access, since exploitation requires PR:L; and where feasible, configure the PHP runtime or web server to deny execution of .php files written to artifact-handling directories (side effect: may break legitimate features that rely on dynamic PHP in those paths). Refer to the technical advisories at https://cert.pl/en/posts/2026/05/CVE-2026-42096, https://sploit.tech/2026/05/19/Sparx-Enterprise-Architect-PCS.html, and https://efigo.pl/blog/CVE-2026-42096/ for detection guidance.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-362 – Race Condition
View allSame technique Race Condition
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30929
GHSA-qff4-m3j5-xcv5