Skip to main content

Sparx Pro Cloud Server EUVDEUVD-2026-30932

| CVE-2026-42100 HIGH
Improper Handling of Syntactically Invalid Structure (CWE-228)
2026-05-19 CERT-PL GHSA-r2pf-hp27-79jw
7.1
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
May 19, 2026 - 14:32 vuln.today

DescriptionCVE.org

Improper Handling of Syntactically Invalid Structure in Sparx Pro Cloud Server allows Denial of Service (DoS) attack to be executed by sending an specially crafted SQL query. This causes the Pro Cloud Server service to terminate unexpectedly.

The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version 6.1 (build 167) and below were tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable.

AnalysisAI

Denial of service in Sparx Systems Pro Cloud Server 6.1 (build 167) and earlier allows authenticated remote attackers to crash the service by submitting a specially crafted SQL query that the server fails to parse safely. The flaw, reported by CERT-PL, results in unexpected termination of the Pro Cloud Server process, and no public exploit identified at time of analysis. The vendor did not respond to disclosure, so the full vulnerable version range remains unconfirmed.

Technical ContextAI

Pro Cloud Server is the back-end service from Sparx Systems that brokers model repository access for Enterprise Architect clients, exposing SQL-style query interfaces over the network for collaborative modeling, version control, and integration with external data stores. The root cause is classified as CWE-228 (Improper Handling of Syntactically Invalid Structure): the server's query parser does not gracefully reject malformed SQL, instead propagating the parsing error into an unhandled exception path that terminates the service process. The CPE cpe:2.3:a:sparx_systems:pro_cloud_server:*:*:*:*:*:*:*:* covers all builds of the product, while EUVD-2026-30932 narrows confirmed exposure to versions up to and including 6.1.

RemediationAI

No vendor-released patch identified at time of analysis, as Sparx Systems did not respond to CERT-PL's disclosure with fix or version information; administrators should monitor https://sparxsystems.com/products/procloudserver/ and the CERT-PL advisory at https://cert.pl/en/posts/2026/05/CVE-2026-42096 for an updated build and contact Sparx support directly to confirm whether builds above 6.1 (build 167) include a fix. As compensating controls, restrict network reachability of the Pro Cloud Server listener to trusted modeler subnets via firewall ACLs or VPN-only access (trade-off: blocks legitimate remote modelers and integration clients), tighten authentication and remove low-privilege accounts that are not strictly required for repository access (trade-off: reduces who can collaborate), enable process supervision or a watchdog to automatically restart the service after termination to limit downtime (trade-off: does not prevent repeated crashes), and increase logging/alerting on Pro Cloud Server crashes and malformed-query errors so abuse is detected quickly. Additional technical detail and PoC context can be cross-checked at https://sploit.tech/2026/05/19/Sparx-Enterprise-Architect-PCS.html and https://efigo.pl/blog/CVE-2026-42096/.

Share

EUVD-2026-30932 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy