CVE-2026-42099

7.5 HIGH

Sparx Pro Cloud Server is vulnerable to a Race Condition in the /data_api/dl_internal_artifact.php endpoint

Published: 2026-05-19 · Last updated: 2026-06-02

Severity and scoring

CVSS: 7.5 HIGH
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-362

Affected products

Vendor	Product
sparxsystems	pro_cloud_server

Description

Sparx Pro Cloud Server is vulnerable to a Race Condition in the /data_api/dl_internal_artifact.php endpoint. The application downloads the properties of the object pointed by guid parameter and saves loaded content in current location (__DIR__) under the specified name. An attacker with repository access can control both the filename and file contents, allowing the creation of a malicious PHP file in a current directory. Although the file is deleted after processing, a race condition exists: if the response transmission is delayed (e.g., via a large file or slow client connection), the file remains accessible. During this window, the attacker can issue a second request to execute the malicious PHP file, resulting in remote code execution. The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version 6.1 (build 167) and below were tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable.

Source: NVD

References

[NVD]https://nvd.nist.gov/vuln/detail/CVE-2026-42099
[Other]https://cert.pl/en/posts/2026/05/CVE-2026-42096
[Other]https://efigo.pl/blog/CVE-2026-42096/
[Other]https://sparxsystems.com/products/procloudserver/
[Exploit reference]https://sploit.tech/2026/05/19/Sparx-Enterprise-Architect-PCS.html

Related CVEs

Same vendor

CVE-2026-42100 — Improper Handling of Syntactically Invalid Structure in Sparx Pro Cloud Server allows Denial of Service (DoS) attack to be executed by se... (7.5 HIGH)
CVE-2026-42097 — Sparx Pro Cloud Server requires authentication based on requested URL (8.8 HIGH)
CVE-2026-42096 — Sparx Pro Cloud Server is vulnerable to Broken Access Control within communication with the database (8.8 HIGH)
CVE-2025-15625 — Unauthenticated user is able to execute arbitrary SQL commands in Sparx Pro Cloud Server database in certain cases (9.8 CRITICAL)
CVE-2025-15624 — Plaintext Storage of a Password vulnerability in Sparx Systems Pty Ltd (7.5 HIGH)

Same CWE

CVE-2026-12022 — Race in Safe Browsing in Google Chrome on Mac prior to 149.0.7827.115 allowed a remote attacker who had compromised the renderer process ... (8.3 HIGH)
CVE-2026-46693 — ImageMagick is free and open-source software used for editing and manipulating digital images (4.1 MEDIUM)
CVE-2026-44693 — Pi-hole FTL is the core engine of the Pi-hole network-level advertisement and tracker blocker (8.8 HIGH)
CVE-2022-26758 — A malicious application may cause unexpected changes in memory shared between processes (7.1 HIGH)
CVE-2026-1220 — Race in V8 in Google Chrome prior to 144.0.7559.99 allowed a remote attacker to potentially exploit type confusion via a crafted HTML page (7.5 HIGH)