Race condition in Sparx Pro Cloud Server - CVE-2026-42099

 


Published: May 27, 2026


Vulnerability identifier: #VU132372
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-42099
CWE-ID: CWE-362
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Sparx Systems
Affected software:
Sparx Pro Cloud Server

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary code.

The vulnerability exists due to a race condition in the WebEA /data_api/dl_internal_artifact.php endpoint when downloading internal artifacts to a web-accessible temporary file. A remote user can inject a malicious PHP file into the repository and trigger concurrent requests to execute arbitrary code.

Exploitation requires Pro Cloud Server to be configured with the WebEA PHP application.
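
As an added detection example (not from the vendor or from this advisory's sources), the following Python scans web server access logs for bursts of near-simultaneous requests from one client to the endpoint named above, which is the access pattern the race depends on. The Combined Log Format, the two-second window and the threshold of five are assumptions to tune per deployment; the sample lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

ENDPOINT = "/data_api/dl_internal_artifact.php"  # path named in the advisory
# Assumption: the web server in front of WebEA logs in Combined Log Format.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')

def find_bursts(lines, window_s=2, threshold=5):
    """Return (client, window_start, count) for the first time each client
    sends at least `threshold` requests to ENDPOINT within `window_s` seconds."""
    window = timedelta(seconds=window_s)
    recent = defaultdict(deque)  # client -> request times still inside the window
    alerted = set()
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        client, ts, _method, target, _status = m.groups()
        # Ignore the query string; allow the app to sit under a path prefix.
        if not target.split("?", 1)[0].endswith(ENDPOINT):
            continue
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        q = recent[client]
        q.append(when)
        while when - q[0] > window:
            q.popleft()
        if len(q) >= threshold and client not in alerted:
            alerted.add(client)
            hits.append((client, q[0], len(q)))
    return hits

# Constructed sample lines using documentation addresses, not real traffic.
SAMPLE = [
    f'198.51.100.7 - - [27/May/2026:10:00:0{s} +0000] "GET {ENDPOINT} HTTP/1.1" 200 512'
    for s in (0, 0, 1, 1, 1, 2)
] + [
    f'203.0.113.9 - - [27/May/2026:10:0{m}:00 +0000] "GET {ENDPOINT} HTTP/1.1" 200 512'
    for m in (0, 3, 6)
]

if __name__ == "__main__":
    for client, start, count in find_bursts(SAMPLE):
        print(f"{client}: {count} requests to {ENDPOINT} starting {start.isoformat()}")
```

Lines must be in chronological order per client, as they are in a single access log file.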


How to mitigate CVE-2026-42099

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.
