PatchSiren cyber security CVE debrief

CVE-2026-42099 Sparx Systems CVE debrief

CVE-2026-42099 is a race condition issue in Sparx Pro Cloud Server’s /data_api/dl_internal_artifact.php endpoint. According to the supplied sources, the application writes downloaded content into the current directory under a filename influenced by the request, and an attacker with repository access may be able to control both the filename and the file contents. Although the file is normally deleted after processing, a timing window can leave it accessible long enough for a second request to reach the uploaded PHP file, creating a path to remote code execution. The available evidence is strongest for version 6.1 (build 167) and below, which were tested and confirmed vulnerable. The supplied corpus does not establish a complete vulnerable-version range, so later releases should be treated cautiously until the vendor or downstream advisories clarify exposure.

Vendor: Sparx Systems
Product: Pro Cloud Server
CVSS: HIGH 7.7
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-19
Original CVE updated: 2026-05-19
Advisory published: 2026-05-19
Advisory updated: 2026-05-19

Who should care

Administrators and security teams running Sparx Pro Cloud Server, especially where users have repository access or the server is reachable over networks where timing-based races could be exercised. Incident responders should also care if they see unexpected PHP files or web-execution activity in the product’s working directories.

Technical summary

The issue is classified in the supplied NVD-enriched data as CWE-362 (race condition). The vulnerable endpoint downloads artifact properties using a guid parameter, saves loaded content into __DIR__ under a specified name, and then removes the file after processing. If response transmission is delayed, the file can remain available long enough for another request to execute it as PHP. The supplied record lists CVSS v4.0 vector elements consistent with network exploitation requiring low privileges and no user interaction, with high impacts to confidentiality, integrity, and availability.

Defensive priority

High priority. Treat as a potentially serious RCE risk for any deployment that exposes the affected endpoint to authenticated users with repository access. Because the exact vulnerable version range is not confirmed in the supplied corpus, validation and compensating controls should not wait for a broader confirmation.

Recommended defensive actions

  • Review whether Sparx Pro Cloud Server is deployed and whether any users have repository access that could reach the affected endpoint.
  • Upgrade or patch to a vendor-confirmed fixed release once one is available; until then, verify current product guidance from the vendor and NVD.
  • Restrict access to the Pro Cloud Server interfaces and repository functions to the minimum required users and networks.
  • Monitor the product’s working directories for unexpected PHP files or other executable artifacts.
  • Inspect web server and application logs for unusual requests to /data_api/dl_internal_artifact.php or repeated access patterns that suggest timing abuse.
  • Apply compensating controls such as tighter authentication, network segmentation, and file-execution restrictions in directories used by the application.
  • If exposure is suspected, treat the server as potentially compromised and perform a focused review for web shell activity and unauthorized code execution.
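One way to triage the log-review item above, as an added example that is not part of the advisory or of any vendor tooling: a Python heuristic that parses combined-format web access log lines and flags a client that requests the artifact endpoint and then, within a few seconds, a different .php path. The endpoint path comes from the advisory; the sample log lines, the window length and the known_paths allow-list are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - alice [19/May/2026:10:00:01 +0000] "GET /data_api/dl_internal_artifact.php?guid=A1 HTTP/1.1" 200 512
10.0.0.5 - alice [19/May/2026:10:00:02 +0000] "GET /note.php HTTP/1.1" 200 44
10.0.0.9 - bob [19/May/2026:10:05:00 +0000] "GET /data_api/dl_internal_artifact.php?guid=B2 HTTP/1.1" 200 2048
10.0.0.9 - bob [19/May/2026:10:07:30 +0000] "GET /index.php HTTP/1.1" 200 3000
"""

ARTIFACT_ENDPOINT = "/data_api/dl_internal_artifact.php"  # path named in the advisory
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) ')


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
    return rec


def find_race_candidates(log_text, window_seconds=5, known_paths=frozenset()):
    """Return (ip, user, follow_up_path, delay_seconds) for every client that hits the
    artifact endpoint and then, within window_seconds, requests another .php path
    not in known_paths. Triage heuristic only: a fast follow-up to an unexpected PHP
    file matches the race window described in the advisory; it is not proof of abuse."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    records.sort(key=lambda r: r["ts"])
    window = timedelta(seconds=window_seconds)
    hits = []
    for i, rec in enumerate(records):
        if rec["path"] != ARTIFACT_ENDPOINT:
            continue
        for later in records[i + 1:]:
            delay = later["ts"] - rec["ts"]
            if delay > window:
                break  # records are time-sorted, so nothing later can be inside the window
            if (later["ip"] == rec["ip"] and later["path"].endswith(".php")
                    and later["path"] != ARTIFACT_ENDPOINT
                    and later["path"] not in known_paths):
                hits.append((rec["ip"], rec["user"], later["path"], delay.total_seconds()))
    return hits
```

Populate known_paths with the application's legitimate PHP entry points before running this over real logs, otherwise ordinary navigation after an artifact download will show up as noise.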

Evidence notes

Based only on the supplied NVD record and the referenced CERT.PL / vendor / researcher sources. The record cites CWE-362 and describes a race condition at /data_api/dl_internal_artifact.php. The supplied corpus states that version 6.1 (build 167) and below were tested and confirmed vulnerable, while other versions were not tested. Vendor attribution in the source item is not fully resolved, so broader version assumptions should be avoided.

Official resources

Published in the supplied record on 2026-05-19. The corpus states that the vendor was notified early, but it does not provide a vendor-confirmed vulnerable range or fix status. Use the published CVE date for timing context; do not infer an