cvedb.io
CVE-2026-42099
HIGH · CVSS 7.5
EPSS exploitation probability: 0%
Published 2026-05-19T14:16:42.630 · Last modified 2026-06-17T10:47:25.950

Summary

Sparx Pro Cloud Server is vulnerable to a race condition in the /data_api/dl_internal_artifact.php endpoint. The application downloads the properties of the object pointed to by the guid parameter and saves the loaded content in the current location (__DIR__) under the specified name. An attacker with repository access can control both the filename and the file contents, allowing the creation of a malicious PHP file in the current directory. Although the file is deleted after processing, a race condition exists: if the response transmission is delayed (e.g., via a large file or slow client connection), the file remains accessible. During this window, the attacker can issue a second request to execute the malicious PHP file, resulting in remote code execution. The vendor was notified early about this vu

Affected products

sparxsystems — pro_cloud_server

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.