SQL Injection Vulnerability in Sparx Pro Cloud Server
CVE-2026-42097

9.3 CRITICAL

Key Information:

Vendor
CVE Published: 19 May 2026

What is CVE-2026-42097?

Sparx Pro Cloud Server contains a vulnerability that enables an attacker to execute SQL queries without proper authentication. By omitting the 'model' query parameter and including the model name solely in the binary blob of a POST request, unauthorized users may leverage this flaw to interact with the database. While the vendor has been made aware of this issue, details on the vulnerable versions beyond the tested version 6.1 (build 167) are not publicly disclosed, and other versions may also be affected. Organizations using this product should evaluate their security posture and consider immediate remediation steps.
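A detection sketch for the request shape described above, added here and not taken from the advisory or from the vendor: it scans reverse-proxy access logs for POST requests whose query string carries no `model` parameter. The combined log format, the sample lines, the function names and the `/PLACEHOLDER_ENDPOINT/` path are assumptions, since the page gives neither the endpoint nor the product's log format.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined-log-format line (assumption: a reverse proxy in front of
# Pro Cloud Server writes these logs; the page does not describe any log format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

def has_model_param(target):
    """True if the request target has a non-empty 'model' query parameter."""
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    return any(value for value in params.get("model", []))

def suspicious_posts(lines):
    """Yield parsed POST entries whose query string lacks a 'model' value."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess at its fields
        if m["method"] == "POST" and not has_model_param(m["target"]):
            yield m.groupdict()

# Constructed sample lines (documentation IP ranges, placeholder path).
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2026:10:01:02 +0000] '
    '"POST /PLACEHOLDER_ENDPOINT/?model=demo HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jan/2026:10:01:05 +0000] '
    '"POST /PLACEHOLDER_ENDPOINT/ HTTP/1.1" 200 2048',
    '198.51.100.7 - - [01/Jan/2026:10:01:09 +0000] '
    '"GET /PLACEHOLDER_ENDPOINT/ HTTP/1.1" 200 128',
    '203.0.113.44 - - [01/Jan/2026:10:02:11 +0000] '
    '"POST /PLACEHOLDER_ENDPOINT/?model= HTTP/1.1" 200 1900',
    '198.51.100.23 - - [01/Jan/2026:10:03:30 +0000] '
    '"POST /PLACEHOLDER_ENDPOINT/?mod%65l=demo HTTP/1.1" 200 640',
]

if __name__ == "__main__":
    for hit in suspicious_posts(SAMPLE_LOG):
        print(hit["ts"], hit["ip"], hit["target"], hit["status"])
```

Legitimate POSTs to other endpoints may also lack the parameter, so treat hits as triage leads and scope the scan to the paths your deployment actually exposes.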

Affected Version(s)

Pro Cloud Server 0 <= 6.1

CVSS V4

Score: 9.3
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Blazej Adamczyk (br0x) - Efigo