PT-2026-41893 · Sparx Systems · Sparx Pro Cloud Server

Published: 2026-05-19 · Updated: 2026-06-02 · CVE-2026-42097

CVSS v4.0: 9.3 (Critical)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Sparx Pro Cloud Server versions 6.1 (build 167) and earlier

Description: The server decides whether a request must be authenticated based on the requested URL. An attacker can bypass this check by omitting the model query parameter from the URL and supplying the model name only inside the binary blob of a POST request body, which allows SQL queries to be executed without authentication. This may lead to unauthorized database access and data manipulation.

Recommendations: Restrict external exposure of the server to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
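The flaw described above is an authorization decision keyed on a client-controlled detail of the URL (the presence of the model query parameter) while the same model name can also arrive in the request body. The following is an added illustrative example, not Sparx Systems code: it models the flawed decision beside a hardened one that protects the endpoint by route, independent of how the model name is supplied. The /query path, the Request type and the length-prefixed body encoding are assumptions made for the demonstration; the real binary blob format is not public.

```python
"""Illustrative model of the auth-decision flaw in PT-2026-41893.

Constructed example, not the vendor's code. The '/query' path, the
Request type and the body encoding are assumptions for this demo.
The single detail taken from the advisory is that the server keys its
authentication decision on the 'model' query parameter of the URL,
while the model name may also be carried inside the POST body.
"""
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import parse_qs, urlsplit


@dataclass
class Request:
    method: str
    url: str                      # path plus optional query string
    body: bytes = b""
    authenticated: bool = False   # outcome of session/token validation

    @property
    def path(self) -> str:
        return urlsplit(self.url).path

    @property
    def query(self) -> Dict[str, str]:
        return {k: v[0] for k, v in parse_qs(urlsplit(self.url).query).items()}


def model_from_body(body: bytes) -> Optional[str]:
    """Assumed demo encoding: one length byte, then an ASCII model name,
    then the query payload. Returns None if the prefix is malformed."""
    if not body:
        return None
    n = body[0]
    name = body[1:1 + n]
    return name.decode("ascii") if n and len(name) == n else None


def vulnerable_requires_auth(req: Request) -> bool:
    """Flawed decision: only URLs that name a model count as protected."""
    return "model" in req.query


def vulnerable_handle(req: Request) -> str:
    """Request flow with the flawed decision: a body-only model name is
    resolved after the auth check has already been skipped."""
    if vulnerable_requires_auth(req) and not req.authenticated:
        return "401"
    model = req.query.get("model") or model_from_body(req.body)
    return f"200 query executed against {model}" if model else "400"


def hardened_handle(req: Request) -> str:
    """Fixed decision: the query endpoint is protected by route, regardless
    of how (or whether) the model name is supplied; resolution comes after."""
    if req.path == "/query" and not req.authenticated:
        return "401"
    model = req.query.get("model") or model_from_body(req.body)
    return f"200 query executed against {model}" if model else "400"


def demo() -> Dict[str, str]:
    """Run both handlers over constructed requests and return the outcomes."""
    body = bytes([len(b"ProjectDB")]) + b"ProjectDB" + b"SELECT 1"  # constructed
    normal = Request("POST", "/query?model=ProjectDB", body, authenticated=False)
    body_only = Request("POST", "/query", body, authenticated=False)
    return {
        "vulnerable/normal": vulnerable_handle(normal),      # 401, as intended
        "vulnerable/body_only": vulnerable_handle(body_only),  # executes unauthenticated
        "hardened/body_only": hardened_handle(body_only),      # 401
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The design point is that the access decision must be attached to the resource or route being served, not to whether a particular parameter happens to be present in the URL; any input that can name the resource (query string, body, header) has to be resolved before, or independently of, the authentication check. Until a fixed build is available, the network-exposure restriction in the recommendations is the practical mitigation.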

Exploit

IDOR

Weakness Enumeration

Related Identifiers: CVE-2026-42097

Affected Products: Sparx Pro Cloud Server