PT-2026-41895 · Sparx Systems · Pro Cloud Server

Published 2026-05-19 · Updated 2026-06-02 · CVE-2026-42099

CVSS v4.0: 7.7 (High)

Vector: AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L
Name of the Vulnerable Software and Affected Versions

Sparx Pro Cloud Server versions 6.1 (build 167) and earlier

Description

A race condition exists in the '/data_api/dl_internal_artifact.php' endpoint. The application downloads object properties based on the guid parameter and saves the content in the current directory (__DIR__). An attacker with repository access can control the filename and content to create a malicious PHP file. While the file is deleted after processing, a delay in response transmission allows a window where the file remains accessible, enabling a second request to execute the file and achieve remote code execution.

Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability.
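
With no fixed version announced, web access logs are one place to look for the request pattern the description implies: a request for a PHP file in the endpoint's directory that is not a shipped script, arriving shortly after a request to the endpoint. The following detection sketch is an added example, not vendor or advisory code; the endpoint path spelling, the "combined" log format, the 5-second window and the `known_scripts` allowlist are assumptions to adjust for your deployment.

```python
import re
from datetime import datetime, timedelta

# Assumed values: endpoint path as read from the advisory, "combined" log format,
# a 5 s window, and an allowlist the operator builds from a clean install.
ENDPOINT = "/data_api/dl_internal_artifact.php"
WINDOW = timedelta(seconds=5)
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*" (\d{3}) ')

def parse(lines):
    """Yield (time, client, path, status) for each well-formed log line."""
    for line in lines:
        m = LINE.match(line)
        if m:
            client, stamp, target, status = m.groups()
            when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
            yield when, client, target.split("?", 1)[0], int(status)

def find_race_candidates(lines, known_scripts=(), endpoint=ENDPOINT, window=WINDOW):
    """Flag requests for unknown .php files beside the endpoint that arrive
    within `window` after a request to the endpoint itself."""
    directory, script = endpoint.rsplit("/", 1)
    directory += "/"
    allowed = {script, *known_scripts}
    # Servers log on completion, so a slow download can be logged after the
    # request that raced it: order by request time, endpoint first on ties.
    events = sorted(parse(lines), key=lambda e: (e[0], e[2] != endpoint))
    last_download, hits = None, []
    for when, client, path, status in events:
        if path == endpoint:
            last_download = when
            continue
        name = path[len(directory):] if path.startswith(directory) else ""
        if not name.lower().endswith(".php") or "/" in name or name in allowed:
            continue
        if last_download is not None and when - last_download <= window:
            hits.append((client, path, status))
    return hits

# Constructed sample log lines (not from a real server); note the out-of-order logging.
SAMPLE = [
    '198.51.100.9 - - [02/Jun/2026:10:14:00 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "-"',
    '203.0.113.7 - - [02/Jun/2026:10:15:01 +0000] "GET /data_api/constructed_name.php HTTP/1.1" 200 0 "-" "-"',
    '203.0.113.7 - - [02/Jun/2026:10:15:00 +0000] "GET /data_api/dl_internal_artifact.php?guid=CONSTRUCTED HTTP/1.1" 200 9 "-" "-"',
    '198.51.100.9 - - [02/Jun/2026:10:15:02 +0000] "GET /data_api/known_constructed.php HTTP/1.1" 200 40 "-" "-"',
    '203.0.113.7 - - [02/Jun/2026:10:20:00 +0000] "GET /data_api/constructed_name.php HTTP/1.1" 404 0 "-" "-"',
]
```

A 200 status on a flagged request deserves immediate review; a 404 inside the window still indicates a probe for a file that should never exist there.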

Exploit

RCE

Race Condition


Weakness Enumeration

Related Identifiers

CVE-2026-42099

Affected Products

Pro Cloud Server