CVE-2026-42096 … -42100 — Sparx Enterprise Architect / Pro Cloud Server: five-CVE pre-auth chain, public PoC, no patch
From CTI Weekly Summary — 2026-W21 (May 18 – May 24, 2026) · published 2026-05-18
CERT Polska coordinated the disclosure of five Sparx Systems vulnerabilities (CVE-2026-42096 … -42100), which chain pre-auth SQL injection with a WebEA race condition to reach RCE; a researcher PoC is public and no vendor patch exists. Sparx EA / Pro Cloud Server is widely used as a modelling and enterprise-architecture repository in Swiss and EU public-administration and university environments, so the CH/education exposure is real. With no patch available, make Pro Cloud Server reachable only over an authenticated VPN and monitor WebEA endpoints for the injection patterns CERT-PL documents.