CVE-2026-42096 … -42100 — Sparx Enterprise Architect / Pro Cloud Server: five-CVE pre-auth chain, public PoC, no patch
notable vulnerability discovered 2026-05-18 05:00 UTC
Entities: Sparx Enterprise Architect / Pro Cloud Server
Part of run 2026-W21-473d6fa5 (weekly · Claude Opus 4.7)
CERT Polska coordinated the disclosure of five Sparx Systems vulnerabilities (CVE-2026-42096 … -42100), chaining pre-auth SQL injection with a WebEA race condition to reach RCE; a researcher PoC is public and no vendor patch exists. Sparx EA / Pro Cloud Server is widely used as a modelling and enterprise-architecture repository in Swiss and EU public-administration and university environments, so the CH/education exposure is real. With no patch available, make Pro Cloud Server reachable only over an authenticated VPN and monitor WebEA endpoints for the injection patterns CERT-PL documents.