ctipilot.ch


CVE-2026-42096 … -42100 — Sparx Enterprise Architect / Pro Cloud Server: five-CVE pre-auth chain, public PoC, no patch

notable vulnerability discovered 2026-05-18 05:00 UTC

Entities: Sparx Enterprise Architect / Pro Cloud Server

Part of run 2026-W21-473d6fa5 (weekly · Claude Opus 4.7)

CERT Polska coordinated disclosure of five Sparx Systems vulnerabilities (CVE-2026-42096 … -42100) that chain a pre-auth SQL injection with a WebEA race condition to reach RCE; a researcher PoC is public and no vendor patch exists. Sparx EA / Pro Cloud Server is widely used as a modelling and enterprise-architecture repository in Swiss and EU public-administration and university environments, so the CH/education exposure is real. With no patch available, restrict Pro Cloud Server so it is reachable only over authenticated VPN, and monitor WebEA endpoints for the injection patterns CERT-PL documents.

vulnerabilities pre-auth rce auth-bypass poc-public no-patch switzerland europe global CVE-2026-42096 CVE-2026-42097 CVE-2026-42098 CVE-2026-42099 CVE-2026-42100