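sparxsystems CVE Vulnerabilities and CVE List (8)

Products (CPE): — CVE count: 8

sparxsystems Vulnerability Overview

This page aggregates CVE and security vulnerability information for all sparxsystems-related products, including CVSS, EPSS, publication date, and vulnerability intelligence data.

Past issues mainly involve SQL injection and path-handling flaws, some of which lead to file overwrite, and affect production workloads and software deployment scenarios.

The listed data is based on public vulnerability information and security advisories, and can be used to assess past exposure and remediation priority.

Vulnerability distribution trend (last 24 months)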

| CVE | Summary | Source | CVSS (max) | EPSS (%) | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2026-42100 | Improper Handling of Syntactically Invalid Structure in Sparx Pro Cloud Server allows Denial of Service (DoS) attack to be executed by sending a specially crafted SQL query. This causes the Pro Cloud Server service to terminate unexpectedly. The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version 6.1 (build 167) and below were tested and confirmed as vulnerable, other versions were not tested and mi | [email protected] | 7.1 | 0.68% | 2026-05-19 | 2026-06-02 |
| CVE-2026-42099 | Sparx Pro Cloud Server is vulnerable to a Race Condition in the `/data_api/dl_internal_artifact.php` endpoint. The application downloads the properties of the object pointed by `guid` parameter and saves loaded content in current location (`__DIR__`) under the specified name. An attacker with repository access can control both the filename and file contents, allowing the creation of a malicious PHP file in a current directory. Although the file is deleted after processing, a race condition exists: if | [email protected] | 7.7 | 0.62% | 2026-05-19 | 2026-06-02 |
| CVE-2026-42097 | Sparx Pro Cloud Server requires authentication based on requested URL. An attacker can omit the "model" query parameter and send the model name only in the binary blob in POST request allowing SQL query execution without authentication. The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version 6.1 (build 167) and below were tested and confirmed as vulnerable, other versions were not tested and might als | [email protected] | 9.3 | 0.94% | 2026-05-19 | 2026-06-02 |
| CVE-2026-42096 | Sparx Pro Cloud Server is vulnerable to Broken Access Control within communication with the database. Due to lack of permission checks, any low privileged user can run arbitrary SQL queries within database user context. The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version 6.1 (build 167) and below were tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable. | [email protected] | 8.7 | 0.60% | 2026-05-19 | 2026-06-02 |
| CVE-2025-15625 | Unauthenticated user is able to execute arbitrary SQL commands in Sparx Pro Cloud Server database in certain cases. | db4dfee8-a97e-4877-bfae-eba6d14a2166 | 9.5 | 0.42% | 2026-04-17 | 2026-06-02 |
| CVE-2025-15624 | Plaintext Storage of a Password vulnerability in Sparx Systems Pty Ltd. Sparx Pro Cloud Server. In a setup where OpenID is used as the primary method of authentication to authenticate to Sparx EA, Pro Cloud Server creates local passwords to the users and stores them in plaintext. | db4dfee8-a97e-4877-bfae-eba6d14a2166 | 9.3 | 0.38% | 2026-04-17 | 2026-06-02 |
| CVE-2025-15623 | Exposure of Private Personal Information to an Unauthorized Actor, Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Sparx Systems Pty Ltd. Sparx Pro Cloud Server. Unauthenticated user can retrieve database password in plaintext in certain situations | db4dfee8-a97e-4877-bfae-eba6d14a2166 | 9.3 | 0.26% | 2026-04-17 | 2026-06-02 |
| CVE-2022-47072 | SQL injection vulnerability in Enterprise Architect 16.0.1605 32-bit allows attackers to run arbitrary SQL commands via the Find parameter in the Select Classifier dialog box. | [email protected] | 9.8 | 0.63% | 2024-01-31 | 2025-06-17 |
cvelogic Threat Intelligence