VYPR
Vendor

Sparx Systems Pty Ltd.

Products
2
CVEs
13
Across products
13
Status
Private

Products

2

Recent CVEs

13
  • CVE-2025-15625CriApr 17, 2026
    risk 0.64cvss 9.8epss 0.00

    Unauthenticated user is able to execute arbitrary SQL commands in Sparx Pro Cloud Server database in certain cases.

  • CVE-2026-42098HigMay 19, 2026
    risk 0.57cvss epss 0.00

    Sparx Enterprise Architect software has a security feature that limits user's actions to those specified in the role. An authenticated attacker can modify the Enterprise Architect client behavior (e.g. using a debugger) and log in as any other user or administrator - then it is…

  • CVE-2026-42097HigMay 19, 2026
    risk 0.57cvss 8.8epss 0.01

    Sparx Pro Cloud Server requires authentication based on requested URL. An attacker can omit the "model" query parameter and send the model name only in the binary blob in POST request allowing SQL query execution without authentication. The vendor was notified early about…

  • CVE-2026-42096HigMay 19, 2026
    risk 0.57cvss 8.8epss 0.01

    Sparx Pro Cloud Server is vulnerable to Broken Access Control within communication with the database. Due to lack of permission checks, any low privileged user can run arbitrary SQL queries within database user context. The vendor was notified early about this vulnerability,…

  • CVE-2025-4377HigMay 9, 2025
    risk 0.54cvss epss 0.01

    Improper Limitation of a Pathname caused a Path Traversal vulnerability in Sparx Systems Pro Cloud Server. This vulnerability is present in logview.php and it allows reading arbitrary files on the filesystem.  Logview is accessible on Pro Cloud Server Configuration interface.…

  • CVE-2026-42100HigMay 19, 2026
    risk 0.49cvss 7.5epss 0.01

    Improper Handling of Syntactically Invalid Structure in Sparx Pro Cloud Server allows Denial of Service (DoS) attack to be executed by sending an specially crafted SQL query. This causes the Pro Cloud Server service to terminate unexpectedly.  The vendor was notified early…

  • CVE-2026-42099HigMay 19, 2026
    risk 0.49cvss 7.5epss 0.01

    Sparx Pro Cloud Server is vulnerable to a Race Condition in the /data_api/dl_internal_artifact.php endpoint. The application downloads the properties of the object pointed by guid parameter and saves loaded content in current location (__DIR__) under the specified name. An…

  • CVE-2025-15624HigApr 17, 2026
    risk 0.49cvss 7.5epss 0.00

    Plaintext Storage of a Password vulnerability in Sparx Systems Pty Ltd. Sparx Pro Cloud Server.  In a setup where OpenID is used as the primary method of authentication to authenticate to Sparx EA, Pro Cloud Server creates local passwords to the users and stores them in…

  • CVE-2025-15623HigApr 17, 2026
    risk 0.49cvss 7.5epss 0.00

    Exposure of Private Personal Information to an Unauthorized Actor, : Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Sparx Systems Pty Ltd. Sparx Pro Cloud Server. Unauthenticated user can retrieve database password in plaintext in…

  • CVE-2025-4375MedMay 9, 2025
    risk 0.45cvss epss 0.00

    Cross-Site Request Forgery (CSRF) vulnerability in Sparx Systems Pro Cloud Server allows Cross-Site Request Forgery to perform Session Hijacking. Cross-Site Request Forgery is present at the whole application but it can be used to change the Pro Cloud Server Configuration…

  • CVE-2025-15622MedApr 17, 2026
    risk 0.40cvss epss 0.00

    Insufficiently Protected Credentials vulnerability in Sparx Systems Pty Ltd. Sparx Enterprise Architect. Client reveals plaintext OAuth2 client secretDesktop client decodes the secret and uses the plaintext secret to exchange it into an access and id tokens as part of the…

  • CVE-2025-15621MedApr 16, 2026
    risk 0.37cvss epss 0.00

    Insufficiently Protected Credentials in Sparx Systems Pty Ltd. Sparx Enterprise Architect. Client does not verify the receiver of OAuth2 credentials during OpenID authentication

  • CVE-2025-4376MedMay 9, 2025
    risk 0.34cvss epss 0.01

    Improper Input Validation vulnerability in Sparx Systems Pro Cloud Server's WebEA model search field allows Cross-Site Scripting (XSS). This issue affects Pro Cloud Server: earlier than 6.0.165.