IRIS has an Insecure File Upload_CVE-2026-42538

6.3 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N

Description

IRIS is a web collaborative platform that helps incident responders share technical details during investigations. Versions prior to 2.4.28 do not properly validate uploaded files. The application can therefore be misused to host phishing pages, amongst other things. This also creates another instance of a Cross-Site Scripting (XSS) vulnerability. Version 2.4.28 contains a patch.

Basic Information

ID CVE-2026-42538

Source GitHub_M

Published Jun 4, 2026 at 20:48

Affected Product

Vendor dfir-iris

Product iris-web

Version < 2.4.28

Affected Versions dfir-iris iris-web < 2.4.28

CWE Classification

CWE-434

References

github.com /dfir-iris/iris-web/security/advisories/GHSA-m624-7744-2mhf

{
    "lastseen": "",
    "description": "IRIS is a web collaborative platform that helps incident responders share technical details during investigations. Versions prior to 2.4.28 do not properly validate uploaded files. The application can therefore be misused to host phishing pages, amongst other things. This also creates another instance of a Cross-Site Scripting (XSS) vulnerability. Version 2.4.28 contains a patch.",
    "published": "2026-06-04T20:48:58.466Z",
    "modified": "2026-06-04T20:48:58.466Z",
    "type": "cve",
    "title": "IRIS has an Insecure File Upload",
    "source": "GitHub_M",
    "references": "https://github.com/dfir-iris/iris-web/security/advisories/GHSA-m624-7744-2mhf",
    "id": "CVE-2026-42538",
    "bulletinFamily": "",
    "cwe": [
        "CWE-434"
    ],
    "cvelist": null,
    "sourceData": "dfir-iris iris-web < 2.4.28",
    "sourceHref": "",
    "cvss": {
        "score": 6.3,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "iris-web",
    "version": "< 2.4.28",
    "vendor": "dfir-iris",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}