CVE-2026-42538

Published: Jun 4, 2026Modified: Jun 5, 2026Deferred

6.3

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N

Exploitability: 2.1 / Impact: 4.2

Source: security-advisories@github.com (Secondary)

Description

IRIS is a web collaborative platform that helps incident responders share technical details during investigations. Versions prior to 2.4.28 do not properly validate uploaded files. The application can therefore be misused to host phishing pages, amongst other things. This also creates another instance of a Cross-Site Scripting (XSS) vulnerability. Version 2.4.28 contains a patch.

Related CWEs

CWE-434

Unrestricted Upload of File with Dangerous Type

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

References (2)

https://github.com/dfir-iris/iris-web/security/advisories/GHSA-m624-7744-2mhf

Source: security-advisories@github.com

http://www.openwall.com/lists/oss-security/2026/05/19/8

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.