CVE-2026-42539 | IRIS is a web collaborative platform that helps incident res… | CVSS 6.5 MEDIUM

Description

IRIS is a web collaborative platform that helps incident responders share technical details during investigations. Versions prior to 2.4.28 return sensitive data to the user which are not required for the client’s operation. Version 2.4.28 contains a patch.

Metadata

CVE ID: CVE-2026-42539
State: PUBLISHED
Assigner: GitHub_M
Reserved: 2026-04-28 16:56 UTC
Published: 2026-06-04 20:54 UTC
Last updated: 2026-06-08 16:40 UTC
Primary CWE: CWE-201
CWE-201: Insertion of Sensitive Information Into Sent Data
Vendor / Product: dfir-iris / iris-web
Sources: cve.org · NVD

Severity & Metrics

6.5 MEDIUM CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

SSVC — CISA Coordinator

Exploitation: PoC
Automatable: no
Tech. Impact: partial

Affected products (1)

Vendor	Product	Platform	Versions
dfir-iris	iris-web	—	< 2.4.28

Weakness (CWE)

CWE	Source	Description
CWE-201	cna	CWE-201: Insertion of Sensitive Information Into Sent Data

CVSS scores (1)

Score	Severity	Version	Source	Vector
6.5	MEDIUM	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

References (1)

https://github.com/dfir-iris/iris-web/security/advisories/GHSA-g588-5gmf-p5cx https://github.com/dfir-iris/iris-web/security/advisories/GHSA-g588-5gmf-p5cx