CVE-2026-42539 PUBLISHED

IRIS has an Excessive Data Exposure issue

Assigner: GitHub_M
Reserved: 28.04.2026 Published: 04.06.2026 Updated: 04.06.2026

IRIS is a collaborative web platform that helps incident responders share technical details during investigations. Versions prior to 2.4.28 return sensitive data to the user that is not required for the client’s operation. Version 2.4.28 contains a patch.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVSS Score: 6.5

Product Status

Vendor dfir-iris
Product iris-web
Versions
  • Version < 2.4.28 is affected

Problem Types

  • CWE-201: Insertion of Sensitive Information Into Sent Data