CVE-2026-42538
IRIS Platform Unrestricted File Upload Leading to XSS
Publication date: 2026-06-04
Last updated on: 2026-06-04
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| iris | iris | to 2.4.28 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-434 | The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability exists in the IRIS web collaborative platform versions prior to 2.4.28, where the application does not properly validate uploaded files.
This improper validation allows attackers to misuse the platform to host phishing pages and also leads to a Cross-Site Scripting (XSS) vulnerability.
Version 2.4.28 of IRIS contains a patch that fixes this issue.
How can this vulnerability impact me? :
This vulnerability can impact you by allowing attackers to host phishing pages on the IRIS platform, potentially deceiving users into providing sensitive information.
Additionally, the Cross-Site Scripting (XSS) vulnerability can be exploited to execute malicious scripts in users' browsers, which may lead to data theft or session hijacking.
The CVSS score of 6.3 indicates a medium severity with high confidentiality impact and low integrity impact.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade IRIS to version 2.4.28 or later, as this version contains the patch that properly validates uploaded files and addresses the Cross-Site Scripting (XSS) vulnerability.