CVE-2026-42538
Deferred Deferred - Pending Action

IRIS Platform Unrestricted File Upload Leading to XSS

Vulnerability report for CVE-2026-42538, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-04

Last updated on: 2026-06-05

Assigner: GitHub, Inc.

Description

IRIS is a web collaborative platform that helps incident responders share technical details during investigations. Versions prior to 2.4.28 do not properly validate uploaded files. The application can therefore be misused to host phishing pages, amongst other things. This also creates another instance of a Cross-Site Scripting (XSS) vulnerability. Version 2.4.28 contains a patch.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-04
Last Modified
2026-06-05
Generated
2026-07-16
AI Q&A
2026-06-05
EPSS Evaluated
2026-07-15
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
iris iris to 2.4.28 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-434 The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The vulnerability allows attackers to upload malicious files that can be used for phishing and Cross-Site Scripting (XSS) attacks, potentially leading to credential theft and unauthorized access to sensitive information.

Such security weaknesses can undermine compliance with common standards and regulations like GDPR and HIPAA, which require organizations to protect personal and sensitive data from unauthorized access and breaches.

Failure to properly validate uploaded files and prevent hosting of malicious content could result in data breaches or misuse of the platform, thereby increasing the risk of non-compliance with these regulations.

Detection Guidance

This vulnerability involves insecure file uploads allowing malicious files such as HTML or JavaScript to be hosted on the IRIS web application server. Detection involves identifying potentially malicious uploaded files that bypass proper validation.

To detect this on your system, you should scan the directories or storage locations where uploaded files are kept for suspicious file types or content, especially HTML files or files containing JavaScript code.

Suggested commands to help detect potentially malicious uploads include:

  • Find all HTML files in the upload directory (replace /path/to/uploads with actual path): find /path/to/uploads -type f -iname "*.html"
  • Search for JavaScript code inside uploaded files: grep -r --include="*.html" "<script" /path/to/uploads
  • Check for files with suspicious MIME types or extensions that should not be allowed.

Additionally, review web server logs for unusual requests to uploaded files that might indicate phishing or XSS exploitation attempts.

It is also recommended to verify the IRIS application version and update to 2.4.28 or later to apply the patch.

Executive Summary

The vulnerability exists in the IRIS web collaborative platform versions prior to 2.4.28, where the application does not properly validate uploaded files.

This improper validation allows attackers to misuse the platform to host phishing pages and also leads to a Cross-Site Scripting (XSS) vulnerability.

Version 2.4.28 of IRIS contains a patch that fixes this issue.

Impact Analysis

This vulnerability can impact you by allowing attackers to host phishing pages on the IRIS platform, potentially deceiving users into providing sensitive information.

Additionally, the Cross-Site Scripting (XSS) vulnerability can be exploited to execute malicious scripts in users' browsers, which may lead to data theft or session hijacking.

The CVSS score of 6.3 indicates a medium severity with high confidentiality impact and low integrity impact.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade IRIS to version 2.4.28 or later, as this version contains the patch that properly validates uploaded files and addresses the Cross-Site Scripting (XSS) vulnerability.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-42538. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart