CVE-2026-42540
Privilege Escalation in IRIS Web Platform
Publication date: 2026-06-04
Last updated on: 2026-06-04
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| iris | iris | to 2.4.28 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-915 | The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified. |
Attack-Flow Graph
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade IRIS to version 2.4.28 or later, as this version contains the patch that fixes the issue.
Can you explain this vulnerability to me?
This vulnerability exists in the IRIS web collaborative platform, which is used by incident responders to share technical details during investigations. In versions prior to 2.4.28, a user can manipulate API requests to alter values in the database improperly. This means that unauthorized changes to stored data can be made through crafted API calls. The issue was fixed in version 2.4.28.
How can this vulnerability impact me? :
The vulnerability allows a user with some level of privileges to alter database values via manipulated API requests. This can lead to integrity issues where data may be changed without proper authorization. Although it does not impact confidentiality or availability, the integrity loss could affect the reliability of the information stored and shared within the IRIS platform.