CVE-2026-42547
Privilege Escalation in IRIS Web Platform
Publication date: 2026-06-04
Last updated on: 2026-06-04
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the IRIS web collaborative platform versions prior to 2.4.28. It allows users to create alerts for customers who are not assigned to them. This flaw can be exploited to falsely attribute fake alerts to other customers. Additionally, when combined with Cross-Site Scripting (XSS), it can be used to exfiltrate alerts belonging to other customers.
How can this vulnerability impact me? :
The vulnerability can lead to unauthorized creation of fake alerts attributed to other customers, potentially causing misinformation or confusion. Furthermore, if combined with Cross-Site Scripting, it can result in the unauthorized disclosure of sensitive alert information from other customers, compromising confidentiality.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade IRIS to version 2.4.28 or later, as this version contains the patch that fixes the issue.