Description
IRIS is a web collaborative platform that helps incident responders share technical details during investigations. Versions prior to 2.4.28 return sensitive data to the user which are not required for the client’s operation. Version 2.4.28 contains a patch.
Published: 2026-06-04
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

IRIS is a web collaborative platform for incident responders. A defect in versions before 2.4.28 allows the application to return sensitive data that is not needed by the client. This excessive data exposure can lead to unintended disclosure of confidential information. The weakness maps to CWE‑201, which is a data privacy and exposure issue.

Affected Systems

The vulnerability affects the IRIS Web component produced by dfir‑iris. All installations running a version earlier than 2.4.28 are impacted; the fix is integrated in version 2.4.28.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity. No EPSS data is available, and the vulnerability is not yet in the CISA KEV catalog. An attacker with access to the normal web interface can trigger the erroneous data exposure, potentially compromising confidentiality. Prompt patching reduces the risk of accidental data leakage.

Generated by OpenCVE AI on June 4, 2026 at 22:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade IRIS Web to version 2.4.28 or later.
  • Restrict network access to the IRIS Web instance so only authorized responders can communicate with it.
  • Implement least‑privilege data handling to ensure clients receive only the data needed for their operations.

Generated by OpenCVE AI on June 4, 2026 at 22:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 05 Jun 2026 07:45:00 +0000

Type Values Removed Values Added
First Time appeared Dfir-iris
Dfir-iris iris
Vendors & Products Dfir-iris
Dfir-iris iris

Thu, 04 Jun 2026 22:30:00 +0000

Type Values Removed Values Added
References

Thu, 04 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
Description IRIS is a web collaborative platform that helps incident responders share technical details during investigations. Versions prior to 2.4.28 return sensitive data to the user which are not required for the client’s operation. Version 2.4.28 contains a patch.
Title IRIS has an Excessive Data Exposure issue
Weaknesses CWE-201
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Dfir-iris Iris
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-04T21:36:15.404Z

Reserved: 2026-04-28T16:56:50.190Z

Link: CVE-2026-42539

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-04T22:16:53.370

Modified: 2026-06-04T22:16:53.370

Link: CVE-2026-42539

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-05T07:30:30Z

Weaknesses