Description
IRIS is a web collaborative platform that helps incident responders share technical details during investigations. Versions prior to 2.4.28 are vulnerable to a cross-site request forgery attack, because they use the HTTP method `GET` to change state on the server. Version 2.4.28 contains a patch.
Published: 2026-06-04
Score: 4.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises because IRIS Web uses the HTTP GET method for requests that alter state on the server. Browsers issue GET requests automatically for links, images, iframes and redirects, and attach the user's session cookie to them, so an attacker can embed a crafted URL in a page under their control and have a logged-in victim's browser send it without the victim's knowledge. The result is state-changing operations performed with the victim's permissions. The CVE record does not say which endpoints are affected; the CVSS vector (C:N/I:L/A:N) rates the impact as a limited loss of integrity with no direct confidentiality or availability impact.

Affected Systems

The affected product is the IRIS Web collaboration platform developed by dfir-iris. Versions earlier than 2.4.28 are vulnerable, while version 2.4.28 contains a fix. All deployments running a pre‑2.4.28 release are susceptible.

Risk and Exploitability

The CVSS 3.1 base score of 4.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N) rates this vulnerability medium. No EPSS data is available, and the issue is not listed in CISA's KEV catalog. The attack vector is the victim's web browser: the attacker needs no privileges on IRIS (PR:N) but must get a logged-in user to visit attacker-controlled content (UI:R), at which point the browser submits the forged GET request with the victim's session cookie. Because cookies marked SameSite=Lax are still sent on top-level GET navigations, that browser default does not protect a GET endpoint that changes state.

Generated by OpenCVE AI on June 4, 2026 at 22:21 UTC.

Remediation

The vendor fix is the IRIS 2.4.28 release named in the description. No workaround is listed.

OpenCVE Recommended Actions

  • Upgrade IRIS Web to version 2.4.28 or later.
  • Ensure that all state-changing operations use POST or other non-GET HTTP methods, so that a plain link or image tag cannot trigger them.
  • Add CSRF tokens to all forms and endpoints that modify state; changing the method alone does not stop a forged cross-site POST submitted from an attacker-controlled form.
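The following is an added example written for this page; it is not code from the IRIS project, and the route name, session store and setting are hypothetical. It models the pattern the description and the recommended actions above refer to: a handler that changes state on GET, beside a hardened handler that requires POST plus a per-session CSRF token, exercised against a forged cross-site GET, a forged cross-site POST without a token, and a legitimate same-origin POST.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed in-memory state for the demo (hypothetical, not IRIS data):
# a session table and one server-side setting an authenticated user may change.
SESSIONS: Dict[str, Dict[str, str]] = {}
STATE = {"setting": "original"}


@dataclass
class Request:
    """Minimal stand-in for an HTTP request as a web framework would expose it."""
    method: str
    path: str
    cookies: Dict[str, str] = field(default_factory=dict)
    form: Dict[str, str] = field(default_factory=dict)
    query: Dict[str, str] = field(default_factory=dict)


def login(user: str) -> str:
    """Create a session and bind a fresh CSRF token to it; returns the session id."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid: str) -> str:
    """What the same-origin page would embed in its form; a third-party site cannot read it."""
    return SESSIONS[sid]["csrf"]


def session_for(req: Request) -> Optional[Dict[str, str]]:
    return SESSIONS.get(req.cookies.get("session", ""))


def vulnerable_update(req: Request) -> int:
    """Pre-fix pattern: a GET request with a valid session cookie changes state.
    Any page the victim visits can trigger it with <img src="...">, because the
    browser attaches the session cookie on its own."""
    sess = session_for(req)
    if sess is None:
        return 401
    if req.path == "/settings/update":  # hypothetical route
        STATE["setting"] = req.query.get("value", STATE["setting"])
        return 200
    return 404


def hardened_update(req: Request) -> int:
    """Hardened pattern: the state change requires POST and a CSRF token that
    matches the one bound to the caller's session (constant-time comparison)."""
    sess = session_for(req)
    if sess is None:
        return 401
    if req.path != "/settings/update":
        return 404
    if req.method != "POST":
        return 405  # GET is read-only on this route
    token = req.form.get("csrf_token", "")
    if not hmac.compare_digest(token, sess["csrf"]):
        return 403  # cross-site form post: cookie present, token absent or wrong
    STATE["setting"] = req.form.get("value", STATE["setting"])
    return 200


def demo() -> Dict[str, object]:
    """Run the three requests against both handlers and report status and resulting state."""
    STATE["setting"] = "original"
    sid = login("analyst")
    cookie = {"session": sid}

    # Forged cross-site GET: attacker controls path and query, browser adds the cookie.
    forged_get = Request("GET", "/settings/update", cookies=cookie, query={"value": "attacker"})
    # Forged cross-site POST: an auto-submitting form on the attacker's page; no token.
    forged_post = Request("POST", "/settings/update", cookies=cookie, form={"value": "attacker"})
    # Legitimate same-origin POST carrying the session's token.
    legit_post = Request("POST", "/settings/update", cookies=cookie,
                         form={"csrf_token": csrf_token_for(sid), "value": "user"})

    out: Dict[str, object] = {}
    out["vuln_get_status"] = vulnerable_update(forged_get)
    out["vuln_get_state"] = STATE["setting"]

    STATE["setting"] = "original"
    out["hard_get_status"] = hardened_update(forged_get)
    out["hard_forged_post_status"] = hardened_update(forged_post)
    out["hard_state_after_forgeries"] = STATE["setting"]
    out["hard_legit_status"] = hardened_update(legit_post)
    out["hard_state_after_legit"] = STATE["setting"]
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The forged GET succeeds against the vulnerable handler and rewrites the setting; against the hardened handler both forgeries fail (405 for the GET, 403 for the token-less POST) and only the request carrying the session-bound token goes through. The token must come from the same-origin page, which is exactly what a cross-site attacker cannot read.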


Advisories

No advisories yet.

History

Fri, 05 Jun 2026 07:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Dfir-iris
                                      Dfir-iris iris
Vendors & Products                    Dfir-iris
                                      Dfir-iris iris

Thu, 04 Jun 2026 22:30:00 +0000

Type                 Values Removed   Values Added
References

Thu, 04 Jun 2026 21:30:00 +0000

Type                 Values Removed   Values Added
Description                           IRIS is a web collaborative platform that helps incident responders share technical details during investigations. Versions prior to 2.4.28 are vulnerable to a cross-site request forgery attack, because they use the HTTP method `GET` to change state on the server. Version 2.4.28 contains a patch.
Title                                 IRIS has a Cross-Site Request Forgery (CSRF) issue
Weaknesses                            CWE-650
References
Metrics                               cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-04T21:36:17.209Z

Reserved: 2026-04-28T16:56:50.190Z

Link: CVE-2026-42543

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-06-04T22:16:53.737

Modified: 2026-06-04T22:16:53.737

Link: CVE-2026-42543

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-05T07:30:30Z

Weaknesses