CVE-2026-42538: IRIS File Upload & XSS Vulnerability – Patch to 2.4.28
IRIS is a collaborative platform designed to help incident responders coordinate during security investigations by sharing technical findings. A file validation flaw in versions before 2.4.28 allows authenticated users to upload files without proper checks. This can enable attackers to host malicious content—such as phishing pages—directly within the platform, and also introduces a Cross-Site Scripting (XSS) vulnerability that could compromise other users' sessions or steal credentials when they interact with uploaded files.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N
- Weaknesses (CWE)
- CWE-434
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-06-17
NVD description (verbatim)
IRIS is a web collaborative platform that helps incident responders share technical details during investigations. Versions prior to 2.4.28 do not properly validate uploaded files. The application can therefore be misused to host phishing pages, amongst other things. This also creates another instance of a Cross-Site Scripting (XSS) vulnerability. Version 2.4.28 contains a patch.
3 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-42538 stems from insufficient input validation on file uploads in IRIS prior to version 2.4.28. The vulnerability is classified under CWE-434 (Unrestricted Upload of File with Dangerous Type). The flaw permits authenticated users to upload files that bypass content-type and extension checks, allowing arbitrary hosted content including HTML/JavaScript payloads. When other users access these uploads, the browser executes client-side code in the security context of the IRIS domain, enabling session hijacking, credential theft, or lateral reconnaissance within the incident response workflow.
Business impact
A compromised IRIS instance becomes a vector for internal phishing campaigns targeting incident responders—a high-value subset of security staff. Attackers with valid credentials (or who obtain them via the XSS) can inject malicious pages into shared incident investigations, potentially harvesting credentials or redirecting responders to credential-harvesting sites. This undermines the integrity of incident response investigations and could expose sensitive details discussed during collaborative analysis. For organizations using IRIS as a central hub for breach coordination, this vulnerability poses a reputational and operational risk.
Affected systems
IRIS versions prior to 2.4.28 are vulnerable. The vendors_products field is empty in the source data, so verification that IRIS is the sole affected product is recommended. Deployed instances of IRIS in any environment—on-premises or cloud-hosted—used for incident response coordination are at risk if running unpatched versions.
Exploitability
Exploitation requires valid IRIS credentials (PR:L in the CVSS vector), placing this threat primarily in the insider or compromised-account category. However, an attacker with read-level access can upload a malicious file and then socially engineer or trick a higher-privileged responder into opening it, triggering the XSS. The attack surface is limited by authentication, but internal threats or credential compromise make this practical. No CISA KEV entry currently exists for this CVE.
Remediation
Upgrade IRIS to version 2.4.28 or later, which contains the patch. Before patching, restrict file upload permissions to trusted personnel and monitor uploaded files for suspicious content. Implement Content-Security-Policy (CSP) headers to mitigate XSS impact across the platform. Review audit logs for unauthorized file uploads or XSS-like payloads in recent commits.
Patch guidance
Apply version 2.4.28 as the minimum remediation. Verify the patch release notes against the official IRIS repository or vendor advisory to confirm all file validation improvements are included. Coordinate patching during a maintenance window to avoid disrupting active incident response activities. Test in a staging environment first to ensure compatibility with existing workflows and plugins.
Detection guidance
Monitor IRIS file uploads for suspicious patterns: files with double extensions (e.g., .php.txt), executable content in text fields, or HTML/JavaScript payloads in non-media uploads. Query audit logs for uploads by low-privilege accounts followed by access from unexpected IP addresses or user agents. Enable SIEM integration to alert on XSS-like payloads in file metadata or content. Browser-side detection includes monitoring for unexpected redirects or credential prompts when opening IRIS attachments.
Why prioritize this
Although the CVSS score is 6.3 (Medium), the context elevates urgency: IRIS is used by incident responders during active investigations, making it a high-value target. An insider or compromised account can poison shared incident data, compromising the integrity of security investigations. The combination of XSS and hosting malicious content creates a compounding risk. Organizations managing active breaches should prioritize patching to prevent attackers from sabotaging investigation efforts.
Risk score, explained
CVSS 6.3 reflects the need for authentication (PR:L) and user interaction (UI:R) to trigger the XSS, limiting immediate impact. However, the High confidentiality impact (C:H) and the narrow, high-value user base of incident responders mean the actual organizational risk may exceed the numeric score. The Medium severity is appropriate for environments with robust access controls; however, environments with credential reuse or lax access governance should treat this as High priority.
Frequently asked questions
Can an unauthenticated attacker exploit this vulnerability?
No. The CVSS vector requires PR:L (low privilege), meaning valid IRIS credentials are necessary. However, attackers may obtain credentials through phishing, credential stuffing, or insider threats, making this practically exploitable in real-world scenarios.
What versions of IRIS are vulnerable?
All versions prior to 2.4.28 are affected. Verify your installed version in the IRIS administration panel and upgrade immediately if running an earlier release.
Does IRIS have backup or recovery mechanisms if a user opens a malicious file?
IRIS does not have built-in recovery from XSS attacks. Mitigation relies on password resets for affected user accounts and review of their session activity during the incident. Deploy CSP headers to limit JavaScript execution scope as a preventive measure.
Is there a workaround if we cannot patch immediately?
Temporarily restrict file uploads to administrative users only, and disable file sharing between teams until the patch is deployed. Implement a WAF rule to block uploads with suspicious content signatures. However, these are temporary measures and should not delay patching.
This analysis is based on the CVE record and description provided. Specific version numbers, patch availability, and vendor statements should be verified directly with IRIS maintainers or the official advisory before remediation actions. CVSS scores reflect base metrics only and do not account for organizational context, network segmentation, or compensating controls. No exploit code has been created or distributed; this guidance is for defensive purposes only. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2026-10172MEDIUMBdtask Multi-Store Inventory 1.0 Unrestricted File Upload Vulnerability
- CVE-2026-10205MEDIUMUnrestricted File Upload in Metasoft MetaCRM 6.4.0 – Exploit Details & Remediation
- CVE-2026-10806MEDIUMUnrestricted File Upload in mjperpinosa stumasy
- CVE-2026-10807MEDIUMUnrestricted File Upload in mjperpinosa stumasy Profile Image Handler
- CVE-2018-25388HIGHHaPe PKH 1.1 Arbitrary File Upload Vulnerability (CVSS 8.8)
- CVE-2018-25409HIGHSIM-PKH 2.4.1 Arbitrary File Upload Leading to Remote Code Execution
- CVE-2026-10072HIGHDreamMaker Arbitrary File Upload RCE Vulnerability
- CVE-2026-30761HIGHSourceBans Material Admin Arbitrary File Upload RCE Vulnerability