CVE-2026-42540 MEDIUM

CVE-2026-42540: IRIS has a Mass Assignment issue

Vendor Dfir-Iris
Product iris-web
Weakness CWE-915
Published June 4, 2026
Last update June 5, 2026

CVSS base score

4.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

What the vulnerability does

01Description

IRIS is a web collaborative platform that helps incident responders share technical details during investigations. Versions prior to 2.4.28 allow a user to alter values in the database via manipulated API requests. Version 2.4.28 contains a patch.

Key dates

02Disclosure timeline

June 4, 2026 CVE published
June 5, 2026 Record updated