CVE-2026-42543 MEDIUM

CVE-2026-42543: IRIS has a Cross-Site Request Forgery (CSRF) issue

Vendor Dfir-Iris
Product iris-web
Weakness CWE-650
Published June 4, 2026
Last update June 8, 2026

CVSS base score

4.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

What the vulnerability does

01Description

IRIS is a web collaborative platform that helps incident responders share technical details during investigations. Versions prior to 2.4.28 are vulnerable to a cross-site request forgery attack, because they use the HTTP method `GET` to change state on the server. Version 2.4.28 contains a patch.

Key dates

02Disclosure timeline

June 4, 2026 CVE published
June 8, 2026 Record updated