IRIS Alerts Can be Falsely Attributed to Customers
CVE-2026-42547

5.4MEDIUM

Key Information:

Vendor: Dfir-iris
Status: Iris-web
Vendor: CVE Published:; 4 June 2026

What is CVE-2026-42547?

IRIS is a web collaborative platform that helps incident responders share technical details during investigations. In versions prior to 2.4.28, users can create alerts for customers that are not assigned to them. This can be abused to falsely attribute fake alerts to customers. In combination with Cross-Site Scripting, this can also be used to exfiltrate alerts from other customers. Version 2.4.28 contains a patch.

Affected Version(s)

iris-web < 2.4.28

References

https://github.com/dfir-iris/iris-web/security/advisories...

x_refsource_CONFIRM

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 4, 2026
Vulnerability Reserved
Apr 28, 2026

CVE-2026-42547 Data

JSON

Dfir-iris

What is CVE-2026-42547?

Affected Version(s)

References

CVSS V3.1

Timeline