CVE-2026-42538
Description
IRIS web platform versions prior to 2.4.28 are vulnerable to insecure file uploads, enabling phishing and XSS attacks.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The IRIS web collaborative platform, in versions prior to 2.4.28, does not properly validate files uploaded to its datastore. An attacker can therefore upload arbitrary files, including HTML, which the application stores and then serves back to anyone holding the link [1].
Exploitation
An attacker can upload an HTML file to the IRIS datastore without the server returning an error. The application then serves that file, so the attacker controls the content presented to whoever opens it. Because the link points at a legitimate, trusted IRIS deployment rather than an attacker-owned host, the attacker only needs to send the victim the link [1].
Impact
Successful exploitation lets an attacker host arbitrary content on the IRIS instance. A link to a trusted IRIS host lends itself to phishing and credential theft. If the uploaded file contains JavaScript and is served inline, the result is stored Cross-Site Scripting (XSS): the script runs in the victim's browser within the IRIS origin and can therefore act with the victim's authenticated session [1].
Mitigation
Version 2.4.28 of the IRIS web application contains a patch for this vulnerability. Users are advised to update to version 2.4.28 or later. No workarounds are specified in the available references [1].
AI Insight generated on Jun 4, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
Root cause
"The web application does not properly validate uploaded files, allowing arbitrary content to be hosted."
Attack vector
An attacker with low privileges can upload an HTML file to the application's datastore without server-side validation of its content [1]. The file can contain arbitrary content, including JavaScript. When a victim opens the link to the uploaded file, the injected JavaScript executes in their browser, enabling phishing or credential theft [1]. The advisory classifies the issue as Cross-Site Scripting (XSS) [1].
Affected code
The vulnerability lies in the file upload functionality of the IRIS web application, specifically in the datastore component that handles file additions. The advisory indicates that the file type is not properly validated before the file is stored and served by the server [1].
What the fix does
Version 2.4.28 contains a patch for the insecure file upload. The references do not describe the change itself, and no fix commit is linked on this page. A fix of this kind is expected to validate uploaded files properly, allow-listing permitted types rather than trusting the declared extension or MIME type, so that HTML with injected scripts cannot be stored, and to serve stored files in a way that does not let them render as same-origin documents. Together these remove both the phishing and the XSS vector.
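As an added example (not IRIS's code and not the 2.4.28 patch, which this page does not link), the following Python shows the two controls a fix of this kind normally combines: an upload gate that allow-lists file types by extension and magic bytes and rejects text that a browser would sniff as HTML, and response headers that deliver a stored file as a download rather than as a same-origin document. It also includes a small header check that tells whether a given response would still render as a document; pointed at the headers a datastore actually returns for an uploaded HTML file, it serves as a quick test for both the issue described under Exploitation and its fix. The allow-list, size limit, and inputs are constructed for the example.

```python
"""Illustrative upload gate and download headers (example code, not IRIS's)."""
import re
from dataclasses import dataclass

# Allow-list of extension -> acceptable leading magic bytes. Constructed for this
# example; a real deployment tunes it to the evidence types it actually needs.
ALLOWED_SIGNATURES = {
    ".pdf": (b"%PDF-",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".zip": (b"PK\x03\x04", b"PK\x05\x06"),
    ".txt": (),  # no magic bytes; checked for active-content markers instead
}

# Markers that make a browser treat sniffed "text" as an HTML/SVG document.
ACTIVE_CONTENT_RE = re.compile(
    rb"<\s*(?:script|html|svg|iframe|body|object|embed)\b|javascript:", re.I
)


@dataclass
class Verdict:
    accepted: bool
    reason: str


def gate_upload(filename: str, data: bytes, max_bytes: int = 50 * 1024 * 1024) -> Verdict:
    """Decide whether an uploaded file may enter the datastore.

    The declared extension is only a hint: the content must carry the matching
    magic bytes, and plain text must not contain markup a browser would render.
    """
    if len(data) > max_bytes:
        return Verdict(False, "file too large")
    # Keep only the final path component so "../x.png" cannot escape the store.
    name = re.split(r"[\\/]", filename)[-1]
    if not name or name.startswith("."):
        return Verdict(False, "bad filename")
    ext = name[name.rfind("."):].lower() if "." in name else ""
    if ext not in ALLOWED_SIGNATURES:
        return Verdict(False, f"extension {ext!r} not allowed")
    signatures = ALLOWED_SIGNATURES[ext]
    if signatures and not any(data.startswith(sig) for sig in signatures):
        return Verdict(False, "content does not match declared type")
    if not signatures and ACTIVE_CONTENT_RE.search(data[:4096]):
        return Verdict(False, "text file contains active-content markers")
    return Verdict(True, "ok")


def download_headers(stored_name: str) -> dict:
    """Headers that deliver a stored file as a download, never as an app-origin page."""
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", stored_name)
    return {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",
        # Defence in depth: even if rendered, a sandboxed document gets an opaque origin.
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }


def renders_as_document(headers: dict) -> bool:
    """Given the response headers for a served upload, would a browser render it
    inline as an HTML/SVG document in the application's origin?"""
    lower = {k.lower(): v for k, v in headers.items()}
    if lower.get("content-disposition", "").strip().lower().startswith("attachment"):
        return False
    ctype = lower.get("content-type", "").split(";")[0].strip().lower()
    if not ctype:
        return True  # conservative: browsers sniff a missing Content-Type
    return ctype in {"text/html", "application/xhtml+xml", "image/svg+xml"}


if __name__ == "__main__":
    # Constructed inputs: the HTML payload from the advisory's scenario and a benign PDF.
    print(gate_upload("evil.html", b"<script>alert(1)</script>"))
    print(gate_upload("report.pdf", b"%PDF-1.7\n%constructed"))
    print(renders_as_document({"Content-Type": "text/html; charset=utf-8"}))
    print(renders_as_document(download_headers("evil.html")))
```

The gate rejects HTML by extension and also rejects a `.txt` or mis-labelled `.pdf` that merely contains markup, which is the case a simple extension check misses. The header check is deliberately conservative: a missing Content-Type is treated as renderable because browsers will sniff it.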
Preconditions
- auth: the attacker needs an authenticated account, though only low privileges, to upload files; the reproduction request carries a session cookie and a CSRF token.
Reproduction
It was possible to upload an HTML file without the server returning an error. We can upload a file to the Datastore with the following request [1]:

POST /datastore/file/add/4?cid=1 HTTP/1.1
Host: myiris.local
Cookie: session=.eJw[...]
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/20100101 Firefox/140.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=----geckoformboundary5b6828525f841715b4fe739ae077f30d
Content-Length: 973
Origin: https://myiris.local
Referer: https://myiris.local/case?cid=1
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Priority: u=0
Te: trailers
Connection: keep-alive

------geckoformboundary5b6828525f841715b4fe739ae077f30d
Content-Disposition: form-data; name="csrf_token"

ImRmMTMzZTczYzAwZDRjMDk5ZjhiZWQ3MDViYTk0YmE4MDdiZDZjOTAi.aWjo_A.3PgouonWzZGwaYLNdXz9zavOsyw
Generated on Jun 4, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (2)
News mentions (0)
No linked articles in our index yet.