{"api_version":"1","generated_at":"2026-06-05T14:43:04+00:00","cve":"CVE-2026-42539","urls":{"html":"https://cve.report/CVE-2026-42539","api":"https://cve.report/api/cve/CVE-2026-42539.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-42539","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-42539"},"summary":{"title":"IRIS has an Excessive Data Exposure issue","description":"IRIS is a web collaborative platform that helps incident responders share technical details during investigations. Versions prior to 2.4.28 return sensitive data to the user which are not required for the client’s operation. Version 2.4.28 contains a patch.","state":"PUBLISHED","assigner":"GitHub_M","published_at":"2026-06-04 22:16:53","updated_at":"2026-06-04 22:16:53"},"problem_types":["CWE-201","CWE-201 CWE-201: Insertion of Sensitive Information Into Sent Data"],"metrics":[{"version":"3.1","source":"security-advisories@github.com","type":"Secondary","score":"6.5","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","baseScore":6.5,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"}},{"version":"3.1","source":"CNA","type":"DECLARED","score":"6.5","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","data":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":6.5,"baseSeverity":"MEDIUM","confidentialityImpact":"HIGH","integrityImpact":"NONE","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","version":"3.1"}}],"references":[{"url":"http://www.openwall.com/lists/oss-security/2026/05/19/9","name":"http://www.openwall.com/lists/oss-security/2026/05/19/9","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/dfir-iris/iris-web/security/advisories/GHSA-g588-5gmf-p5cx","name":"https://github.com/dfir-iris/iris-web/security/advisories/GHSA-g588-5gmf-p5cx","refsource":"security-advisories@github.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-42539","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42539","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"dfir-iris","product":"iris-web","version":"affected < 2.4.28","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"providerMetadata":{"dateUpdated":"2026-06-04T21:36:15.404Z","orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE"},"references":[{"url":"http://www.openwall.com/lists/oss-security/2026/05/19/9"}],"title":"CVE Program Container"}],"cna":{"affected":[{"product":"iris-web","vendor":"dfir-iris","versions":[{"status":"affected","version":"< 2.4.28"}]}],"descriptions":[{"lang":"en","value":"IRIS is a web collaborative platform that helps incident responders share technical details during investigations. Versions prior to 2.4.28 return sensitive data to the user which are not required for the client’s operation. Version 2.4.28 contains a patch."}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":6.5,"baseSeverity":"MEDIUM","confidentialityImpact":"HIGH","integrityImpact":"NONE","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","version":"3.1"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-201","description":"CWE-201: Insertion of Sensitive Information Into Sent Data","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-06-04T20:54:51.107Z","orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M"},"references":[{"name":"https://github.com/dfir-iris/iris-web/security/advisories/GHSA-g588-5gmf-p5cx","tags":["x_refsource_CONFIRM"],"url":"https://github.com/dfir-iris/iris-web/security/advisories/GHSA-g588-5gmf-p5cx"}],"source":{"advisory":"GHSA-g588-5gmf-p5cx","discovery":"UNKNOWN"},"title":"IRIS has an Excessive Data Exposure issue"}},"cveMetadata":{"assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","assignerShortName":"GitHub_M","cveId":"CVE-2026-42539","datePublished":"2026-06-04T20:54:51.107Z","dateReserved":"2026-04-28T16:56:50.190Z","dateUpdated":"2026-06-04T21:36:15.404Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-06-04 22:16:53","lastModifiedDate":"2026-06-04 22:16:53","problem_types":["CWE-201","CWE-201 CWE-201: Insertion of Sensitive Information Into Sent Data"],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","baseScore":6.5,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":3.6}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"42539","Ordinal":"1","Title":"IRIS has an Excessive Data Exposure issue","CVE":"CVE-2026-42539","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"42539","Ordinal":"1","NoteData":"IRIS is a web collaborative platform that helps incident responders share technical details during investigations. Versions prior to 2.4.28 return sensitive data to the user which are not required for the client’s operation. Version 2.4.28 contains a patch.","Type":"Description","Title":"IRIS has an Excessive Data Exposure issue"}]}}}