Severity by source
AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N
Lifecycle Timeline
5Description PRE-NVD
AnalysisAI
Insecure file upload in DFIR-IRIS before version 2.4.28 allows a low-privileged remote attacker to upload files of dangerous types, resulting in high confidentiality impact and limited integrity compromise when a victim user interacts with the uploaded content. Disclosed by SBA Research in advisory SBA-ADV-20260126-03, this is one of three CVEs (CVE-2026-42329, CVE-2026-42538, CVE-2026-42539) patched simultaneously in the 2.4.28 release. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.
Technical ContextAI
DFIR-IRIS is a collaborative open-source web platform used by digital forensics and incident response teams to manage cases, share artifacts, and coordinate investigations. The root cause is CWE-434 (Unrestricted Upload of File with Dangerous Type), meaning the application does not adequately validate or restrict file types submitted via its upload functionality. This class of vulnerability commonly arises when server-side MIME-type or extension validation is absent or bypassable, allowing attackers to stage malicious file payloads within the application. The CVSS vector (AV:N/AC:L/PR:L/UI:R) indicates the upload endpoint is network-accessible, requires only low-privilege credentials, operates at low complexity, but requires a secondary user to interact with the uploaded artifact to realize the full confidentiality impact. The scope is unchanged (S:U), suggesting the compromise is contained to the application's trust boundary rather than breaking out to the underlying host.
RemediationAI
The primary fix is to upgrade DFIR-IRIS to version 2.4.28 or later, which addresses this insecure file upload alongside CVE-2026-42329 (Open Redirect) and CVE-2026-42539 (Excessive Data Exposure). The vendor advisory is available at https://github.com/dfir-iris/iris-web/security/advisories/GHSA-m624-7744-2mhf. If immediate patching is not feasible, compensating controls should include restricting access to file upload endpoints to trusted, named analyst accounts only - minimizing the pool of PR:L accounts that could stage a malicious upload. Additionally, disabling or auditing file preview and download features that trigger user interaction with uploaded artifacts reduces the UI:R exploitation path. Network-level controls such as restricting DFIR-IRIS access to VPN or internal networks reduce exposure of the AV:N attack vector. Note that these controls reduce risk but do not eliminate the underlying CWE-434 flaw; patching remains the authoritative remediation.
More in Open Redirect
View allA malicious third-party can give a crafted "ssh://..." URL to an unsuspecting victim, and an attempt to visit the URL ca
GFI Kerio Control versions 9.2.5 through 9.4.5 contain an HTTP response splitting vulnerability in the dest parameter of
PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect
Multiple open redirect vulnerabilities in Apache Struts 2.0.0 through 2.3.15 allow remote attackers to redirect users to
Open redirect vulnerability in age-verification.php in the Age Verification plugin 0.4 and earlier for WordPress allows
Open redirect vulnerability in Kaseya Virtual System Administrator (VSA) 7.x before 7.0.0.29, 8.x before 8.0.0.18, 9.0 b
Vulnerability in the Oracle Applications Framework component of Oracle E-Business Suite (subcomponent: Popup windows (li
Unspecified vulnerability in the Oracle Application Server Single Sign-On component in Oracle Fusion Middleware 10.1.4.3
Flarum is open source discussion platform software. Rated medium severity (CVSS 6.5), this vulnerability is remotely exp
Open redirect vulnerability in Novius OS 5.0.1 (Elche) allows remote attackers to redirect users to arbitrary web sites
Open redirect vulnerability in the Redirect function in stageshow_redirect.php in the StageShow plugin before 5.0.9 for
Nteract v.0.28.0 was discovered to contain a remote code execution (RCE) vulnerability via the Markdown link. Rated crit
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34326