Skip to main content

DFIR-IRIS CVE-2026-42538

| EUVDEUVD-2026-34326 MEDIUM
Unrestricted Upload of File with Dangerous Type (CWE-434)
2026-05-27
6.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.3 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

5
Patch available
Jun 04, 2026 - 22:01 EUVD
Analysis Generated
Jun 04, 2026 - 21:22 vuln.today
CVSS changed
Jun 04, 2026 - 21:22 NVD
6.3 (MEDIUM)
CVE Published
May 27, 2026 - 20:45 nvd
MEDIUM 6.3
CVE Published
May 27, 2026 - 20:45 nvd
UNKNOWN (no severity yet)

Description PRE-NVD

Disclosed via oss-security. NVD scoring and full description are pending.

AnalysisAI

Insecure file upload in DFIR-IRIS before version 2.4.28 allows a low-privileged remote attacker to upload files of dangerous types, resulting in high confidentiality impact and limited integrity compromise when a victim user interacts with the uploaded content. Disclosed by SBA Research in advisory SBA-ADV-20260126-03, this is one of three CVEs (CVE-2026-42329, CVE-2026-42538, CVE-2026-42539) patched simultaneously in the 2.4.28 release. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

Technical ContextAI

DFIR-IRIS is a collaborative open-source web platform used by digital forensics and incident response teams to manage cases, share artifacts, and coordinate investigations. The root cause is CWE-434 (Unrestricted Upload of File with Dangerous Type), meaning the application does not adequately validate or restrict file types submitted via its upload functionality. This class of vulnerability commonly arises when server-side MIME-type or extension validation is absent or bypassable, allowing attackers to stage malicious file payloads within the application. The CVSS vector (AV:N/AC:L/PR:L/UI:R) indicates the upload endpoint is network-accessible, requires only low-privilege credentials, operates at low complexity, but requires a secondary user to interact with the uploaded artifact to realize the full confidentiality impact. The scope is unchanged (S:U), suggesting the compromise is contained to the application's trust boundary rather than breaking out to the underlying host.

RemediationAI

The primary fix is to upgrade DFIR-IRIS to version 2.4.28 or later, which addresses this insecure file upload alongside CVE-2026-42329 (Open Redirect) and CVE-2026-42539 (Excessive Data Exposure). The vendor advisory is available at https://github.com/dfir-iris/iris-web/security/advisories/GHSA-m624-7744-2mhf. If immediate patching is not feasible, compensating controls should include restricting access to file upload endpoints to trusted, named analyst accounts only - minimizing the pool of PR:L accounts that could stage a malicious upload. Additionally, disabling or auditing file preview and download features that trigger user interaction with uploaded artifacts reduces the UI:R exploitation path. Network-level controls such as restricting DFIR-IRIS access to VPN or internal networks reduce exposure of the AV:N attack vector. Note that these controls reduce risk but do not eliminate the underlying CWE-434 flaw; patching remains the authoritative remediation.

CVE-2017-1000117 HIGH POC
8.8 Oct 05

A malicious third-party can give a crafted "ssh://..." URL to an unsuspecting victim, and an attempt to visit the URL ca

CVE-2024-52875 HIGH POC
8.8 Jan 31

GFI Kerio Control versions 9.2.5 through 9.4.5 contain an HTTP response splitting vulnerability in the dest parameter of

CVE-2016-5385 HIGH POC
8.1 Jul 19

PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect

CVE-2013-2248 MEDIUM POC
5.8 Jul 20

Multiple open redirect vulnerabilities in Apache Struts 2.0.0 through 2.3.15 allow remote attackers to redirect users to

CVE-2012-6499 MEDIUM POC
5.8 Jan 12

Open redirect vulnerability in age-verification.php in the Age Verification plugin 0.4 and earlier for WordPress allows

CVE-2015-2863 MEDIUM POC
4.3 Jul 20

Open redirect vulnerability in Kaseya Virtual System Administrator (VSA) 7.x before 7.0.0.29, 8.x before 8.0.0.18, 9.0 b

CVE-2017-3528 MEDIUM POC
5.4 Apr 24

Vulnerability in the Oracle Applications Framework component of Oracle E-Business Suite (subcomponent: Popup windows (li

CVE-2012-0518 MEDIUM
4.7 Oct 16

Unspecified vulnerability in the Oracle Application Server Single Sign-On component in Oracle Fusion Middleware 10.1.4.3

CVE-2024-21641 MEDIUM POC
6.5 Jan 05

Flarum is open source discussion platform software. Rated medium severity (CVSS 6.5), this vulnerability is remotely exp

CVE-2015-5354 MEDIUM POC
5.8 Jul 01

Open redirect vulnerability in Novius OS 5.0.1 (Elche) allows remote attackers to redirect users to arbitrary web sites

CVE-2015-5461 MEDIUM POC
6.4 Jul 08

Open redirect vulnerability in the Redirect function in stageshow_redirect.php in the StageShow plugin before 5.0.9 for

CVE-2024-22891 CRITICAL POC
9.8 Mar 01

Nteract v.0.28.0 was discovered to contain a remote code execution (RCE) vulnerability via the Markdown link. Rated crit

Share

CVE-2026-42538 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy