Skip to main content

DFIR-IRIS CVE-2026-42539

| EUVDEUVD-2026-34327 MEDIUM
Insertion of Sensitive Information Into Sent Data (CWE-201)
2026-05-27
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

4
Patch available
Jun 04, 2026 - 23:01 EUVD
Analysis Generated
Jun 04, 2026 - 22:23 vuln.today
CVSS changed
Jun 04, 2026 - 22:22 NVD
6.5 (MEDIUM)
CVE Published
May 27, 2026 - 20:45 nvd
UNKNOWN (no severity yet)

Description PRE-NVD

Disclosed via oss-security. NVD scoring and full description are pending.

AnalysisAI

Excessive data exposure in DFIR-IRIS before version 2.4.28 enables authenticated low-privileged users to retrieve sensitive information from API responses that should be restricted or filtered server-side. The flaw (CWE-201) is part of a coordinated multi-vulnerability disclosure by SBA Research (SBA-ADV-20260126-04), which also identified an Open Redirect (CVE-2026-42329), Insecure File Upload (CVE-2026-42538), and Mass Assignment (CVE-2026-42540) in the same product version. No public exploit identified at time of analysis and no CISA KEV listing; however, the target platform stores highly sensitive digital forensics and incident response case data, elevating the practical impact of any confidentiality breach.

Technical ContextAI

DFIR-IRIS (iris-web) is an open-source, web-based case management platform used by digital forensics and incident response teams, commonly housing sensitive artifacts such as malware samples, forensic evidence, case timelines, and victim data. CWE-201 (Insertion of Sensitive Information Into Sent Data) describes a class of vulnerability where application responses - typically API endpoints - return data beyond what is necessary for the requesting user's role or context, such as unexpurgated records, internal metadata, debug fields, or cross-tenant data. The CVSS vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N indicates the flaw is remotely exploitable over a network with low attack complexity, requires only low-privilege authentication, and has no user interaction requirement, with a high confidentiality impact but no integrity or availability impact. The SBA Research audit uncovered multiple related weaknesses simultaneously, suggesting systematic input/output handling deficiencies across the codebase. CPE strings are not explicitly provided in the available data.

RemediationAI

Upgrade DFIR-IRIS to version 2.4.28 or later, which resolves this vulnerability along with the related issues disclosed in the same SBA Research advisory batch: CVE-2026-42329 (Open Redirect), CVE-2026-42538 (Insecure File Upload), CVE-2026-42540 (Mass Assignment), and CVE-2026-42543. The vendor security advisory is available at https://github.com/dfir-iris/iris-web/security/advisories/GHSA-g588-5gmf-p5cx and the oss-security disclosure is at https://www.openwall.com/lists/oss-security/2026/05/19. As a compensating control prior to patching, restrict network access to the DFIR-IRIS instance via firewall rules or VPN so only authorized IR personnel can authenticate - this limits the pool of potential authenticated exploiters. Additionally, enforce least-privilege access controls and audit existing low-privilege accounts to remove unnecessary access. Note that network restriction does not remediate the underlying data exposure flaw and should not substitute for patching.

CVE-2017-1000117 HIGH POC
8.8 Oct 05

A malicious third-party can give a crafted "ssh://..." URL to an unsuspecting victim, and an attempt to visit the URL ca

CVE-2024-52875 HIGH POC
8.8 Jan 31

GFI Kerio Control versions 9.2.5 through 9.4.5 contain an HTTP response splitting vulnerability in the dest parameter of

CVE-2016-5385 HIGH POC
8.1 Jul 19

PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect

CVE-2013-2248 MEDIUM POC
5.8 Jul 20

Multiple open redirect vulnerabilities in Apache Struts 2.0.0 through 2.3.15 allow remote attackers to redirect users to

CVE-2012-6499 MEDIUM POC
5.8 Jan 12

Open redirect vulnerability in age-verification.php in the Age Verification plugin 0.4 and earlier for WordPress allows

CVE-2015-2863 MEDIUM POC
4.3 Jul 20

Open redirect vulnerability in Kaseya Virtual System Administrator (VSA) 7.x before 7.0.0.29, 8.x before 8.0.0.18, 9.0 b

CVE-2017-3528 MEDIUM POC
5.4 Apr 24

Vulnerability in the Oracle Applications Framework component of Oracle E-Business Suite (subcomponent: Popup windows (li

CVE-2012-0518 MEDIUM
4.7 Oct 16

Unspecified vulnerability in the Oracle Application Server Single Sign-On component in Oracle Fusion Middleware 10.1.4.3

CVE-2024-21641 MEDIUM POC
6.5 Jan 05

Flarum is open source discussion platform software. Rated medium severity (CVSS 6.5), this vulnerability is remotely exp

CVE-2015-5354 MEDIUM POC
5.8 Jul 01

Open redirect vulnerability in Novius OS 5.0.1 (Elche) allows remote attackers to redirect users to arbitrary web sites

CVE-2015-5461 MEDIUM POC
6.4 Jul 08

Open redirect vulnerability in the Redirect function in stageshow_redirect.php in the StageShow plugin before 5.0.9 for

CVE-2024-22891 CRITICAL POC
9.8 Mar 01

Nteract v.0.28.0 was discovered to contain a remote code execution (RCE) vulnerability via the Markdown link. Rated crit

Share

CVE-2026-42539 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy