PT-2026-2294 · Iris · Iris
0Xczr1 +3 · Published 2026-01-12 · Updated 2026-01-12
CVE-2026-22783 · CVSS v3.1 9.6 Critical
CVSS v3.1 vector: AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Iris versions prior to 2.4.24
Description
Iris is a web collaborative platform used by incident responders to share technical details during investigations. The DFIR-IRIS datastore file management system has an issue where authenticated users can delete arbitrary filesystem paths. This is due to mass assignment of the file local name field combined with a lack of path validation in the delete operation. The issue can be exploited through a three-step process: uploading a file, modifying the file local name field to point to a target filesystem path, and then triggering the delete operation.
Recommendations
Update Iris to version 2.4.24 or later.
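The description names two missing controls: the on-disk file name can be set by the client through mass assignment, and the delete operation does not check that the stored path lies inside the datastore. The following added example (written for this page; not DFIR-IRIS code, and the names DatastoreFile, CLIENT_UPDATABLE_FIELDS, apply_client_update, resolve_inside_root and delete_datastore_file are assumptions) shows both controls together: an explicit allow-list of client-updatable fields, and a containment check that resolves the stored name under the datastore root before anything is unlinked. The demo builds a throwaway datastore in a temporary directory with a constructed "outside" file to show that a tampered record is refused while a normal delete still works.

```python
# Added illustration of the fix pattern for a datastore delete handler.
# Not DFIR-IRIS code: DatastoreFile, CLIENT_UPDATABLE_FIELDS, the helper
# names and the field names are assumptions made for this example.
import tempfile
from dataclasses import dataclass
from pathlib import Path

# Fields a client may change through an "update file" request.
# file_local_name (the on-disk name) is deliberately absent: it is assigned
# by the server at upload time and must never be client-controlled.
CLIENT_UPDATABLE_FIELDS = frozenset({"file_original_name", "file_description"})


@dataclass
class DatastoreFile:
    file_id: int
    file_original_name: str
    file_local_name: str       # server-assigned basename inside the datastore root
    file_description: str = ""


def apply_client_update(record: DatastoreFile, payload: dict) -> DatastoreFile:
    """Copy only allow-listed fields; reject mass assignment of anything else."""
    rejected = sorted(set(payload) - CLIENT_UPDATABLE_FIELDS)
    if rejected:
        raise ValueError(f"fields not updatable by client: {rejected}")
    for name, value in payload.items():
        setattr(record, name, value)
    return record


def resolve_inside_root(root, local_name: str) -> Path:
    """Return the real path root/local_name, or raise if it escapes the root.

    Checks: the stored name is a bare basename (no separators, not '.'/'..'),
    the entry is not a symlink, and the resolved path's parent is the
    resolved root, so traversal by any route is rejected.
    """
    root = Path(root).resolve()
    if not local_name or Path(local_name).name != local_name or local_name in (".", ".."):
        raise ValueError(f"invalid local name: {local_name!r}")
    unresolved = root / local_name
    if unresolved.is_symlink():
        raise ValueError(f"refusing to follow symlink: {local_name!r}")
    target = unresolved.resolve()
    if target.parent != root:
        raise ValueError(f"path escapes datastore root: {local_name!r}")
    return target


def is_safe_local_name(root, local_name: str) -> bool:
    """Boolean wrapper around resolve_inside_root, convenient for checks and tests."""
    try:
        resolve_inside_root(root, local_name)
        return True
    except ValueError:
        return False


def delete_datastore_file(root, record: DatastoreFile) -> Path:
    """Delete the record's file only after proving it lives inside root."""
    target = resolve_inside_root(root, record.file_local_name)
    if not target.is_file():
        raise FileNotFoundError(str(target))
    target.unlink()
    return target


def demo() -> dict:
    """Constructed scenario: a legitimate delete succeeds, while a record whose
    local name was tampered to point outside the datastore is refused."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "datastore"
        root.mkdir()
        legit = root / "7f3a.bin"                # constructed server-assigned name
        legit.write_bytes(b"evidence")
        victim = Path(tmp) / "outside.txt"       # constructed stand-in for any file outside the store
        victim.write_text("must survive")

        record = DatastoreFile(1, "report.pdf", "7f3a.bin")

        # 1. Mass assignment attempt: the update payload carries file_local_name.
        try:
            apply_client_update(record, {"file_description": "x", "file_local_name": "../outside.txt"})
            mass_assignment_rejected = False
        except ValueError:
            mass_assignment_rejected = True

        # 2. Defence in depth: even a tampered name already in the database is refused at delete time.
        tampered = DatastoreFile(2, "report.pdf", "../outside.txt")
        try:
            delete_datastore_file(root, tampered)
            traversal_rejected = False
        except ValueError:
            traversal_rejected = True

        # 3. A legitimate record is deleted normally.
        delete_datastore_file(root, record)

        return {
            "mass_assignment_rejected": mass_assignment_rejected,
            "traversal_rejected": traversal_rejected,
            "victim_survived": victim.exists(),
            "legit_deleted": not legit.exists(),
        }


if __name__ == "__main__":
    print(demo())
```

The two checks are independent on purpose: the allow-list stops the tampered value from ever being stored, and the containment check in the delete path protects against any other route by which the stored name could be altered. Real deployments should also apply the same resolve_inside_root check in download and rename handlers that consume the same field.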
Exploit
Fix
Unrestricted File Upload
Related identifiers
Affected products
Iris