PT-2026-2294 · Iris · Iris
0Xczr1 +3 · Published 2026-01-12 · Updated 2026-01-12 · CVE-2026-22783
CVSS v3.1: 9.6 (Critical)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Iris versions prior to 2.4.24
Description
Iris is a web collaborative platform used by incident responders to share technical details during investigations. The DFIR-IRIS datastore file management system has an issue where authenticated users can delete arbitrary filesystem paths. This is due to mass assignment of the file local name field combined with a lack of path validation in the delete operation. The issue can be exploited through a three-step process: uploading a file, modifying the file local name field to point to a target filesystem path, and then triggering the delete operation.
Recommendations
Update Iris to version 2.4.24 or later.
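The description names two missing controls: the storage-path field is writable through mass assignment, and the delete operation does not validate the path it is given. The sketch below shows both checks as an added example; it is not DFIR-IRIS code or the 2.4.24 patch, and `FileRecord`, `apply_update`, `delete_stored_file` and the field names are hypothetical (Python 3.9+ assumed for `Path.is_relative_to`).

```python
import tempfile
from dataclasses import dataclass
from pathlib import Path

# Hypothetical names throughout; this is not DFIR-IRIS code.
# Fields a client may change on an existing datastore file record.
CLIENT_EDITABLE = {"original_name", "description"}


@dataclass
class FileRecord:
    original_name: str   # display name chosen by the uploader
    description: str
    local_name: str      # server-side storage path, owned by the server


def apply_update(record: FileRecord, payload: dict) -> FileRecord:
    """Copy only allow-listed keys; refuse any other key outright."""
    rejected = set(payload) - CLIENT_EDITABLE
    if rejected:
        raise ValueError(f"fields not client-editable: {sorted(rejected)}")
    for key, value in payload.items():
        setattr(record, key, value)
    return record


def delete_stored_file(record: FileRecord, root: Path) -> None:
    """Delete the backing file only if it resolves to a file inside root."""
    root = root.resolve(strict=True)
    target = Path(record.local_name).resolve()  # collapses ../ and symlinks
    if not target.is_relative_to(root):
        raise PermissionError(f"{target} is outside the datastore root")
    if not target.is_file():
        raise FileNotFoundError(str(target))
    target.unlink()


if __name__ == "__main__":
    # Constructed sample data in a throwaway directory.
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "datastore"
        root.mkdir()
        stored = root / "evidence.bin"
        stored.write_text("sample")
        rec = FileRecord("evidence.bin", "", str(stored))
        apply_update(rec, {"description": "memory image"})
        delete_stored_file(rec, root)
        print("deleted inside root:", not stored.exists())
```

The containment check in `delete_stored_file` is kept even with the allow-list in place, so a record whose path was altered by some other route still cannot drive a delete outside the datastore root.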
Exploit
Fix
Unrestricted File Upload
Affected Products
Iris