CVE-2026-22783

Iris is a web collaborative platform that helps incident responders share technical details during investigations. Prior to 2.4.24, the DFIR-IRIS datastore file management system has a vulnerability where mass assignment of the file_local_name field combined with path trust in the delete operation enables authenticated users to delete arbitrary filesystem paths. The vulnerability manifests through a three-step attack chain: authenticated users upload a file to the datastore, update the file's file_local_name field to point to an arbitrary filesystem path through mass assignment, then trigger the delete operation which removes the target file without path validation. This vulnerability is fixed in 2.4.24.

CVSS v3 9.6 CRITICAL

9.6^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.1 / Impact : 5.8

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://github.com/dfir-iris/iris-web/commit/57c1b80494bac187893aebc6d9df1ce6e56485b7	Patch
https://github.com/dfir-iris/iris-web/security/advisories/GHSA-qhqj-8qw6-wp8v	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:dfir-iris:iris:*:*:*:*:*:*:*:*

History

16 Jan 2026, 18:42

Type	Values Removed	Values Added
First Time		Dfir-iris iris Dfir-iris
CPE		cpe:2.3:a:dfir-iris:iris::::::::
References	~~() https://github.com/dfir-iris/iris-web/commit/57c1b80494bac187893aebc6d9df1ce6e56485b7 -~~	() https://github.com/dfir-iris/iris-web/commit/57c1b80494bac187893aebc6d9df1ce6e56485b7 - Patch
References	~~() https://github.com/dfir-iris/iris-web/security/advisories/GHSA-qhqj-8qw6-wp8v -~~	() https://github.com/dfir-iris/iris-web/security/advisories/GHSA-qhqj-8qw6-wp8v - Third Party Advisory

12 Jan 2026, 19:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-01-12 19:16

Updated : 2026-01-16 18:42

NVD link : CVE-2026-22783

Mitre link : CVE-2026-22783

CVE.ORG link : CVE-2026-22783

JSON object : View

Products Affected

dfir-iris

iris

CWE

CWE-73

External Control of File Name or Path

CWE-434

Unrestricted Upload of File with Dangerous Type

CWE-915

Improperly Controlled Modification of Dynamically-Determined Object Attributes

{"id": "CVE-2026-22783", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.6, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 5.8, "exploitabilityScore": 3.1}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 5.2, "exploitabilityScore": 2.8}]}, "published": "2026-01-12T19:16:03.953", "references": [{"url": "https://github.com/dfir-iris/iris-web/commit/57c1b80494bac187893aebc6d9df1ce6e56485b7", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/dfir-iris/iris-web/security/advisories/GHSA-qhqj-8qw6-wp8v", "tags": ["Third Party Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-73"}, {"lang": "en", "value": "CWE-434"}, {"lang": "en", "value": "CWE-915"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-434"}]}], "descriptions": [{"lang": "en", "value": "Iris is a web collaborative platform that helps incident responders share technical details during investigations. Prior to 2.4.24, the DFIR-IRIS datastore file management system has a vulnerability where mass assignment of the file_local_name field combined with path trust in the delete operation enables authenticated users to delete arbitrary filesystem paths. The vulnerability manifests through a three-step attack chain: authenticated users upload a file to the datastore, update the file's file_local_name field to point to an arbitrary filesystem path through mass assignment, then trigger the delete operation which removes the target file without path validation. This vulnerability is fixed in 2.4.24."}], "lastModified": "2026-01-16T18:42:18.303", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:dfir-iris:iris:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "310FB345-E2F3-475A-BC31-842B72778138", "versionEndExcluding": "2.4.24"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}