CVE-2026-22783
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2026-22783
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-22783.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2026-22783
- Aliases
-
- GHSA-qhqj-8qw6-wp8v
- Published
- 2026-01-12T18:27:38.259Z
- Modified
- 2026-01-12T19:56:21.438317Z
- Severity
-
- 9.6 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:H CVSS Calculator
- Summary
- Iris Allows Arbitrary File Deletion via Mass Assignment in Datastore File Management
- Details
-
Iris is a web collaborative platform that helps incident responders share technical details during investigations. Prior to 2.4.24, the DFIR-IRIS datastore file management system has a vulnerability where mass assignment of the filelocalname field combined with path trust in the delete operation enables authenticated users to delete arbitrary filesystem paths. The vulnerability manifests through a three-step attack chain: authenticated users upload a file to the datastore, update the file's filelocalname field to point to an arbitrary filesystem path through mass assignment, then trigger the delete operation which removes the target file without path validation. This vulnerability is fixed in 2.4.24.
- Database specific
{ "cna_assigner": "GitHub_M", "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/22xxx/CVE-2026-22783.json", "cwe_ids": [ "CWE-434", "CWE-73", "CWE-915" ] }- References
Affected packages
Git / github.com/dfir-iris/iris-web
Affected versions
v1.*
v1.2.1
v1.3.1
v1.4.0
v1.4.1
v1.4.2
v1.4.3
v1.4.4
v1.4.5
v2.*
v2.0.0
v2.0.0-beta-1
v2.0.0-beta-2
v2.0.0-beta-3
v2.0.1
v2.0.2
v2.1.0
v2.1.0-beta-1
v2.1.0-beta-2
v2.2.0
v2.2.1
v2.2.2
v2.2.3
v2.3.0
v2.3.1
v2.3.2
v2.3.3
v2.3.4
v2.3.5
v2.3.6
v2.3.7
v2.4.0
v2.4.1
v2.4.10
v2.4.11
v2.4.12
v2.4.13
v2.4.14
v2.4.15
v2.4.15-beta
v2.4.15-rc1
v2.4.15-rc2
v2.4.16
v2.4.17
v2.4.18
v2.4.19
v2.4.2
v2.4.20
v2.4.21
v2.4.22
v2.4.23
v2.4.3
v2.4.4
v2.4.5
v2.4.6
v2.4.7
v2.4.8
v2.4.9