Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in DivvyDrive Information Technologies Inc. DivvyDrive allows Stored XSS.
This issue affects DivvyDrive: from 4.8.2.9 before 4.8.3.2.
AnalysisAI
Stored cross-site scripting in DivvyDrive 4.8.2.9 through 4.8.3.1 enables remote attackers to inject malicious scripts that execute in victim browsers with high integrity impact (CVSS 8.8). The vulnerability requires user interaction but no authentication, allowing attackers to compromise confidentiality, integrity, and availability of user sessions. Reported by TR-CERT with vendor patch released in version 4.8.3.2. No confirmed active exploitation (not in CISA KEV) and no public exploit code identified at time of analysis.
Technical ContextAI
This is a stored (persistent) cross-site scripting vulnerability (CWE-79) in DivvyDrive, a file management and collaboration platform by DivvyDrive Information Technologies Inc. The affected CPE (cpe:2.3:a:divvydrive_information_technologies_inc.:divvydrive) indicates the vulnerability exists in the application's web interface where user-supplied input is not properly sanitized before being stored and later rendered in web pages. Stored XSS is more severe than reflected XSS because the malicious payload persists in the application's data store (database, file system, etc.) and executes whenever users access the affected page. The improper neutralization of input allows attackers to inject arbitrary HTML and JavaScript that the application later serves to other users. With CVSS:3.1 showing Scope:Unchanged, the vulnerability operates within the same security authority-the user's browser session within the DivvyDrive application context. The high confidentiality, integrity, and availability impacts suggest attackers can steal session tokens, modify displayed content, and disrupt application functionality.
RemediationAI
Upgrade DivvyDrive to version 4.8.3.2 or later, which addresses the input neutralization flaw. The vendor-released patch should be obtained from DivvyDrive Information Technologies Inc. official channels. Organizations should prioritize instances exposed to untrusted users or internet-facing deployments. Review TR-CERT advisory at https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0182 for vendor-specific guidance. If immediate patching is not feasible, implement compensating controls: enable Content Security Policy (CSP) headers with strict script-src directives to prevent inline script execution (may break legitimate application functionality requiring testing), deploy Web Application Firewall (WAF) rules to filter common XSS payloads in input fields (bypassable by sophisticated attackers, provides detection layer only), restrict DivvyDrive access to trusted networks via firewall rules or VPN (reduces attack surface but does not prevent insider threats or compromised accounts). Post-patch, audit stored content for malicious scripts injected prior to remediation, review application logs for suspicious input patterns or failed XSS attempts, and reset user sessions to invalidate potentially compromised tokens.
More in Divvydrive
View allCross-site scripting (XSS) in DivvyDrive 4.8.2.9 through 4.8.3.1 allows remote unauthenticated attackers to execute arbi
Remote attackers can cause excessive resource allocation and flooding attacks in DivvyDrive 4.8.2.19 through 4.8.3.1 by
Cross-Site Request Forgery in DivvyDrive 4.8.2.9 through 4.8.3.1 allows remote attackers to execute unauthorized actions
Stored cross-site scripting in DivvyDrive (versions 4.8.2.23 through before 4.8.3.1) allows authenticated low-privilege
Stored XSS in DivvyDrive versions v.4.8.2.23 through before v.4.8.3.1 enables an authenticated low-privilege user to inj
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-28358
GHSA-wj3v-9w9x-ccw9