Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Lifecycle Timeline
5DescriptionCVE.org
Cross-Site request forgery (CSRF) vulnerability in DivvyDrive Information Technologies Inc. DivvyDrive allows Cross Site Request Forgery.
This issue affects DivvyDrive: from 4.8.2.9 before 4.8.3.2.
AnalysisAI
Cross-Site Request Forgery in DivvyDrive 4.8.2.9 through 4.8.3.1 allows remote attackers to execute unauthorized actions with high integrity and confidentiality impact when authenticated users interact with malicious content. The CVSS 9.6 (Critical) score reflects scope change and full CIA triad compromise, though EPSS data and KEV status are unavailable. No public exploit code identified at time of analysis, but CSRF vulnerabilities are well-understood and easily weaponized once identified.
Technical ContextAI
CSRF (CWE-352) is a web security vulnerability that forces authenticated users to execute unwanted actions on applications where they are currently authenticated. DivvyDrive, a file management and collaboration platform from DivvyDrive Information Technologies Inc., lacks adequate anti-CSRF tokens or same-origin validation mechanisms in affected versions 4.8.2.9 through 4.8.3.1. The CVSS vector indicates scope change (S:C), meaning the vulnerability affects resources beyond the vulnerable component's security scope, potentially allowing cross-tenant or cross-account operations. The attack requires user interaction (UI:R) but no authentication from the attacker's perspective (PR:N), as it leverages the victim's existing session credentials through forged requests embedded in external sites or emails.
RemediationAI
Upgrade DivvyDrive to version 4.8.3.2 or later, which addresses the CSRF vulnerability according to the version range specified in the advisory. Refer to TR-CERT advisory TR-26-0182 (https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0182) for vendor-specific guidance. If immediate patching is not feasible, implement compensating controls: configure web application firewalls to enforce strict referer validation for state-changing requests (blocks external origins but may break legitimate cross-domain integrations), require re-authentication for high-risk operations like file deletion or permission changes (adds friction to user workflows), and deploy browser security extensions that block cross-origin requests for authenticated sessions (requires client-side deployment). Educate users to avoid clicking links in untrusted emails while authenticated to DivvyDrive, though user training alone is insufficient defense. Monitor authentication logs for unusual sequences of actions that may indicate CSRF exploitation, particularly permission changes or bulk file operations.
More in Divvydrive
View allStored cross-site scripting in DivvyDrive 4.8.2.9 through 4.8.3.1 enables remote attackers to inject malicious scripts t
Cross-site scripting (XSS) in DivvyDrive 4.8.2.9 through 4.8.3.1 allows remote unauthenticated attackers to execute arbi
Remote attackers can cause excessive resource allocation and flooding attacks in DivvyDrive 4.8.2.19 through 4.8.3.1 by
Stored cross-site scripting in DivvyDrive (versions 4.8.2.23 through before 4.8.3.1) allows authenticated low-privilege
Stored XSS in DivvyDrive versions v.4.8.2.23 through before v.4.8.3.1 enables an authenticated low-privilege user to inj
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-28359
GHSA-r92j-v37g-pjf9