Skip to main content

DivvyDrive CVE-2026-5791

| EUVDEUVD-2026-28359 MEDIUM
Cross-Site Request Forgery (CSRF) (CWE-352)
2026-05-07 TR-CERT GHSA-r92j-v37g-pjf9
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

5
Severity Changed
May 10, 2026 - 16:22 NVD
CRITICAL MEDIUM
CVSS changed
May 10, 2026 - 16:22 NVD
9.6 (CRITICAL) 6.5 (MEDIUM)
Patch available
May 07, 2026 - 14:01 EUVD
Analysis Generated
May 07, 2026 - 13:30 vuln.today
CVE Published
May 07, 2026 - 12:40 nvd
CRITICAL 9.6

DescriptionCVE.org

Cross-Site request forgery (CSRF) vulnerability in DivvyDrive Information Technologies Inc. DivvyDrive allows Cross Site Request Forgery.

This issue affects DivvyDrive: from 4.8.2.9 before 4.8.3.2.

AnalysisAI

Cross-Site Request Forgery in DivvyDrive 4.8.2.9 through 4.8.3.1 allows remote attackers to execute unauthorized actions with high integrity and confidentiality impact when authenticated users interact with malicious content. The CVSS 9.6 (Critical) score reflects scope change and full CIA triad compromise, though EPSS data and KEV status are unavailable. No public exploit code identified at time of analysis, but CSRF vulnerabilities are well-understood and easily weaponized once identified.

Technical ContextAI

CSRF (CWE-352) is a web security vulnerability that forces authenticated users to execute unwanted actions on applications where they are currently authenticated. DivvyDrive, a file management and collaboration platform from DivvyDrive Information Technologies Inc., lacks adequate anti-CSRF tokens or same-origin validation mechanisms in affected versions 4.8.2.9 through 4.8.3.1. The CVSS vector indicates scope change (S:C), meaning the vulnerability affects resources beyond the vulnerable component's security scope, potentially allowing cross-tenant or cross-account operations. The attack requires user interaction (UI:R) but no authentication from the attacker's perspective (PR:N), as it leverages the victim's existing session credentials through forged requests embedded in external sites or emails.

RemediationAI

Upgrade DivvyDrive to version 4.8.3.2 or later, which addresses the CSRF vulnerability according to the version range specified in the advisory. Refer to TR-CERT advisory TR-26-0182 (https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0182) for vendor-specific guidance. If immediate patching is not feasible, implement compensating controls: configure web application firewalls to enforce strict referer validation for state-changing requests (blocks external origins but may break legitimate cross-domain integrations), require re-authentication for high-risk operations like file deletion or permission changes (adds friction to user workflows), and deploy browser security extensions that block cross-origin requests for authenticated sessions (requires client-side deployment). Educate users to avoid clicking links in untrusted emails while authenticated to DivvyDrive, though user training alone is insufficient defense. Monitor authentication logs for unusual sequences of actions that may indicate CSRF exploitation, particularly permission changes or bulk file operations.

Share

CVE-2026-5791 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy