Skip to main content

DivvyDrive CVE-2026-6002

| EUVDEUVD-2026-28360 HIGH
Basic XSS (CWE-80)
2026-05-07 TR-CERT GHSA-pmh8-hhp9-qxxf
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Patch available
May 07, 2026 - 14:01 EUVD
Analysis Generated
May 07, 2026 - 13:30 vuln.today
CVE Published
May 07, 2026 - 12:50 nvd
HIGH 8.8

DescriptionCVE.org

Improper neutralization of Script-Related HTML tags in a web page (basic XSS) vulnerability in DivvyDrive Information Technologies Inc. DivvyDrive allows Cross-Site Scripting (XSS).

This issue affects DivvyDrive: from 4.8.2.9 before 4.8.3.2.

AnalysisAI

Cross-site scripting (XSS) in DivvyDrive 4.8.2.9 through 4.8.3.1 allows remote unauthenticated attackers to execute arbitrary JavaScript in victim browsers, leading to session hijacking, credential theft, and malicious actions performed under victim's identity. The CVSS score of 8.8 (High) reflects the broad impact scope (confidentiality, integrity, availability all rated High), though user interaction is required. TR-CERT disclosure indicates awareness within Turkish government cybersecurity circles, but no CISA KEV listing or public exploit code identified at time of analysis, suggesting limited active exploitation outside potential targeted campaigns.

Technical ContextAI

This is a classic stored or reflected XSS vulnerability (CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page) in DivvyDrive, a file sharing and collaboration platform by DivvyDrive Information Technologies Inc. The vulnerability stems from inadequate input sanitization or output encoding of user-controlled data before rendering it in HTML contexts. Attackers can inject malicious <script> tags or event handlers that execute JavaScript when other users view the affected page. The CPE string identifies the affected software as DivvyDrive from vendor DivvyDrive Information Technologies Inc., with version specificity indicating versions 4.8.2.9 through 4.8.3.1 are vulnerable. The CVSS vector (AV:N/AC:L) indicates network-based exploitation with low complexity, requiring no special deployment conditions beyond standard web access.

RemediationAI

Upgrade DivvyDrive to version 4.8.3.2 or later, which addresses the XSS vulnerability according to the version range specified in NVD data. Refer to TR-CERT advisory (https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0182) for vendor-specific upgrade instructions and release notes. If immediate patching is not feasible, implement compensating controls: deploy Web Application Firewall (WAF) rules to detect and block common XSS payloads in HTTP requests and responses targeting DivvyDrive endpoints (note: this may produce false positives with legitimate file names containing special characters, requiring tuning); enable Content Security Policy (CSP) headers to restrict inline script execution, though this requires testing to ensure compatibility with DivvyDrive's legitimate JavaScript functionality; and restrict DivvyDrive access to authenticated internal users only via network segmentation or VPN, reducing exposure to untrusted attackers (this does not eliminate risk from malicious insiders or compromised accounts). User awareness training to avoid clicking suspicious links in DivvyDrive contexts provides defense-in-depth but should not be relied upon as primary mitigation.

Share

CVE-2026-6002 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy