Skip to main content

DivvyDrive CVE-2026-6283

| EUVDEUVD-2026-41010 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-07-01 TR-CERT GHSA-4qcc-v76c-xv54
5.4
CVSS 3.1 · Vendor: TR-CERT
Share

Severity by source

Vendor (TR-CERT) PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
vuln.today AI
5.4 MEDIUM

Stored XSS requires an authenticated low-privilege account (PR:L), victim page load (UI:R), and browser context escape confirms scope change (S:C); no availability impact applies.

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (TR-CERT).

CVSS VectorVendor: TR-CERT

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jul 01, 2026 - 14:55 vuln.today

DescriptionCVE.org

Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in DivvyDrive Information Technologies Inc. DivvyDrive allows Stored XSS.

This issue affects DivvyDrive: from v.4.8.2.23 before v.4.8.3.1.

AnalysisAI

Stored XSS in DivvyDrive versions v.4.8.2.23 through before v.4.8.3.1 enables an authenticated low-privilege user to inject persistent malicious scripts into application content that execute in the browsers of other users who subsequently view the affected page. The CVSS scope change indicator (S:C) reflects that the injected payload breaks out of the application's security boundary into the victim's browser context, enabling session hijacking or unauthorized actions. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Attacker authenticates with low-privilege DivvyDrive account
Delivery
Submits crafted script payload into persistent content field
Exploit
Payload stored server-side in DivvyDrive
Execution
Victim user navigates to affected page
Persist
Victim browser executes injected script in application context
Impact
Attacker exfiltrates session token or performs actions as victim

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to hold a valid authenticated account with at least low-privilege access to the DivvyDrive application (PR:L per CVSS vector) running an affected version from v.4.8.2.23 to before v.4.8.3.1. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 5.4 Medium score is driven by network accessibility (AV:N), low complexity (AC:L), low privilege requirement (PR:L), required victim interaction (UI:R), scope change (S:C), and limited confidentiality and integrity impact (C:L/I:L). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with a valid low-privilege DivvyDrive account submits a payload such as a script tag or JavaScript event handler into a shared input field - for example, a file comment, document name, or profile field - that is stored and later rendered for other users. When an administrator or co-worker loads the affected page, the injected script silently executes in their browser, potentially exfiltrating their session cookie to an attacker-controlled server. …
Remediation Upgrade DivvyDrive to version v.4.8.3.1 or later, which resolves this stored XSS vulnerability per the TR-CERT advisory at https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0475. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-6283 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy