Skip to main content

DivvyDrive CVE-2026-6795

| EUVDEUVD-2026-28375 CRITICAL
URL Redirection to Untrusted Site (Open Redirect) (CWE-601)
2026-05-07 TR-CERT GHSA-g28p-hp32-cg73
9.6
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.6 CRITICAL
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Patch available
May 07, 2026 - 15:02 EUVD
Analysis Generated
May 07, 2026 - 14:30 vuln.today
CVE Published
May 07, 2026 - 12:58 nvd
CRITICAL 9.6

DescriptionCVE.org

URL redirection to untrusted site ('open redirect') vulnerability in DivvyDrive Information Technologies Inc. DivvyDrive allows Parameter Injection.

This issue affects DivvyDrive: from 4.8.2.9 before 4.8.3.2.

AnalysisAI

Open redirect vulnerability in DivvyDrive 4.8.2.9 through 4.8.3.1 allows remote unauthenticated attackers to redirect users to malicious sites via parameter injection, achieving high-severity impact across confidentiality, integrity, and availability with scope change. The CVSS 9.6 (Critical) score reflects cross-site scope change and combined impacts, though typical open redirect attacks involve phishing rather than direct system compromise. TR-CERT published this vulnerability with vendor coordination through Turkish national CERT.

Technical ContextAI

This is a CWE-601 URL Redirection to Untrusted Site vulnerability in DivvyDrive, a file sharing and collaboration platform by DivvyDrive Information Technologies Inc. The flaw involves parameter injection, where attacker-controlled input is used to construct redirect URLs without proper validation or sanitization. The affected software versions (CPE 2.3 identifier: divvydrive_information_technologies_inc.:divvydrive) span from 4.8.2.9 through 4.8.3.1. Open redirect vulnerabilities typically arise when web applications accept user-supplied URLs in parameters (e.g., ?redirect=, ?next=, ?url=) and perform HTTP redirects without validating that the destination belongs to trusted domains. The parameter injection aspect suggests attackers can manipulate URL construction logic to bypass weak validation attempts, potentially through encoding tricks, protocol handlers, or path traversal sequences.

RemediationAI

Upgrade DivvyDrive to version 4.8.3.2 or later, which addresses the parameter injection vulnerability according to the CVE version range data. Consult TR-CERT advisory TR-26-0182 at https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0182 for additional vendor guidance. If immediate patching is not feasible, implement compensating controls: deploy web application firewall (WAF) rules to block suspicious redirect parameter values containing external domains, full URLs with protocols, or encoding attempts (side effect: may break legitimate third-party integrations using redirect parameters). Configure Content Security Policy (CSP) headers to restrict navigation targets, though this provides limited protection against social engineering aspects. Educate users to verify destination URLs before clicking links in emails or messages claiming to originate from DivvyDrive, and implement email security gateways to scan for DivvyDrive domain abuse in phishing campaigns (trade-off: increases operational overhead and user friction). Review application logs for suspicious redirect parameter usage patterns to identify potential exploitation attempts before patch deployment.

CVE-2017-1000117 HIGH POC
8.8 Oct 05

A malicious third-party can give a crafted "ssh://..." URL to an unsuspecting victim, and an attempt to visit the URL ca

CVE-2024-52875 HIGH POC
8.8 Jan 31

GFI Kerio Control versions 9.2.5 through 9.4.5 contain an HTTP response splitting vulnerability in the dest parameter of

CVE-2016-5385 HIGH POC
8.1 Jul 19

PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect

CVE-2013-2248 MEDIUM POC
5.8 Jul 20

Multiple open redirect vulnerabilities in Apache Struts 2.0.0 through 2.3.15 allow remote attackers to redirect users to

CVE-2012-6499 MEDIUM POC
5.8 Jan 12

Open redirect vulnerability in age-verification.php in the Age Verification plugin 0.4 and earlier for WordPress allows

CVE-2015-2863 MEDIUM POC
4.3 Jul 20

Open redirect vulnerability in Kaseya Virtual System Administrator (VSA) 7.x before 7.0.0.29, 8.x before 8.0.0.18, 9.0 b

CVE-2017-3528 MEDIUM POC
5.4 Apr 24

Vulnerability in the Oracle Applications Framework component of Oracle E-Business Suite (subcomponent: Popup windows (li

CVE-2012-0518 MEDIUM
4.7 Oct 16

Unspecified vulnerability in the Oracle Application Server Single Sign-On component in Oracle Fusion Middleware 10.1.4.3

CVE-2024-21641 MEDIUM POC
6.5 Jan 05

Flarum is open source discussion platform software. Rated medium severity (CVSS 6.5), this vulnerability is remotely exp

CVE-2015-5354 MEDIUM POC
5.8 Jul 01

Open redirect vulnerability in Novius OS 5.0.1 (Elche) allows remote attackers to redirect users to arbitrary web sites

CVE-2015-5461 MEDIUM POC
6.4 Jul 08

Open redirect vulnerability in the Redirect function in stageshow_redirect.php in the StageShow plugin before 5.0.9 for

CVE-2024-22891 CRITICAL POC
9.8 Mar 01

Nteract v.0.28.0 was discovered to contain a remote code execution (RCE) vulnerability via the Markdown link. Rated crit

Share

CVE-2026-6795 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy