Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
URL redirection to untrusted site ('open redirect') vulnerability in DivvyDrive Information Technologies Inc. DivvyDrive allows Parameter Injection.
This issue affects DivvyDrive: from 4.8.2.9 before 4.8.3.2.
AnalysisAI
Open redirect vulnerability in DivvyDrive 4.8.2.9 through 4.8.3.1 allows remote unauthenticated attackers to redirect users to malicious sites via parameter injection, achieving high-severity impact across confidentiality, integrity, and availability with scope change. The CVSS 9.6 (Critical) score reflects cross-site scope change and combined impacts, though typical open redirect attacks involve phishing rather than direct system compromise. TR-CERT published this vulnerability with vendor coordination through Turkish national CERT.
Technical ContextAI
This is a CWE-601 URL Redirection to Untrusted Site vulnerability in DivvyDrive, a file sharing and collaboration platform by DivvyDrive Information Technologies Inc. The flaw involves parameter injection, where attacker-controlled input is used to construct redirect URLs without proper validation or sanitization. The affected software versions (CPE 2.3 identifier: divvydrive_information_technologies_inc.:divvydrive) span from 4.8.2.9 through 4.8.3.1. Open redirect vulnerabilities typically arise when web applications accept user-supplied URLs in parameters (e.g., ?redirect=, ?next=, ?url=) and perform HTTP redirects without validating that the destination belongs to trusted domains. The parameter injection aspect suggests attackers can manipulate URL construction logic to bypass weak validation attempts, potentially through encoding tricks, protocol handlers, or path traversal sequences.
RemediationAI
Upgrade DivvyDrive to version 4.8.3.2 or later, which addresses the parameter injection vulnerability according to the CVE version range data. Consult TR-CERT advisory TR-26-0182 at https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0182 for additional vendor guidance. If immediate patching is not feasible, implement compensating controls: deploy web application firewall (WAF) rules to block suspicious redirect parameter values containing external domains, full URLs with protocols, or encoding attempts (side effect: may break legitimate third-party integrations using redirect parameters). Configure Content Security Policy (CSP) headers to restrict navigation targets, though this provides limited protection against social engineering aspects. Educate users to verify destination URLs before clicking links in emails or messages claiming to originate from DivvyDrive, and implement email security gateways to scan for DivvyDrive domain abuse in phishing campaigns (trade-off: increases operational overhead and user friction). Review application logs for suspicious redirect parameter usage patterns to identify potential exploitation attempts before patch deployment.
More in Open Redirect
View allA malicious third-party can give a crafted "ssh://..." URL to an unsuspecting victim, and an attempt to visit the URL ca
GFI Kerio Control versions 9.2.5 through 9.4.5 contain an HTTP response splitting vulnerability in the dest parameter of
PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect
Multiple open redirect vulnerabilities in Apache Struts 2.0.0 through 2.3.15 allow remote attackers to redirect users to
Open redirect vulnerability in age-verification.php in the Age Verification plugin 0.4 and earlier for WordPress allows
Open redirect vulnerability in Kaseya Virtual System Administrator (VSA) 7.x before 7.0.0.29, 8.x before 8.0.0.18, 9.0 b
Vulnerability in the Oracle Applications Framework component of Oracle E-Business Suite (subcomponent: Popup windows (li
Unspecified vulnerability in the Oracle Application Server Single Sign-On component in Oracle Fusion Middleware 10.1.4.3
Flarum is open source discussion platform software. Rated medium severity (CVSS 6.5), this vulnerability is remotely exp
Open redirect vulnerability in Novius OS 5.0.1 (Elche) allows remote attackers to redirect users to arbitrary web sites
Open redirect vulnerability in the Redirect function in stageshow_redirect.php in the StageShow plugin before 5.0.9 for
Nteract v.0.28.0 was discovered to contain a remote code execution (RCE) vulnerability via the Markdown link. Rated crit
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-28375
GHSA-g28p-hp32-cg73