Skip to main content

DivvyDrive EUVDEUVD-2026-28358

| CVE-2026-5784 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-05-07 TR-CERT GHSA-wj3v-9w9x-ccw9
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Patch available
May 07, 2026 - 14:01 EUVD
Analysis Generated
May 07, 2026 - 13:30 vuln.today
CVE Published
May 07, 2026 - 12:54 nvd
HIGH 8.8

DescriptionCVE.org

Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in DivvyDrive Information Technologies Inc. DivvyDrive allows Stored XSS.

This issue affects DivvyDrive: from 4.8.2.9 before 4.8.3.2.

AnalysisAI

Stored cross-site scripting in DivvyDrive 4.8.2.9 through 4.8.3.1 enables remote attackers to inject malicious scripts that execute in victim browsers with high integrity impact (CVSS 8.8). The vulnerability requires user interaction but no authentication, allowing attackers to compromise confidentiality, integrity, and availability of user sessions. Reported by TR-CERT with vendor patch released in version 4.8.3.2. No confirmed active exploitation (not in CISA KEV) and no public exploit code identified at time of analysis.

Technical ContextAI

This is a stored (persistent) cross-site scripting vulnerability (CWE-79) in DivvyDrive, a file management and collaboration platform by DivvyDrive Information Technologies Inc. The affected CPE (cpe:2.3:a:divvydrive_information_technologies_inc.:divvydrive) indicates the vulnerability exists in the application's web interface where user-supplied input is not properly sanitized before being stored and later rendered in web pages. Stored XSS is more severe than reflected XSS because the malicious payload persists in the application's data store (database, file system, etc.) and executes whenever users access the affected page. The improper neutralization of input allows attackers to inject arbitrary HTML and JavaScript that the application later serves to other users. With CVSS:3.1 showing Scope:Unchanged, the vulnerability operates within the same security authority-the user's browser session within the DivvyDrive application context. The high confidentiality, integrity, and availability impacts suggest attackers can steal session tokens, modify displayed content, and disrupt application functionality.

RemediationAI

Upgrade DivvyDrive to version 4.8.3.2 or later, which addresses the input neutralization flaw. The vendor-released patch should be obtained from DivvyDrive Information Technologies Inc. official channels. Organizations should prioritize instances exposed to untrusted users or internet-facing deployments. Review TR-CERT advisory at https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0182 for vendor-specific guidance. If immediate patching is not feasible, implement compensating controls: enable Content Security Policy (CSP) headers with strict script-src directives to prevent inline script execution (may break legitimate application functionality requiring testing), deploy Web Application Firewall (WAF) rules to filter common XSS payloads in input fields (bypassable by sophisticated attackers, provides detection layer only), restrict DivvyDrive access to trusted networks via firewall rules or VPN (reduces attack surface but does not prevent insider threats or compromised accounts). Post-patch, audit stored content for malicious scripts injected prior to remediation, review application logs for suspicious input patterns or failed XSS attempts, and reset user sessions to invalidate potentially compromised tokens.

Share

EUVD-2026-28358 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy