Skip to main content

DivvyDrive EUVDEUVD-2026-41008

| CVE-2026-5220 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-07-01 TR-CERT GHSA-rr2x-7r28-45fw
6.4
CVSS 3.1 · Vendor: TR-CERT
Share

Severity by source

Vendor (TR-CERT) PRIMARY
6.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
vuln.today AI
5.4 MEDIUM

Stored XSS requires victim to view the injected page (UI:R); PR:L reflects required low-privilege account; S:C and C:L/I:L capture cross-boundary session impact.

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (TR-CERT).

CVSS VectorVendor: TR-CERT

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jul 01, 2026 - 14:56 vuln.today

DescriptionCVE.org

Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in DivvyDrive Information Technologies Inc. DivvyDrive allows Stored XSS.

This issue affects DivvyDrive: from 4.8.2.23 before v.4.8.3.1.

AnalysisAI

Stored cross-site scripting in DivvyDrive (versions 4.8.2.23 through before 4.8.3.1) allows authenticated low-privilege attackers to inject persistent malicious scripts that execute in the browsers of other users who view affected pages. The CVSS scope change (S:C) reflects that injected scripts operate outside the application's security boundary, enabling session hijacking or credential theft against higher-privileged victims such as administrators. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate with low-privilege DivvyDrive account
Delivery
Identify stored input field lacking output encoding
Exploit
Submit crafted XSS payload to persist in database
Execution
Target user (e.g., administrator) views page with injected content
Persist
Malicious script executes in victim's browser
Impact
Exfiltrate session token or perform actions as victim

Vulnerability AssessmentAI

Exploitation Exploitation requires a valid DivvyDrive account with at least low-privilege access (PR:L per CVSS) sufficient to submit input to a stored field within the application. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD-assigned CVSS 6.4 (Medium) uses vector AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An authenticated low-privilege DivvyDrive user submits a crafted payload - for example, a script tag embedded in a shared document title, comment field, or profile field - that the application stores without sanitization. When an administrator or other user subsequently views the page containing the stored content, the script silently executes in their browser, exfiltrating their session cookie to an attacker-controlled endpoint and enabling account takeover. …
Remediation Upgrade DivvyDrive to version 4.8.3.1 or later, which resolves this stored XSS vulnerability per the TR-CERT advisory at https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0475. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-41008 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy