Skip to main content

Divvydrive

6 CVEs product

Monthly

CVE-2026-6283 MEDIUM This Month

Stored XSS in DivvyDrive versions v.4.8.2.23 through before v.4.8.3.1 enables an authenticated low-privilege user to inject persistent malicious scripts into application content that execute in the browsers of other users who subsequently view the affected page. The CVSS scope change indicator (S:C) reflects that the injected payload breaks out of the application's security boundary into the victim's browser context, enabling session hijacking or unauthorized actions. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis; the vulnerability was disclosed by TR-CERT with a corresponding patch available.

XSS Divvydrive
NVD VulDB
CVSS 3.1
5.4
EPSS
0.1%
CVE-2026-5220 MEDIUM This Month

Stored cross-site scripting in DivvyDrive (versions 4.8.2.23 through before 4.8.3.1) allows authenticated low-privilege attackers to inject persistent malicious scripts that execute in the browsers of other users who view affected pages. The CVSS scope change (S:C) reflects that injected scripts operate outside the application's security boundary, enabling session hijacking or credential theft against higher-privileged victims such as administrators. No public exploit code or CISA KEV listing has been identified at time of analysis; however, the low attack complexity and cross-scope impact make this a meaningful lateral escalation risk within DivvyDrive deployments.

XSS Divvydrive
NVD VulDB
CVSS 3.1
6.4
EPSS
0.1%
CVE-2025-14341 HIGH PATCH This Week

Remote attackers can cause excessive resource allocation and flooding attacks in DivvyDrive 4.8.2.19 through 4.8.3.1 by exploiting uncontrolled object attribute modification combined with absent resource throttling. The vulnerability permits low confidentiality impact but high integrity and availability compromise when a user interacts with attacker-controlled content. TR-CERT has issued an advisory, though no CISA KEV listing or public exploit code has been identified at time of analysis. EPSS data not available to assess exploitation probability.

Information Disclosure Divvydrive
NVD
CVSS 3.1
8.3
EPSS
0.0%
CVE-2026-5784 HIGH PATCH This Week

Stored cross-site scripting in DivvyDrive 4.8.2.9 through 4.8.3.1 enables remote attackers to inject malicious scripts that execute in victim browsers with high integrity impact (CVSS 8.8). The vulnerability requires user interaction but no authentication, allowing attackers to compromise confidentiality, integrity, and availability of user sessions. Reported by TR-CERT with vendor patch released in version 4.8.3.2. No confirmed active exploitation (not in CISA KEV) and no public exploit code identified at time of analysis.

XSS Divvydrive
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-6002 HIGH PATCH This Week

Cross-site scripting (XSS) in DivvyDrive 4.8.2.9 through 4.8.3.1 allows remote unauthenticated attackers to execute arbitrary JavaScript in victim browsers, leading to session hijacking, credential theft, and malicious actions performed under victim's identity. The CVSS score of 8.8 (High) reflects the broad impact scope (confidentiality, integrity, availability all rated High), though user interaction is required. TR-CERT disclosure indicates awareness within Turkish government cybersecurity circles, but no CISA KEV listing or public exploit code identified at time of analysis, suggesting limited active exploitation outside potential targeted campaigns.

XSS Divvydrive
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-5791 MEDIUM PATCH This Month

Cross-Site Request Forgery in DivvyDrive 4.8.2.9 through 4.8.3.1 allows remote attackers to execute unauthorized actions with high integrity and confidentiality impact when authenticated users interact with malicious content. The CVSS 9.6 (Critical) score reflects scope change and full CIA triad compromise, though EPSS data and KEV status are unavailable. No public exploit code identified at time of analysis, but CSRF vulnerabilities are well-understood and easily weaponized once identified.

CSRF Divvydrive
NVD
CVSS 3.1
6.5
EPSS
0.0%
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored XSS in DivvyDrive versions v.4.8.2.23 through before v.4.8.3.1 enables an authenticated low-privilege user to inject persistent malicious scripts into application content that execute in the browsers of other users who subsequently view the affected page. The CVSS scope change indicator (S:C) reflects that the injected payload breaks out of the application's security boundary into the victim's browser context, enabling session hijacking or unauthorized actions. No public exploit code or active exploitation (CISA KEV) has been identified at time of analysis; the vulnerability was disclosed by TR-CERT with a corresponding patch available.

XSS Divvydrive
NVD VulDB
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored cross-site scripting in DivvyDrive (versions 4.8.2.23 through before 4.8.3.1) allows authenticated low-privilege attackers to inject persistent malicious scripts that execute in the browsers of other users who view affected pages. The CVSS scope change (S:C) reflects that injected scripts operate outside the application's security boundary, enabling session hijacking or credential theft against higher-privileged victims such as administrators. No public exploit code or CISA KEV listing has been identified at time of analysis; however, the low attack complexity and cross-scope impact make this a meaningful lateral escalation risk within DivvyDrive deployments.

XSS Divvydrive
NVD VulDB
EPSS 0% CVSS 8.3
HIGH PATCH This Week

Remote attackers can cause excessive resource allocation and flooding attacks in DivvyDrive 4.8.2.19 through 4.8.3.1 by exploiting uncontrolled object attribute modification combined with absent resource throttling. The vulnerability permits low confidentiality impact but high integrity and availability compromise when a user interacts with attacker-controlled content. TR-CERT has issued an advisory, though no CISA KEV listing or public exploit code has been identified at time of analysis. EPSS data not available to assess exploitation probability.

Information Disclosure Divvydrive
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Stored cross-site scripting in DivvyDrive 4.8.2.9 through 4.8.3.1 enables remote attackers to inject malicious scripts that execute in victim browsers with high integrity impact (CVSS 8.8). The vulnerability requires user interaction but no authentication, allowing attackers to compromise confidentiality, integrity, and availability of user sessions. Reported by TR-CERT with vendor patch released in version 4.8.3.2. No confirmed active exploitation (not in CISA KEV) and no public exploit code identified at time of analysis.

XSS Divvydrive
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Cross-site scripting (XSS) in DivvyDrive 4.8.2.9 through 4.8.3.1 allows remote unauthenticated attackers to execute arbitrary JavaScript in victim browsers, leading to session hijacking, credential theft, and malicious actions performed under victim's identity. The CVSS score of 8.8 (High) reflects the broad impact scope (confidentiality, integrity, availability all rated High), though user interaction is required. TR-CERT disclosure indicates awareness within Turkish government cybersecurity circles, but no CISA KEV listing or public exploit code identified at time of analysis, suggesting limited active exploitation outside potential targeted campaigns.

XSS Divvydrive
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Cross-Site Request Forgery in DivvyDrive 4.8.2.9 through 4.8.3.1 allows remote attackers to execute unauthorized actions with high integrity and confidentiality impact when authenticated users interact with malicious content. The CVSS 9.6 (Critical) score reflects scope change and full CIA triad compromise, though EPSS data and KEV status are unavailable. No public exploit code identified at time of analysis, but CSRF vulnerabilities are well-understood and easily weaponized once identified.

CSRF Divvydrive
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy