Description
Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in DivvyDrive Information Technologies Inc. DivvyDrive allows Stored XSS.

This issue affects DivvyDrive: from 4.8.2.9 before 4.8.3.2.
Published: 2026-05-07
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

DivvyDrive Information Technologies Inc. has identified a stored cross‑site scripting vulnerability. The flaw arises from improper neutralization when web pages are rendered, allowing a malicious actor to embed scripts that will execute in the browser context of any user who views the affected content.

Affected Systems

The issue impacts the DivvyDrive product line. Versions starting with 4.8.2.9 and running up to (but not including) 4.8.3.2 are vulnerable. Any deployment of those specific builds that accepts user input without proper sanitization is at risk.

Risk and Exploitability

The CVSS score of 8.8 indicates high severity. No EPSS score was reported, but the lack of exploitation data does not diminish the potential for abuse. The vulnerability is not yet listed in CISA KEV. Attackers can likely exploit it by injecting malicious code through any input channel that stores content, such as comments, messages, or data fields. If successful, the attacker’s script would run with the privileges of the victim’s browser session.

Generated by OpenCVE AI on May 7, 2026 at 14:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to DivvyDrive 4.8.3.2 or later, which contains the fix for the stored XSS issue.
  • If an immediate upgrade is not feasible, disable or restrict all input fields that allow storage of user‑provided content, or configure server‑side validation to reject scripts.
  • Deploy a web application firewall or content security policy that blocks or sanitizes script payloads in user input.



Advisories

No advisories yet.

History

Thu, 07 May 2026 21:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Divvydrive, Divvydrive divvydrive
Vendors & Products | | Divvydrive, Divvydrive divvydrive

Thu, 07 May 2026 14:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 07 May 2026 13:00:00 +0000

Type | Values Removed | Values Added
Description | | Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in DivvyDrive Information Technologies Inc. DivvyDrive allows Stored XSS. This issue affects DivvyDrive: from 4.8.2.9 before 4.8.3.2.
Title | | Stored XSS in DivvyDrive Information Technologies' DivvyDrive
Weaknesses | | CWE-79
References | |
Metrics | | cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: TR-CERT

Published:

Updated: 2026-05-07T13:14:36.155Z

Reserved: 2026-04-08T10:52:49.093Z

Link: CVE-2026-5784

Vulnrichment

Updated: 2026-05-07T13:14:33.462Z

NVD

Status: Deferred

Published: 2026-05-07T13:16:13.480

Modified: 2026-05-07T14:42:24.170

Link: CVE-2026-5784

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-07T21:24:47Z

Weaknesses