Description
Cross-Site request forgery (CSRF) vulnerability in DivvyDrive Information Technologies Inc. DivvyDrive allows Cross Site Request Forgery.

This issue affects DivvyDrive: from 4.8.2.9 before 4.8.3.2.
Published: 2026-05-07
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

DivvyDrive Information Technologies Inc. disclosed a Cross‑Site Request Forgery (CSRF) vulnerability that allows malicious actors to convince authenticated users to submit unintended requests, potentially altering data or initiating actions without the user’s consent. This flaw corresponds to CWE‑352 and can lead to accidental or malicious changes in system state, compromising data integrity and trust.

Affected Systems

The vulnerability affects DivvyDrive Information Technologies Inc.’s DivvyDrive versions starting at 4.8.2.9 and lasting until before 4.8.3.2. Systems running any 4.8.2.x or earlier 4.8.3.x builds are exposed.

Risk and Exploitability

The CVSS score of 6.5 reflects a moderate risk. The EPSS score of <1% indicates a very low likelihood of exploitation, yet the lack of a KEV listing does not reduce the urgency of remediation. Attackers can likely exploit the flaw by embedding crafted requests in emails or external websites, which will be sent by a victim’s authenticated browser. This represents an inferred CSRF attack vector that forces the victim’s browser to send state‑changing requests without consent. Successful exploitation enables attackers to perform privileged operations on behalf of the user.

Generated by OpenCVE AI on May 10, 2026 at 18:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade DivvyDrive to version 4.8.3.2 or later, which includes CSRF protection fixes
  • Apply server‑side CSRF tokens to all state‑changing form submissions and API endpoints
  • Configure the session cookie with the SameSite attribute and ensure it requires HTTPS to mitigate cross‑origin request attempts

Generated by OpenCVE AI on May 10, 2026 at 18:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 10 May 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}

 cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N'}

Thu, 07 May 2026 21:45:00 +0000

Type Values Removed Values Added
First Time appeared Divvydrive
Divvydrive divvydrive
Vendors & Products Divvydrive
Divvydrive divvydrive

Thu, 07 May 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 07 May 2026 13:00:00 +0000

Type Values Removed Values Added
Description Cross-Site request forgery (CSRF) vulnerability in DivvyDrive Information Technologies Inc. DivvyDrive allows Cross Site Request Forgery. This issue affects DivvyDrive: from 4.8.2.9 before 4.8.3.2.
Title CSRF in DivvyDrive Information Technologies' DivvyDrive
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}

Subscriptions

Divvydrive Divvydrive
cve-icon MITRE

Status: PUBLISHED

Assigner: TR-CERT

Published:

Updated: 2026-05-10T15:48:12.028Z

Reserved: 2026-04-08T12:53:49.676Z

Link: CVE-2026-5791

cve-icon Vulnrichment

Updated: 2026-05-07T13:13:14.082Z

cve-icon NVD

Status : Deferred

Published: 2026-05-07T13:16:13.647

Modified: 2026-05-10T16:16:07.333

Link: CVE-2026-5791

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-10T18:30:17Z

Weaknesses