Description
Cross-Site request forgery (CSRF) vulnerability in DivvyDrive Information Technologies Inc. DivvyDrive allows Cross Site Request Forgery.

This issue affects DivvyDrive: from 4.8.2.9 before 4.8.3.2.
Published: 2026-05-07
Score: 9.6 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

DivvyDrive Information Technologies Inc. disclosed a Cross‑Site Request Forgery (CSRF) vulnerability that allows malicious actors to convince authenticated users to submit unintended requests, potentially altering data or initiating actions without the user’s consent. This flaw corresponds to CWE‑352 and can lead to accidental or malicious changes in system state, compromising data integrity and trust.

Affected Systems

The vulnerability affects DivvyDrive versions starting at 4.8.2.9 up to, but not including, 4.8.3.2. Systems running any 4.8.2.x or earlier 4.8.3.x build are exposed.

Risk and Exploitability

The CVSS score of 9.6 reflects a high‐level risk. Although EPSS data is not available, the absence of a KEV listing does not diminish the immediate need for remediation. Attackers can exploit the flaw by embedding crafted requests in emails, external sites, or social media posts; the victim must be authenticated in the target system. Successful exploitation results in the attacker performing privileged actions on behalf of the user without further interaction.

Generated by OpenCVE AI on May 7, 2026 at 14:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade DivvyDrive to version 4.8.3.2 or later, which includes CSRF protection fixes
  • Apply server‑side CSRF tokens to all state‑changing form submissions and API endpoints
  • Configure the session cookie with the SameSite attribute and ensure it requires HTTPS to mitigate cross‑origin request attempts

Generated by OpenCVE AI on May 7, 2026 at 14:56 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 07 May 2026 21:45:00 +0000

Type Values Removed Values Added
First Time appeared Divvydrive
Divvydrive divvydrive
Vendors & Products Divvydrive
Divvydrive divvydrive

Thu, 07 May 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 07 May 2026 13:00:00 +0000

Type Values Removed Values Added
Description Cross-Site request forgery (CSRF) vulnerability in DivvyDrive Information Technologies Inc. DivvyDrive allows Cross Site Request Forgery. This issue affects DivvyDrive: from 4.8.2.9 before 4.8.3.2.
Title CSRF in DivvyDrive Information Technologies' DivvyDrive
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}

Subscriptions

Divvydrive Divvydrive
cve-icon MITRE

Status: PUBLISHED

Assigner: TR-CERT

Published:

Updated: 2026-05-07T13:13:17.017Z

Reserved: 2026-04-08T12:53:49.676Z

Link: CVE-2026-5791

cve-icon Vulnrichment

Updated: 2026-05-07T13:13:14.082Z

cve-icon NVD

Status : Deferred

Published: 2026-05-07T13:16:13.647

Modified: 2026-05-07T14:42:24.170

Link: CVE-2026-5791

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-07T21:24:50Z

Weaknesses