Description
Improper neutralization of Script-Related HTML tags in a web page (basic XSS) vulnerability in DivvyDrive Information Technologies Inc. DivvyDrive allows Cross-Site Scripting (XSS).

This issue affects DivvyDrive: from 4.8.2.9 before 4.8.3.2.
Published: 2026-05-07
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an improper neutralization of script-related HTML tags, which results in a basic XSS flaw. An attacker can inject JavaScript that runs in the context of the application, potentially defacing web pages, stealing session cookies, or performing actions on behalf of the user. This weakness can compromise the confidentiality, integrity, and availability of data accessed through the web interface.

Affected Systems

Affected installations of DivvyDrive are those running version 4.8.2.9 through any release prior to 4.8.3.2; any instance of DivvyDrive before the 4.8.3.2 update is vulnerable.

Risk and Exploitability

The CVSS score of 8.8 categorises this flaw as high severity. No EPSS score is reported and the vulnerability is not listed in CISA's KEV catalog, so the exact likelihood of exploitation is uncertain; the absence of known active exploits does not mitigate the risk. The likely attack vector is a web interface or API that accepts user input without proper sanitization. Based on the description, it is inferred that authentication or elevated privileges are not required for exploitation. Once a vulnerable endpoint is accessed, arbitrary scripts can execute with the privileges of the victim user.

Generated by OpenCVE AI on May 7, 2026 at 15:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to DivvyDrive 4.8.3.2 or newer to remediate the flaw
  • Apply input sanitization or output encoding so that script tags in user-supplied content are stripped or rendered inert
  • Deploy a Content Security Policy that disallows inline JavaScript and restricts script sources

Advisories

No advisories yet.

History

Thu, 07 May 2026 21:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Divvydrive; Divvydrive divvydrive
Vendors & Products | | Divvydrive; Divvydrive divvydrive

Thu, 07 May 2026 14:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 07 May 2026 13:00:00 +0000

Type | Values Removed | Values Added
Description | | Improper neutralization of Script-Related HTML tags in a web page (basic XSS) vulnerability in DivvyDrive Information Technologies Inc. DivvyDrive allows Cross-Site Scripting (XSS). This issue affects DivvyDrive: from 4.8.2.9 before 4.8.3.2.
Title | | HTML Injection in DivvyDrive Information Technologies' DivvyDrive
Weaknesses | | CWE-80
References | |
Metrics | | cvssV3_1: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: TR-CERT

Published:

Updated: 2026-05-07T13:13:49.654Z

Reserved: 2026-04-09T13:19:37.922Z

Link: CVE-2026-6002

Vulnrichment

Updated: 2026-05-07T13:13:44.953Z

NVD

Status: Deferred

Published: 2026-05-07T13:16:13.773

Modified: 2026-05-07T14:42:24.170

Link: CVE-2026-6002

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-07T21:24:49Z

Weaknesses