Description
URL redirection to untrusted site ('open redirect') vulnerability in DivvyDrive Information Technologies Inc. DivvyDrive allows Parameter Injection.

This issue affects DivvyDrive: from 4.8.2.9 before 4.8.3.2.
Published: 2026-05-07
Score: 9.6 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

DivvyDrive, a product of DivvyDrive Information Technologies Inc., is vulnerable to a URL redirection flaw in which injected parameters cause the application to redirect users to an untrusted site. An unauthenticated attacker can use this flaw to trick end-users into visiting malicious domains, leading to phishing, credential theft, or defacement. The weakness is cataloged as CWE-601, URL Redirection to Untrusted Site ('Open Redirect').

Affected Systems

Systems running DivvyDrive versions from 4.8.2.9 up to, but not including, 4.8.3.2 are affected. The vulnerability applies to all deployments of DivvyDrive by DivvyDrive Information Technologies Inc. where the redirect parameter is enabled. The CNA data contains no further patch version information, but the impact applies to all of those older releases.

Risk and Exploitability

The CVSS score of 9.6 indicates a critical-severity risk, and because exploitation does not require authentication, the likelihood of exploitation is high. The EPSS score is not reported and the vulnerability is not listed in CISA KEV; the absence of a KEV listing does not reduce the threat. Attackers could trigger the redirect by crafting a URL to any publicly accessible endpoint and injecting the redirect parameter. Once the redirect is triggered, the end-user is directed to a malicious domain controlled by the attacker, potentially compromising session state or exposing credentials to phishing. Prompt remediation is strongly advisable.

Generated by OpenCVE AI on May 7, 2026 at 14:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest DivvyDrive update (4.8.3.2 or newer).
  • If upgrade is not immediately possible, configure the application to reject or sanitize externally supplied redirect URLs.
  • Continuously monitor user activity logs for unexpected redirection patterns and report incidents promptly.

Advisories

No advisories yet.

History

Thu, 07 May 2026 21:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Divvydrive; Divvydrive divvydrive
Vendors & Products | | Divvydrive; Divvydrive divvydrive

Thu, 07 May 2026 16:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 07 May 2026 13:45:00 +0000

Type | Values Removed | Values Added
Description | | URL redirection to untrusted site ('open redirect') vulnerability in DivvyDrive Information Technologies Inc. DivvyDrive allows Parameter Injection. This issue affects DivvyDrive: from 4.8.2.9 before 4.8.3.2.
Title | | Open Redirect in DivvyDrive Information Technologies' DivvyDrive
Weaknesses | | CWE-601
References | |
Metrics | | cvssV3_1: {'score': 9.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: TR-CERT

Published:

Updated: 2026-05-07T14:37:11.375Z

Reserved: 2026-04-21T14:34:31.238Z

Link: CVE-2026-6795

Vulnrichment

Updated: 2026-05-07T14:37:07.411Z

NVD

Status: Deferred

Published: 2026-05-07T14:16:04.280

Modified: 2026-05-07T14:42:40.917

Link: CVE-2026-6795

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-07T21:24:46Z

Weaknesses