DivvyDrive Stored XSS Vulnerability (CVE-2026-5784) Poses High Risk

The National Vulnerability Database has disclosed a high-severity Stored Cross-Site Scripting (XSS) vulnerability, CVE-2026-5784, affecting DivvyDrive from DivvyDrive Information Technologies Inc. The flaw, rated CVSS 8.8 (High), stems from improper neutralization of input during web page generation, which lets attackers inject malicious scripts that execute in the context of other users.

Specifically, the vulnerability impacts DivvyDrive versions from 4.8.2.9 before 4.8.3.2. An unauthenticated attacker could exploit it by injecting malicious scripts into parameters that are stored and later rendered to other users. This allows session hijacking, data theft, or defacement, all without direct user interaction beyond viewing a compromised page.

For defenders, this is a critical vector for remote execution of attacker-supplied script in users' browsers. The attacker’s calculus here is straightforward: establish persistence, exfiltrate data, or pivot within the application. Given the ‘Network’ attack vector and ‘Low’ attack complexity, this is a high-reward target for opportunistic attackers. Patching is not optional; it’s an immediate imperative.

What This Means For You

  • If your organization uses DivvyDrive, you must immediately verify your version. If you are running DivvyDrive 4.8.2.9 through 4.8.3.1, you are exposed. Prioritize patching to version 4.8.3.2 or later to mitigate this critical Stored XSS vulnerability.
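
One way to run that version check across an inventory, as an added example (not code from DivvyDrive or the advisory): it compares four-part versions numerically against the affected range stated above, since plain string comparison misorders values such as 4.8.2.10. The host names, the inventory format and the status labels are constructed for illustration.

```python
import re

# Affected range as stated in the advisory: from 4.8.2.9, before 4.8.3.2.
FIRST_AFFECTED = (4, 8, 2, 9)
FIRST_FIXED = (4, 8, 3, 2)

# Exactly four numeric fields, the format the advisory uses for versions.
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)\.(\d+)\s*$")


def parse_version(text):
    """Return a 4-tuple of ints, or None if text is not a four-part version."""
    match = _VERSION_RE.match(text or "")
    if not match:
        return None
    return tuple(int(field) for field in match.groups())


def classify(version_text):
    """Classify one reported version as 'exposed', 'outside-range' or 'unknown'."""
    version = parse_version(version_text)
    if version is None:
        return "unknown"  # unparseable: check manually, never assume safe
    if FIRST_AFFECTED <= version < FIRST_FIXED:
        return "exposed"
    return "outside-range"  # the advisory makes no statement about these


def triage(inventory):
    """Map host -> status for an inventory of (host, version string) pairs."""
    return {host: classify(version) for host, version in inventory}


# Constructed sample inventory (hypothetical hosts, not from the advisory).
SAMPLE_INVENTORY = [
    ("files-01.example.internal", "4.8.2.9"),
    ("files-02.example.internal", "4.8.2.10"),  # sorts before 4.8.2.9 as a string
    ("files-03.example.internal", "4.8.3.1"),
    ("files-04.example.internal", "4.8.3.2"),
    ("files-05.example.internal", "4.8.2.8"),
    ("files-06.example.internal", "unknown build"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```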

Indicators of Compromise

ID | Type | Indicator
CVE-2026-5784 | XSS | DivvyDrive Information Technologies Inc. DivvyDrive
CVE-2026-5784 | XSS | DivvyDrive versions from 4.8.2.9 before 4.8.3.2
CVE-2026-5784 | XSS | Improper neutralization of input during web page generation
CVE-2026-5784 | XSS | Stored XSS

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: May 07, 2026 at 16:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
