CVE-2026-6795
DivvyDrive Information Technologies Inc. · DivvyDrive
DivvyDrive contains an open redirect vulnerability that facilitates parameter injection, potentially allowing attackers to redirect users to malicious external domains.
Executive summary
A critical open redirect and parameter injection vulnerability in DivvyDrive exposes users to phishing and malicious redirection, warranting immediate attention.
Vulnerability
The software fails to properly validate user-supplied input in URL parameters, leading to an open redirect flaw. An unauthenticated attacker can leverage this to inject arbitrary parameters, potentially tricking users into interacting with malicious third-party content.
Business impact
With a CVSS score of 9.6, this vulnerability poses a significant risk to organizational security. Successful exploitation can facilitate sophisticated phishing campaigns, leading to credential theft, unauthorized data access, and severe reputational damage.
Remediation
Immediate Action: Upgrade to DivvyDrive version 4.8.3.2 or the latest available release provided by the vendor.
Proactive Monitoring: Review web server access logs for anomalous URL parameters and unexpected redirects to external domains.
Compensating Controls: Implement strict allow-lists for redirect destinations within your Web Application Firewall (WAF) to prevent unauthorized external redirection.
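Two defender-side pieces that follow from the Proactive Monitoring and Compensating Controls items above, as an added example that is not DivvyDrive's code or configuration: a redirect-target check against a strict allow-list that also handles the scheme-relative, backslash, tab and userinfo forms a naive host check misses, and a scan of constructed access-log lines for redirect parameters that fail it. The parameter name `returnUrl`, the allow-listed hosts and the log lines are assumptions; the advisory names none of them.

```python
# Added example, not DivvyDrive code; hosts, parameter name and log lines are constructed.
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

ALLOWED_HOSTS = {"drive.example.com", "sso.example.com"}  # constructed allow-list

def safe_redirect_target(raw: str, default: Optional[str] = "/") -> Optional[str]:
    """Accept `raw` (already percent-decoded once by the framework) only if it is
    a same-site path or an https URL on an allow-listed host; otherwise `default`.
    Callers must redirect to the returned, normalised value, never to `raw`."""
    # Browsers drop tabs/newlines anywhere and spaces/controls at the ends;
    # removing all of them is stricter and also closes "/\t/evil.example".
    target = re.sub(r"[\x00-\x20\x7f]+", "", raw)
    # Browsers treat backslash as slash, so "/\evil.example" means "//evil.example".
    target = target.replace("\\", "/")
    if target.startswith("/") and not target.startswith("//"):
        return target  # plain same-site path
    parts = urlsplit(target)  # handles "//host", "https:host", "javascript:" forms
    # .hostname is lower-cased and drops any "user:pass@" prefix, so
    # "https://drive.example.com@evil.example/" resolves to evil.example.
    if parts.scheme != "https" or not parts.hostname or parts.hostname not in ALLOWED_HOSTS:
        return default
    return target

REQUEST = re.compile(r'^(\S+) .*"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def flag_external_redirects(log_lines, param: str = "returnUrl") -> List[Tuple[str, str]]:
    """Return (client, redirect_value) for requests whose redirect parameter fails the check."""
    hits = []
    for line in log_lines:
        m = REQUEST.match(line)
        if not m:
            continue
        client, path = m.groups()
        for value in parse_qs(urlsplit(path).query, keep_blank_values=True).get(param, []):
            if safe_redirect_target(value, default=None) is None:
                hits.append((client, value))
    return hits

SAMPLE_LOG = [  # constructed access-log lines, not real traffic
    '10.0.0.5 - - [01/Jan/2026:10:00:00 +0000] "GET /login?returnUrl=%2Fdashboard HTTP/1.1" 302 0',
    '10.0.0.6 - - [01/Jan/2026:10:00:01 +0000] "GET /login?returnUrl=%2F%2Fevil.example%2Fphish HTTP/1.1" 302 0',
    '10.0.0.7 - - [01/Jan/2026:10:00:02 +0000] "GET /login?returnUrl=https%3A%2F%2Fdrive.example.com%40evil.example%2F HTTP/1.1" 302 0',
    '10.0.0.8 - - [01/Jan/2026:10:00:03 +0000] "GET /files HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for client, value in flag_external_redirects(SAMPLE_LOG):
        print(f"{client} requested redirect to {value!r}")
```

The same check belongs in the application's redirect handler, not only in a WAF, because the WAF sees the raw query string and the application sees the decoded value.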
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
Given the critical CVSS severity, administrators should prioritize patching DivvyDrive to version 4.8.3.2 immediately. Failure to address this vulnerability increases the risk of successful social engineering attacks against your user base.