CRITICAL🇵🇱 Wersja polska

CVE-2026-22239

CVSS 10.0v4.0pub. 2026-01-14upd. 2026-02-02

The vulnerability exists in BLUVOYIX due to design flaws in the email sending API. An unauthenticated remote attacker could exploit this vulnerability by sending specially crafted HTTP requests to the vulnerable email sending API. Successful exploitation of this vulnerability could allow the attacker to send unsolicited emails to anyone on behalf of the company.

🤖 AI Analysis
How it works

The vulnerability (CWE-400 — uncontrolled resource consumption) results from the lack of proper authentication mechanisms and access restrictions to the email sending API. An attacker sends specially crafted HTTP requests to the vulnerable API endpoint without needing any credentials. As a result, the server processes the requests and sends emails to any recipients, impersonating the domain or identity of the organization using Bluvoyix.

Impact

An attacker can send unsolicited or malicious emails without restrictions to any recipients on behalf of the company, which may lead to serious reputational damage, domain reputation breach, server placement on blacklists, and potential abuse for phishing or spam campaigns.

Mitigation & patch

Patches available from the vendor should be applied according to the references. As a temporary workaround, it is recommended to restrict access to the email sending API endpoint at the firewall or application gateway (WAF) level to trusted sources only, and to implement authentication mechanisms and request rate limiting.

Who is affected

Blusparkglobal Bluvoyix product — versions indicated in the vendor's references

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:H/U:Amber
  • Blusparkglobal Bluvoyix

    APP
    Blusparkglobal
    wszystkie wersje
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2026-22236CRITICAL10.0PL ✓ten sam produkt

Pominięcie uwierzytelnienia w Blusparkglobal BLUVOYIX (Auth Bypass)

CVE-2026-22237CRITICAL10.0PL ✓ten sam produkt

Ujawnienie wewnętrznej dokumentacji API w Blusparkglobal BLUVOYIX

CVE-2026-22238CRITICAL10.0PL ✓ten sam produkt

Brak uwierzytelnienia w admin API Blusparkglobal BLUVOYIX — pełne przejęcie platformy

CVE-2026-22240CRITICAL10.0PL ✓ten sam produkt

BLUVOYIX: ujawnienie haseł w postaci jawnej przez nieuwierzytelnione API