Impact
The identified flaw resides in the email sending interface of BLUVOYIX. An unauthenticated remote actor can craft HTTP requests targeted at the email API. When this entry point is triggered, the application relays the supplied message to any recipient, allowing the attacker to send unsolicited or potentially malicious emails on behalf of the organization. Because authentication checks are absent, the attacker needs no elevated privileges and has broad reach to any user address stored in or reachable by the system.
Affected Systems
The impacted product is Bluspark Global’s BLUVOYIX email platform. No specific version information is provided, so all deployed instances should be treated as vulnerable until a patch or advisory is released by the vendor.
Risk and Exploitability
The CVSS base score of 10 underscores the critical nature of this vulnerability, while an EPSS score of less than 1% indicates a very low likelihood of immediate exploitation in the wild. Nevertheless, because the flaw allows an attacker to send arbitrary emails without credentials, it poses a serious threat to the organization’s reputation and could serve as a conduit for phishing or spam campaigns. The vulnerability is not currently listed in CISA’s Known Exploited Vulnerabilities catalog, which suggests no publicly documented exploits yet. Exploitation prerequisites are minimal: the attacker only needs to reach the exposed API endpoint over HTTP and send a crafted request. No additional software or privileged access is required.