Description
The vulnerability exists in BLUVOYIX due to an improper password storage implementation and subsequent exposure via unauthenticated APIs. An unauthenticated remote attacker could exploit this vulnerability by sending specially crafted HTTP requests to the vulnerable users API to retrieve the plaintext passwords of all user users. Successful exploitation of this vulnerability could allow the attacker to gain full access to customers' data and completely compromise the targeted platform by logging in using an exposed admin email address and password.
Published: 2026-01-14
Score: 10 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Credential theft and full platform compromise
Action: Immediate Patch
AI Analysis

Impact

The flaw stems from storing user passwords in plaintext within BLUVOYIX and exposing them through an unauthenticated API. An attacker can send crafted HTTP requests to the users API endpoint to retrieve the plaintext credentials for every account. With these credentials, the attacker can log into the platform using an exposed administrative email and password, granting complete control over customer data and potentially enabling further compromise of the system.

Affected Systems

The vulnerability affects all releases of BLUVOYIX from Bluspark Global. No specific version constraints were provided, so any currently deployed instance is potentially vulnerable.

Risk and Exploitability

The CVSS score of 10 classifies this as a critical vulnerability, while the EPSS score indicates a very low but non‑zero likelihood of exploitation. Because the API is unauthenticated, an attacker does not need any privileges to exploit it. The impact is full platform compromise and credential theft. The vulnerability is not listed in the CISA KEV catalog.

Generated by OpenCVE AI on April 18, 2026 at 16:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Obtain and deploy the vendor patch or upgrade BLUVOYIX to a version that securely stores passwords using salted hashing.
  • Block or secure the vulnerable API endpoints, allowing only authenticated or internal traffic with firewall rules or network segmentation.
  • Force a comprehensive password reset for all users, especially administrative accounts, after remediation, and enforce multi‑factor authentication if supported.

Generated by OpenCVE AI on April 18, 2026 at 16:18 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

References
Link Providers
https://blusparkglobal.com/bluvoyix/ cve-icon cve-icon
History

Mon, 02 Feb 2026 16:00:00 +0000

Type Values Removed Values Added
First Time appeared Blusparkglobal
Blusparkglobal bluvoyix
CPEs cpe:2.3:a:blusparkglobal:bluvoyix:-:*:*:*:*:*:*:*
Vendors & Products Blusparkglobal
Blusparkglobal bluvoyix
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Thu, 15 Jan 2026 08:15:00 +0000

Type Values Removed Values Added
First Time appeared Bluspark Global
Bluspark Global bluvoyix
Vendors & Products Bluspark Global
Bluspark Global bluvoyix

Wed, 14 Jan 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 14 Jan 2026 15:00:00 +0000

Type Values Removed Values Added
Description The vulnerability exists in BLUVOYIX due to an improper password storage implementation and subsequent exposure via unauthenticated APIs. An unauthenticated remote attacker could exploit this vulnerability by sending specially crafted HTTP requests to the vulnerable users API to retrieve the plaintext passwords of all user users. Successful exploitation of this vulnerability could allow the attacker to gain full access to customers' data and completely compromise the targeted platform by logging in using an exposed admin email address and password.
Title Plaintext Passwords Vulnerability in BLUVOYIX
Weaknesses CWE-200
CWE-312
CWE-522
References
Metrics cvssV4_0

{'score': 10, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/RE:M/U:Red'}

Subscriptions

Bluspark Global Bluvoyix
Blusparkglobal Bluvoyix
cve-icon MITRE

Status: PUBLISHED

Assigner: MHV

Published:

Updated: 2026-01-14T14:58:59.484Z

Reserved: 2026-01-06T23:20:59.365Z

Link: CVE-2026-22240

cve-icon Vulnrichment

Updated: 2026-01-14T14:58:51.452Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-14T15:16:05.413

Modified: 2026-02-02T15:50:22.353

Link: CVE-2026-22240

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T16:30:05Z

Weaknesses