24h | 7d | 30d

CVE-2026-22236

Overview

  • Bluspark Global
  • BLUVOYIX
14 Jan 2026
Published
14 Jan 2026
Updated
CVSS v4.0
CRITICAL (10.0)
EPSS
0.16%
KEV

Description

The vulnerability exists in BLUVOYIX due to improper authentication in the BLUVOYIX backend APIs. An unauthenticated remote attacker could exploit this vulnerability by sending specially crafted HTTP requests to the vulnerable APIs. Successful exploitation of this vulnerability could allow the attacker to gain full access to customers' data and completely compromise the targeted platform.

Statistics

  • 1 Post
Last activity: 12 hours ago

Fediverse

Profile picture
Mike Spooner @shelldozer

HOLY COW, BATMAN:

Complete takeover of a high-value target system, without cracking skills, nor any complex chained attacks:

CVE-2026-22236: APIs did not check for a valid authorization token. As a result, all APIs were unauthenticated.

and

CVE-2026-22240: Plaintext passwords. There were 3 APIs that could be used to retrieve the plaintext passwords of all accounts, including admins.

eaton-works.com/2026/01/14/blu

  • 0
  • 0
  • 0
  • 12h ago

CVE-2026-22240

Overview

  • Bluspark Global
  • BLUVOYIX
14 Jan 2026
Published
14 Jan 2026
Updated
CVSS v4.0
CRITICAL (10.0)
EPSS
0.06%
KEV

Description

The vulnerability exists in BLUVOYIX due to an improper password storage implementation and subsequent exposure via unauthenticated APIs. An unauthenticated remote attacker could exploit this vulnerability by sending specially crafted HTTP requests to the vulnerable users API to retrieve the plaintext passwords of all user users. Successful exploitation of this vulnerability could allow the attacker to gain full access to customers' data and completely compromise the targeted platform by logging in using an exposed admin email address and password.

Statistics

  • 1 Post
Last activity: 12 hours ago

Fediverse

Profile picture
Mike Spooner @shelldozer

HOLY COW, BATMAN:

Complete takeover of a high-value target system, without cracking skills, nor any complex chained attacks:

CVE-2026-22236: APIs did not check for a valid authorization token. As a result, all APIs were unauthenticated.

and

CVE-2026-22240: Plaintext passwords. There were 3 APIs that could be used to retrieve the plaintext passwords of all accounts, including admins.

eaton-works.com/2026/01/14/blu

  • 0
  • 0
  • 0
  • 12h ago
Showing 11 to 12 of 12 CVEs