Cyber Posture

CVE-2026-22237

Critical

Published: 14 January 2026

Modified
02 February 2026
KEV Added
Patch
CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0062 (70.2nd percentile)
Risk Priority 20 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Description

The vulnerability exists in BLUVOYIX due to the exposure of sensitive internal API documentation. An unauthenticated remote attacker could exploit this vulnerability by sending specially crafted HTTP requests to the APIs exposed by the documentation. Successful exploitation of this vulnerability could allow the attacker to cause damage to the targeted platform by abusing internal functionality.

Mitigating Controls (NIST 800-53 r5)

prevent: Directly requires organizations to review, approve, and manage publicly accessible content to prevent exposure of sensitive internal API documentation.

prevent: Provides protections for information accessible from public networks, directly addressing risks from exposed sensitive API documentation.

prevent, detect: Monitors and controls communications at system boundaries to block exploitation of internal APIs via crafted HTTP requests informed by the exposed documentation.

Security Summary

CVE-2026-22237 is a critical vulnerability (CVSS 9.8, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) published on 2026-01-14, affecting BLUVOYIX. It arises from the exposure of sensitive internal API documentation (CWE-200), which reveals details about internal APIs that should not be publicly accessible.

An unauthenticated remote attacker can exploit this vulnerability over the network with low complexity by sending specially crafted HTTP requests to the APIs exposed through the documentation. Successful exploitation enables the attacker to abuse internal functionality, resulting in high-impact damage to the targeted platform across confidentiality, integrity, and availability.

Mitigation guidance is available in the vendor advisory at https://blusparkglobal.com/bluvoyix/.

Details

CWE(s)

CWE-200

Affected Products

blusparkglobal bluvoyix, all versions

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

The vulnerability exposes sensitive internal API documentation, allowing unauthenticated remote attackers to send crafted HTTP requests to abuse public-facing APIs, which directly maps to T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References