Unauthorized Email Injection Vulnerability
A critical vulnerability in the email verification and sign-up APIs of version v1.2.26 allows unauthenticated attackers to inject data into outgoing emails. This issue was patched in version 1.4.10.
Available publicly on Oct 08 2024 | Available with Premium on Aug 28 2024
Threat Overview
The vulnerability allows an attacker to inject arbitrary data into emails sent by the application. This is achieved by bypassing the extractFirstName function with a different whitespace character (\xa0) in place of the normal space, so that the text following the name is not stripped off. The injected data can be used for phishing attacks, spreading malware, damaging the brand's reputation, causing legal issues, and incurring financial costs due to unauthorized email usage.
Attack Scenario
An attacker crafts a POST request to the /v1/users/send-verification or /auth/signup endpoint, replacing normal whitespace characters in the name field with \xa0. This allows the attacker to inject malicious content into the email body, which is then sent to the victim. The victim receives an email that appears legitimate but contains harmful links or content.
Who is affected
Users of the application version v1.2.26 who rely on the email verification and sign-up features are affected. This includes both the application's users and the organization itself, which may suffer from brand damage, legal issues, and financial costs.
Technical Report