Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
Network-reachable endpoint needs only a low-privileged authenticated account (PR:L, AC:L, UI:N); hash leak is limited confidentiality (C:L) but enables high-impact tampering with others' appointments (I:H).
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
Lifecycle Timeline
2DescriptionCVE.org
Easy!Appointments is a self hosted appointment scheduler. In version 1.5.2, an Excessive Data Exposure vulnerability in the customers search endpoint allows an authenticated user to obtain appointment hashes belonging to other users. Using these hashes, an attacker can modify or delete appointments of other providers, resulting in an Appointments Takeover. Version 1.6.0 fixes the issue.
AnalysisAI
Broken object-level authorization in Easy!Appointments 1.5.2 lets any authenticated user query the customers search endpoint to harvest the appointment hash tokens of other users and providers. Because these hashes act as the access control for appointment operations, an attacker can then edit or delete appointments they do not own, achieving a full Appointments Takeover across other providers. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires an authenticated account on the target Easy!Appointments instance (CVSS PR:L) and access to the customers search endpoint, which returns appointment hashes of other users beyond the caller's authorization scope; possession of a leaked hash is the concrete prerequisite for the follow-on modify/delete actions. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N, base 7.1) signals a network-reachable, low-complexity attack that requires only a low-privileged authenticated account and no user interaction, with limited confidentiality loss but high integrity impact - consistent with the description in which a leaked hash enables tampering with other providers' bookings. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A registered low-privileged user on a shared Easy!Appointments 1.5.2 instance calls the customers search endpoint and receives appointment hashes belonging to other users and providers in the response. Reusing those hashes against the appointment modify/delete functions, the attacker reschedules or cancels bookings they do not own, disrupting other providers' schedules. … |
| Remediation | Vendor-released patch: upgrade to Easy!Appointments 1.6.0, which fixes the excessive data exposure in the customers search endpoint per advisory GHSA-4vmm-5qvc-w5p7 (https://github.com/alextselegidis/easyappointments/security/advisories/GHSA-4vmm-5qvc-w5p7). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, review access logs on the customers search endpoint to identify suspicious queries from authenticated users. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Easyappointments
View allAn issue in Alex Tselegidis EasyAppointments v.1.5.0 allows a remote attacker to escalate privileges via the index.php f
Use of Hard-coded Credentials in GitHub repository alextselegidis/easyappointments prior to 1.5.0. Rated critical severi
Exposure of Private Personal Information to an Unauthorized Actor in GitHub repository alextselegidis/easyappointments p
Session Fixation in GitHub repository alextselegidis/easyappointments prior to 1.5.0. Rated high severity (CVSS 8.8), th
API Privilege Escalation in GitHub repository alextselegidis/easyappointments prior to 1.5.0. Rated high severity (CVSS
Cross Site Scripting vulnerability in Alex Tselegidis EasyAppointments v.1.5.0 allows a remote attacker to execute arbit
Improper Access Control in GitHub repository alextselegidis/easyappointments prior to 1.5.0. Rated medium severity (CVSS
Cross-site Scripting (XSS) - Stored in GitHub repository alextselegidis/easyappointments prior to 1.5.0. Rated medium se
Cross-site Scripting (XSS) - Stored in GitHub repository alextselegidis/easyappointments prior to 1.5.0. Rated medium se
Authorization Bypass Through User-Controlled Key in GitHub repository alextselegidis/easyappointments prior to 1.5.0. Ra
Code Injection in GitHub repository alextselegidis/easyappointments prior to 1.5.0. Rated low severity (CVSS 3.8), this
The reschedule endpoint in Easy!Appointments 1.5.2 and earlier exposes the complete customer database record to any part
Same weakness CWE-200 – Information Exposure
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43726