216.73.216.169

CVE-2026-23622

· Published 15/01/2026 20:16 · Modified 16/01/2026 15:55

Labels: CVE-2026-23622 2026-01-15CVE-2026-23622CWE-352[email protected]

Essential information

Published
15/01/2026 20:16
Modified
16/01/2026 15:55
Author
Creator
CVSS
8.7 HIGH (v3) 8.7 HIGH (v4.0)
CISA KEV
No
CWE
CVSS vector

CVSS metrics

Description

Easy!Appointments is a self hosted appointment scheduler. In 1.5.2 and earlier, application/core/EA_Security.php::csrf_verify() only enforces CSRF for POST requests and returns early for non-POST methods. Several application endpoints perform state-changing operations while accepting parameters from GET (or $_REQUEST), so an attacker can perform CSRF by forcing a victim's browser to issue a crafted GET request. Impact: creation of admin accounts, modification of admin email/password, and full admin account takeover.

NVD status

Status
Undergoing Analysis — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
easy-appointments / easy-appointments cpe:2.3:a:easy-appointments:easy-appointments:<1.5.2:*:*:*:*:*:*:*

References