๐Ÿ” CVE Alert

CVE-2026-52837

UNKNOWN 0.0

Easy!Appointments has unauthenticated customer PII disclosure on booking reschedule page

CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th

Easy!Appointments is a self hosted appointment scheduler. In versions up to and including 1.5.2, the booking reschedule view at `/index.php/booking/reschedule/{appointment_hash}` (handled by `Booking::index()`) embeds the entire customer record as inline JavaScript (`const vars = {... "customer_data": {...}, ...}`) without authentication and without field whitelisting. Anyone in possession of the 12-character `appointment_hash` โ€” which appears in plain text in reschedule emails, confirmation page URLs, and operator-side calendar links โ€” can read every column of that customer's row in the `ea_users` table. Version 1.6.0 contains a patch.

CWE CWE-200 CWE-639
Vendor alextselegidis
Product easyappointments
Published Jul 14, 2026
Last Updated Jul 14, 2026
Stay Ahead of the Next One

Get instant alerts for alextselegidis easyappointments

Be the first to know when new unknown vulnerabilities affecting alextselegidis easyappointments are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

alextselegidis / easyappointments
< 1.6.0

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/alextselegidis/easyappointments/security/advisories/GHSA-xgr6-pqjv-3pf8 github.com: https://github.com/alextselegidis/easyappointments/commit/725eafa647308846ce887657db12771a829e42ef