๐Ÿ” CVE Alert

CVE-2026-52838

LOW 2.6

Easy!Appointments disable_booking_message rendered as raw HTML on public booking page โ€” Stored XSS

CVSS Score
2.6
EPSS Score
0.0%
EPSS Percentile
0th

Easy!Appointments is a self hosted appointment scheduler. Versions prior to 1.6.0 allow administrators to define a custom "booking disabled" message through the booking settings page. That value is stored in the `disable_booking_message` setting via a rich-text editor and later passed directly to the public `booking_message` view without escaping or sanitization. An authenticated administrator can store HTML or JavaScript in this field, enable disabled-booking mode, and trigger stored XSS in every unauthenticated visitor who opens the public booking page. Version 1.6.0 fixes the issue.

CWE CWE-79
Vendor alextselegidis
Product easyappointments
Published Jul 14, 2026
Last Updated Jul 14, 2026
Stay Ahead of the Next One

Get instant alerts for alextselegidis easyappointments

Be the first to know when new low vulnerabilities affecting alextselegidis easyappointments are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
High
User Interaction
Required
Scope
Changed
Confidentiality
None
Integrity
Low
Availability
None

Affected Versions

alextselegidis / easyappointments
< 1.6.0

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/alextselegidis/easyappointments/security/advisories/GHSA-996f-334j-67g7 github.com: https://github.com/alextselegidis/easyappointments/commit/629a0415f54f75556c17f4f5d9c77fda1fdbdeae