๐Ÿ” CVE Alert

CVE-2026-52839

LOW 3.3

Easy!Appointments appointments/store and appointments/update allow cross-provider appointment injection โ€” Authorization Bypass

CVSS Score
3.3
EPSS Score
0.1%
EPSS Percentile
4th

Easy!Appointments is a self hosted appointment scheduler. Versions prior to 1.6.0 correctly filter provider-scoped appointments in the `appointments/search` response, proving that provider isolation is an intended security boundary. However, the direct mutation endpoints `appointments/store` and `appointments/update` only check generic appointment privileges and never verify that the submitted `id_users_provider` belongs to the current session. A normal authenticated provider can inject new appointments into another provider's schedule via `store`, or reassign existing appointments into a foreign provider's calendar via `update`. The `store` path contains an additional write-before-crash bug: the unauthorized row is committed to the database before the controller crashes on a type error, so the attacker receives an error response while the foreign appointment is already persisted. Version 1.6.0 patches the issue.

CWE CWE-639 CWE-862
Vendor alextselegidis
Product easyappointments
Published Jul 14, 2026
Last Updated Jul 15, 2026
Stay Ahead of the Next One

Get instant alerts for alextselegidis easyappointments

Be the first to know when new low vulnerabilities affecting alextselegidis easyappointments are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Affected Versions

alextselegidis / easyappointments
< 1.6.0

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/alextselegidis/easyappointments/security/advisories/GHSA-w8xc-8g92-v77h github.com: https://github.com/alextselegidis/easyappointments/commit/4abb10545d83ac1a57d03f6502376ee67696ea7c