Authorization bypass through user-controlled key in Easy!Appointments - CVE-2026-52837
Published: June 15, 2026
Easy!Appointments
Detailed vulnerability description
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to an authorization bypass through a user-controlled key in the booking reschedule view when handling a GET request to /index.php/booking/reschedule/{appointment_hash}. A remote attacker can send a request with a valid appointment hash to disclose sensitive information.
The response embeds the full customer record as inline JavaScript, exposing fields beyond those required by the reschedule interface.
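A check for the over-exposure described above, as an added example that is not code from Easy!Appointments or from this advisory: it parses the inline JavaScript of a saved reschedule response from your own instance and lists populated customer fields outside an allowlist. The variable name `vars`, the `customer` key, the field names and the allowlist are assumptions, and the sample response is constructed.

```python
import json
import re

# Assumption: the only customer fields the reschedule form needs to render.
ALLOWED_CUSTOMER_FIELDS = {"id", "first_name", "last_name", "email"}

# Constructed sample response body; variable and field names are hypothetical.
SAMPLE_HTML = """
<html><body><script>
  const vars = {"appointment": {"hash": "HASH_PLACEHOLDER", "id_users_customer": 7},
    "customer": {"id": 7, "first_name": "Ada", "last_name": "Example",
                 "email": "ada@example.test", "phone_number": "555-0100",
                 "address": "1 Example St {Unit 2}", "notes": "", "timezone": "UTC"}};
</script></body></html>
"""

def inline_objects(html):
    """Yield each JSON object assigned to a variable inside a <script> block."""
    decoder = json.JSONDecoder()
    for script in re.findall(r"<script[^>]*>(.*?)</script>", html, re.S | re.I):
        for match in re.finditer(r"=\s*(?=\{)", script):
            try:
                # raw_decode copes with braces inside string values.
                obj, _ = decoder.raw_decode(script, match.end())
            except json.JSONDecodeError:
                continue  # assignment of non-JSON JavaScript; skip it
            yield obj

def find_records(node, key="customer"):
    """Recursively yield every dict stored under `key`."""
    if isinstance(node, dict):
        for name, value in node.items():
            if name == key and isinstance(value, dict):
                yield value
            yield from find_records(value, key)
    elif isinstance(node, list):
        for item in node:
            yield from find_records(item, key)

def excess_customer_fields(html, allowed=ALLOWED_CUSTOMER_FIELDS):
    """Return populated customer fields in the page that are not on the allowlist."""
    excess = set()
    for obj in inline_objects(html):
        for record in find_records(obj):
            excess |= {k for k, v in record.items()
                       if k not in allowed and v not in ("", None)}
    return sorted(excess)

if __name__ == "__main__":
    print(excess_customer_fields(SAMPLE_HTML))
```

An empty list means every populated customer field in the page is on the allowlist; any other result names the fields the view should stop embedding.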