High severity8.8NVD Advisory· Published Jan 15, 2026· Updated Apr 29, 2026
CVE-2026-23622
CVE-2026-23622
Description
Easy!Appointments is a self hosted appointment scheduler. In 1.5.2 and earlier, application/core/EA_Security.php::csrf_verify() only enforces CSRF for POST requests and returns early for non-POST methods. Several application endpoints perform state-changing operations while accepting parameters from GET (or $_REQUEST), so an attacker can perform CSRF by forcing a victim's browser to issue a crafted GET request. Impact: creation of admin accounts, modification of admin email/password, and full admin account takeover.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
alextselegidis/easyappointmentsPackagist | <= 1.5.2 | — |
Affected products
1- cpe:2.3:a:easyappointments:easy\!appointments:*:*:*:*:*:-:*:*Range: <=1.5.2
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
4- github.com/advisories/GHSA-54v4-4685-vwrjghsaADVISORY
- github.com/alextselegidis/easyappointments/security/advisories/GHSA-54v4-4685-vwrjnvdVendor AdvisoryExploitWEB
- nvd.nist.gov/vuln/detail/CVE-2026-23622ghsaADVISORY
- github.com/alextselegidis/easyappointments/blob/41c9b93a5a2c185a914f204412324d8980943fd5/application/core/EA_Security.phpghsaWEB
News mentions
0No linked articles in our index yet.