Data Exposure Vulnerability in Easy!Appointments by Alex Tselegidis
CVE-2026-52837

6.9MEDIUM

Key Information:

Vendor
CVE Published:
14 July 2026

What is CVE-2026-52837?

Easy!Appointments, a widely used self-hosted appointment scheduling tool, has a vulnerability in its booking rescheduling process. In versions up to 1.5.2, the application exposes customer data through an unsecured JavaScript object on the /index.php/booking/reschedule/{appointment_hash} page. This flaw allows any user with access to a 12-character appointment hash—found in confirmation emails and URLs—to obtain sensitive information from the ea_users table without proper authentication or filtering. A patch was introduced in version 1.6.0 to address this significant privacy risk.

Affected Version(s)

easyappointments < 1.6.0

References

CVSS V4

Score:
6.9
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.