Data Exposure Vulnerability in Easy!Appointments by Alex Tselegidis
CVE-2026-52837
6.9MEDIUM
What is CVE-2026-52837?
Easy!Appointments, a widely used self-hosted appointment scheduling tool, has a vulnerability in its booking rescheduling process. In versions up to 1.5.2, the application exposes customer data through an unsecured JavaScript object on the /index.php/booking/reschedule/{appointment_hash} page. This flaw allows any user with access to a 12-character appointment hash—found in confirmation emails and URLs—to obtain sensitive information from the ea_users table without proper authentication or filtering. A patch was introduced in version 1.6.0 to address this significant privacy risk.
Affected Version(s)
easyappointments < 1.6.0
