Stored XSS in Easy!Appointments by Alex Tselegidis
CVE-2026-52838

2.6LOW

Key Information:

Vendor
CVE Published:
14 July 2026

What is CVE-2026-52838?

Easy!Appointments is a self-hosted appointment scheduling tool that allows certain custom messages to be defined by administrators. In versions prior to 1.6.0, it was possible for an administrator to input potentially malicious HTML or JavaScript code into the 'disable_booking_message' setting through a rich-text editor. This insecure implementation inadvertently passed unsanitized content to users accessing the public booking page. As a result, every unauthenticated visitor is at risk of executing stored XSS attacks when viewing the booking page. This vulnerability highlights the necessity for adequate input validation and sanitization measures in web applications.

Affected Version(s)

easyappointments < 1.6.0

References

CVSS V3.1

Score:
2.6
Severity:
LOW
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
High
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.