Stored XSS in Easy!Appointments by Alex Tselegidis
CVE-2026-52838
2.6LOW
What is CVE-2026-52838?
Easy!Appointments is a self-hosted appointment scheduling tool that allows certain custom messages to be defined by administrators. In versions prior to 1.6.0, it was possible for an administrator to input potentially malicious HTML or JavaScript code into the 'disable_booking_message' setting through a rich-text editor. This insecure implementation inadvertently passed unsanitized content to users accessing the public booking page. As a result, every unauthenticated visitor is at risk of executing stored XSS attacks when viewing the booking page. This vulnerability highlights the necessity for adequate input validation and sanitization measures in web applications.
Affected Version(s)
easyappointments < 1.6.0
