SSRF Vulnerability in Easy!Appointments Appointment Scheduler
CVE-2026-52840
2.7LOW
What is CVE-2026-52840?
In the Easy!Appointments application, versions prior to 1.6.0 have a vulnerability that allows a logged-in user to perform Server-Side Request Forgery (SSRF) via the Caldav::connect_to_server function. This issue arises because the caldav_url provided by the user is sent to a Guzzle REPORT call without proper validation of the scheme or host. As a result, an attacker could exploit this by sending requests to internal network services without detection, leading to potential information leakage. The vulnerability has been patched in version 1.6.0, which is essential for users to upgrade to in order to secure their applications.
Affected Version(s)
easyappointments < 1.6.0
