SSRF Vulnerability in Easy!Appointments Appointment Scheduler
CVE-2026-52840

2.7LOW

Key Information:

Vendor
CVE Published:
14 July 2026

What is CVE-2026-52840?

In the Easy!Appointments application, versions prior to 1.6.0 have a vulnerability that allows a logged-in user to perform Server-Side Request Forgery (SSRF) via the Caldav::connect_to_server function. This issue arises because the caldav_url provided by the user is sent to a Guzzle REPORT call without proper validation of the scheme or host. As a result, an attacker could exploit this by sending requests to internal network services without detection, leading to potential information leakage. The vulnerability has been patched in version 1.6.0, which is essential for users to upgrade to in order to secure their applications.

Affected Version(s)

easyappointments < 1.6.0

References

CVSS V3.1

Score:
2.7
Severity:
LOW
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.