Vulnerability Description
Easy!Appointments is a self hosted appointment scheduler. In 1.5.2 and earlier, application/core/EA_Security.php::csrf_verify() only enforces CSRF for POST requests and returns early for non-POST methods. Several application endpoints perform state-changing operations while accepting parameters from GET (or $_REQUEST), so an attacker can perform CSRF by forcing a victim's browser to issue a crafted GET request. Impact: creation of admin accounts, modification of admin email/password, and full admin account takeover.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Easyappointments | Easy\!Appointments | <= 1.5.2 |
Related Weaknesses (CWE)
References
- https://github.com/alextselegidis/easyappointments/security/advisories/GHSA-54v4Vendor AdvisoryExploit
- https://github.com/alextselegidis/easyappointments/security/advisories/GHSA-54v4Vendor AdvisoryExploit
FAQ
What is CVE-2026-23622?
CVE-2026-23622 is a vulnerability with a CVSS score of 8.8 (HIGH). Easy!Appointments is a self hosted appointment scheduler. In 1.5.2 and earlier, application/core/EA_Security.php::csrf_verify() only enforces CSRF for POST requests and returns early for non-POST meth...
How severe is CVE-2026-23622?
CVE-2026-23622 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-23622?
Check the references section above for vendor advisories and patch information. Affected products include: Easyappointments Easy\!Appointments.