Aggregates CVE and security vulnerability intelligence across all easyappointments-related products, including CVSS, EPSS, publication dates, and vulnerability intelligence data.
Common weakness patterns include vendor risk cross-site scripting, vendor risk csrf, and vendor risk sql injection, with potential vendor impact session compromise across vendor surface production workloads use cases.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2026-23622 | Easy!Appointments is a self hosted appointment scheduler. In 1.5.2 and earlier, application/core/EA_Security.php::csrf_verify() only enforces CSRF for POST requests and returns early for non-POST methods. Several application endpoints perform state-changing operations while accepting parameters from GET (or $_REQUEST), so an attacker can perform CSRF by forcing a victim's browser to issue a crafted GET request. Impact: creation of admin accounts, modification of admin email/password, and full ad | [email protected] | 7.4 | 0.20% | 2026-01-15 | 2026-06-17 |
| CVE-2025-50383 | alextselegidis Easy!Appointments v1.5.1 was discovered to contain a SQL injection vulnerability via the order_by parameter. | [email protected] | 8.1 | 0.35% | 2025-08-25 | 2026-06-17 |
| CVE-2025-29448 | Booking logic flaw in Easy!Appointments v1.5.1 allows unauthenticated attackers to create appointments with excessively long durations, causing a denial of service by blocking all future booking availability. | [email protected] | 7.5 | 0.54% | 2025-05-07 | 2026-06-17 |
| CVE-2025-31828 | Cross-Site Request Forgery (CSRF) vulnerability in alextselegidis Easy!Appointments easyappointments allows Cross Site Request Forgery.This issue affects Easy!Appointments: from n/a through <= 1.4.2. | [email protected] | 4.3 | 0.21% | 2025-04-01 | 2026-06-17 |
| CVE-2024-57602 | An issue in Alex Tselegidis EasyAppointments v.1.5.0 allows a remote attacker to escalate privileges via the index.php file. | [email protected] | 9.8 | 0.77% | 2025-02-12 | 2026-06-17 |
| CVE-2024-57601 | Cross Site Scripting vulnerability in Alex Tselegidis EasyAppointments v.1.5.0 allows a remote attacker to execute arbitrary code via the legal_settings parameter. | [email protected] | 6.1 | 0.47% | 2025-02-12 | 2026-06-17 |
| CVE-2023-3290 | A BOLA vulnerability in POST /customers allows a low privileged user to create a low privileged user (customer) in the system. This results in unauthorized data manipulation. | [email protected] | 5.0 | 0.29% | 2024-07-09 | 2026-06-17 |
| CVE-2023-3289 | A BOLA vulnerability in POST /services allows a low privileged user to create a service for any user in the system (including admin). This results in unauthorized data manipulation. | [email protected] | 7.7 | 0.33% | 2024-07-09 | 2026-06-17 |
| CVE-2023-3288 | A BOLA vulnerability in POST /providers allows a low privileged user to create a privileged user (provider) in the system. This results in privilege escalation. | [email protected] | 8.5 | 0.35% | 2024-07-09 | 2026-06-17 |
| CVE-2023-3287 | A BOLA vulnerability in POST /admins allows a low privileged user to create a high privileged user (admin) in the system. This results in privilege escalation. | [email protected] | 9.9 | 0.43% | 2024-07-09 | 2026-06-17 |
| CVE-2023-3286 | A BOLA vulnerability in POST /secretaries allows a low privileged user to create a low privileged user (secretary) in the system. This results in unauthorized data manipulation. | [email protected] | 7.7 | 0.33% | 2024-07-09 | 2026-06-17 |
| CVE-2023-38055 | A BOLA vulnerability in GET, PUT, DELETE /services/{serviceId} allows a low privileged user to fetch, modify or delete the services of any user (including admin). This results in unauthorized access and unauthorized data manipulation. | [email protected] | 9.6 | 0.39% | 2024-07-09 | 2026-06-17 |
| CVE-2023-38054 | A BOLA vulnerability in GET, PUT, DELETE /customers/{customerId} allows a low privileged user to fetch, modify or delete a low privileged user (customer). This results in unauthorized access and unauthorized data manipulation. | [email protected] | 9.9 | 0.40% | 2024-07-09 | 2026-06-17 |
| CVE-2023-38053 | A BOLA vulnerability in GET, PUT, DELETE /settings/{settingName} allows a low privileged user to fetch, modify or delete the settings of any user (including admin). This results in unauthorized access and unauthorized data manipulation. | [email protected] | 9.9 | 0.40% | 2024-07-09 | 2026-06-17 |
| CVE-2023-38052 | A BOLA vulnerability in GET, PUT, DELETE /admins/{adminId} allows a low privileged user to fetch, modify or delete a high privileged user (admin). This results in unauthorized access and unauthorized data manipulation. | [email protected] | 9.9 | 0.40% | 2024-07-09 | 2026-06-17 |
| CVE-2023-38051 | A BOLA vulnerability in GET, PUT, DELETE /secretaries/{secretaryId} allows a low privileged user to fetch, modify or delete a low privileged user (secretary). This results in unauthorized access and unauthorized data manipulation. | [email protected] | 9.9 | 0.40% | 2024-07-09 | 2026-06-17 |
| CVE-2023-38050 | A BOLA vulnerability in GET, PUT, DELETE /webhooks/{webhookId} allows a low privileged user to fetch, modify or delete a webhook of any user (including admin). This results in unauthorized access and unauthorized data manipulation. | [email protected] | 9.1 | 0.36% | 2024-07-09 | 2026-06-17 |
| CVE-2023-38049 | A BOLA vulnerability in GET, PUT, DELETE /appointments/{appointmentId} allows a low privileged user to fetch, modify or delete an appointment of any user (including admin). This results in unauthorized access and unauthorized data manipulation. | [email protected] | 9.9 | 0.41% | 2024-07-09 | 2026-06-17 |
| CVE-2023-38048 | A BOLA vulnerability in GET, PUT, DELETE /providers/{providerId} allows a low privileged user to fetch, modify or delete a privileged user (provider). This results in unauthorized access and unauthorized data manipulation. | [email protected] | 9.9 | 0.40% | 2024-07-09 | 2026-06-17 |
| CVE-2023-38047 | A BOLA vulnerability in GET, PUT, DELETE /categories/{categoryId} allows a low privileged user to fetch, modify or delete the category of any user (including admin). This results in unauthorized access and unauthorized data manipulation. | [email protected] | 8.5 | 0.37% | 2024-07-09 | 2026-06-17 |