CVE-2026-23622
- Source
- https://cve.org/CVERecord?id=CVE-2026-23622
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-23622.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2026-23622
- Aliases
- Published
- 2026-01-15T19:28:58.369Z
- Modified
- 2026-01-16T02:50:50.745568Z
- Severity
-
- 7.4 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P CVSS Calculator
- Summary
- CSRF Protection Bypass: Sensitive endpoints accept GET requests, enabling admin account takeover
- Details
-
Easy!Appointments is a self hosted appointment scheduler. In 1.5.2 and earlier, application/core/EASecurity.php::csrfverify() only enforces CSRF for POST requests and returns early for non-POST methods. Several application endpoints perform state-changing operations while accepting parameters from GET (or $_REQUEST), so an attacker can perform CSRF by forcing a victim's browser to issue a crafted GET request. Impact: creation of admin accounts, modification of admin email/password, and full admin account takeover.
- Database specific
{ "cwe_ids": [ "CWE-352" ], "cna_assigner": "GitHub_M", "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/23xxx/CVE-2026-23622.json" }- References
Affected packages
Git / github.com/alextselegidis/easyappointments
Affected versions
1.*
1.1.0
1.1.0-beta.1
1.1.0-beta.2
1.1.1
1.2.0
1.2.0-alpha.1
1.2.0-beta.1
1.2.1
1.3.0
1.3.0-alpha.1
1.3.0-beta.1
1.3.0-beta.2
1.3.1
1.3.1-beta.1
1.3.2
1.3.2-beta.1
1.4.0
1.4.0-beta.1
1.4.1
1.4.2
1.4.2-beta.1
1.4.3
1.4.3-beta.1
1.5.0
1.5.0-alpha.1
1.5.0-beta.1
1.5.0-dev.1
1.5.0-dev.2
1.5.0-dev.3
1.5.0-dev.4
1.5.1
1.5.1-beta.1
1.5.2
1.5.2-beta.1