CVE-2026-23622
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2026-01-15

Last updated on: 2026-04-29

Assigner: GitHub, Inc.

Description
Easy!Appointments is a self hosted appointment scheduler. In 1.5.2 and earlier, application/core/EA_Security.php::csrf_verify() only enforces CSRF for POST requests and returns early for non-POST methods. Several application endpoints perform state-changing operations while accepting parameters from GET (or $_REQUEST), so an attacker can perform CSRF by forcing a victim's browser to issue a crafted GET request. Impact: creation of admin accounts, modification of admin email/password, and full admin account takeover.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-15
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-01-16
EPSS Evaluated
2026-06-14
NVD
CVE-2026-23622
EUVD
EUVD-2026-2736
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
alextselegidis easyappointments to 1.5.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-352 The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a critical Cross-Site Request Forgery (CSRF) issue in Easy!Appointments. The application only enforces CSRF token validation for POST requests, ignoring other HTTP methods like GET. Some endpoints perform state-changing operations via GET parameters without CSRF protection. An attacker can exploit this by tricking an authenticated admin into visiting a malicious page that sends crafted GET requests, allowing actions like creating admin accounts or changing admin credentials without authorization. [1]

Impact Analysis

The vulnerability can lead to severe impacts including creation of unauthorized admin accounts, modification of admin emails and passwords, and ultimately full administrative account takeover. This means an attacker can completely compromise the application instance, gaining full control over it. [1]

Detection Guidance

You can detect this vulnerability by monitoring HTTP requests to the Easy!Appointments application for state-changing operations performed via GET requests. Specifically, look for requests to endpoints such as index.php/admins/store, index.php/admins/update, and index.php/account/save that include parameters in the URL or $_REQUEST. Commands like using curl or network monitoring tools to capture and analyze GET requests to these endpoints can help identify potential exploitation attempts. For example, you can use: curl -v 'http://yourserver/index.php/admins/store?param=value' to test if state changes are accepted via GET. Additionally, reviewing server logs for unusual GET requests that modify data can help detect exploitation. [1]

Mitigation Strategies

Immediate mitigation steps include applying a minimal core fix that enforces CSRF token validation for all HTTP methods except those explicitly whitelisted, thereby preventing CSRF attacks via GET requests. Additionally, restrict state-changing operations to appropriate HTTP methods such as POST, PUT, or DELETE. If possible, implement re-authentication or confirmation for critical operations like email or password changes. Setting secure cookie flags such as SameSite, Secure, and HttpOnly is also recommended to enhance security. Since no patched versions are available at the time of the report, these configuration and code changes are essential to reduce risk. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-23622. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart