CVE-2026-52838
Deferred Deferred - Pending Action

Stored XSS in Easy!Appointments Booking Page

Vulnerability report for CVE-2026-52838, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-14

Last updated on: 2026-07-14

Assigner: GitHub, Inc.

Description

Easy!Appointments is a self hosted appointment scheduler. Versions prior to 1.6.0 allow administrators to define a custom "booking disabled" message through the booking settings page. That value is stored in the `disable_booking_message` setting via a rich-text editor and later passed directly to the public `booking_message` view without escaping or sanitization. An authenticated administrator can store HTML or JavaScript in this field, enable disabled-booking mode, and trigger stored XSS in every unauthenticated visitor who opens the public booking page. Version 1.6.0 fixes the issue.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-14
Last Modified
2026-07-14
Generated
2026-07-14
AI Q&A
2026-07-14
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
alextselegidis easyappointments to 1.6.0 (exc)
alextselegidis easyappointments 1.6.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-52838 is a stored cross-site scripting (XSS) vulnerability in Easy!Appointments, a self-hosted appointment scheduler. The issue affects versions prior to 1.6.0.

Authenticated administrators can define a custom 'booking disabled' message through the booking settings page. This message is stored in the `disable_booking_message` setting using a rich-text editor. The stored value is later passed directly to the public `booking_message` view without proper escaping or sanitization.

An attacker with administrative access can inject malicious HTML or JavaScript into this field. When the booking page is disabled, the unsanitized message is rendered on the public booking page, executing the injected script in the browsers of unauthenticated visitors. This can lead to actions like phishing, credential theft, or page defacement.

  • Vulnerability type: Stored XSS (Cross-Site Scripting).
  • Affected component: `disable_booking_message` setting in the booking settings page.
  • Attack vector: Authenticated administrator injects malicious code via a rich-text editor.
  • Impact: Malicious scripts execute in the browsers of unauthenticated visitors viewing the public booking page.

The vulnerability is fixed in version 1.6.0 by sanitizing the rich-text content before rendering it in the view.

Impact Analysis

If you are an end user or visitor of an Easy!Appointments instance affected by this vulnerability, the impact depends on whether the administrator account has been compromised or is malicious.

  • Malicious scripts could execute in your browser when you visit the public booking page, leading to:
  • Phishing attacks: Fake login forms or prompts could steal your credentials.
  • Credential theft: Session cookies or sensitive data could be harvested.
  • Page defacement: The booking page could be altered to display misleading or offensive content.
  • Redirection to malicious sites: You could be redirected to sites hosting malware or scams.

If you are an administrator of an affected Easy!Appointments instance:

  • Your administrative account could be used to inject malicious scripts, putting your users at risk.
  • Your organization's reputation could be damaged if users are harmed by the attack.
  • You may face legal or compliance consequences if sensitive user data is compromised.

The CVSS score of 2.6 (Low severity) reflects that exploitation requires high privileges (administrator access) and user interaction (visiting the booking page), but the impact can still be significant depending on the attacker's goals.

Compliance Impact

This vulnerability can impact compliance with several standards and regulations, depending on the context in which Easy!Appointments is used.

  • GDPR (General Data Protection Regulation):
  • If the XSS attack leads to the theft of personal data (e.g., credentials, session cookies, or other sensitive information) of EU citizens, it could violate GDPR's requirements for data protection and security.
  • Organizations must implement appropriate technical measures to protect personal data. Failure to patch or mitigate this vulnerability could be seen as a lapse in security, potentially leading to fines or legal action.
  • HIPAA (Health Insurance Portability and Accountability Act):
  • If Easy!Appointments is used in a healthcare setting to manage patient appointments, an XSS attack could compromise protected health information (PHI).
  • HIPAA requires covered entities to implement safeguards to protect PHI. A successful XSS attack could be considered a security incident, requiring notification and potentially leading to penalties.
  • PCI DSS (Payment Card Industry Data Security Standard):
  • If the booking system handles payment information (e.g., credit card details) and the XSS attack leads to the theft of such data, it could violate PCI DSS requirements for securing cardholder data.
  • Organizations must ensure that all systems handling payment data are secure. An XSS vulnerability could be seen as a failure to maintain a secure environment.
  • ISO 27001:
  • This standard requires organizations to implement controls to manage information security risks. An unpatched XSS vulnerability could be considered a failure to apply necessary security controls, potentially leading to non-compliance.

In summary, while the vulnerability itself may not directly violate these regulations, its exploitation could lead to breaches of data protection requirements, resulting in compliance violations and potential legal or financial consequences.

Detection Guidance

To detect this vulnerability on your system, you can check if your instance of Easy!Appointments is running a version prior to 1.6.0, as these versions are affected by the stored XSS issue in the 'disable_booking_message' setting.

  • Verify the installed version of Easy!Appointments by checking the application's version number in the admin dashboard or inspecting the source code for version metadata.
  • Inspect the 'disable_booking_message' setting in the database or admin panel for any suspicious HTML or JavaScript code. Look for script tags, event handlers, or other malicious payloads.
  • Manually test the public booking page by enabling the disabled-booking mode and checking if the message renders raw HTML or executes scripts. Open the browser's developer tools (F12) and monitor the console for any unexpected script execution.
  • Use a web vulnerability scanner like OWASP ZAP or Burp Suite to scan the public booking page for stored XSS vulnerabilities. These tools can automate the detection of improperly sanitized inputs.
Mitigation Strategies

To mitigate this vulnerability, follow these immediate steps:

  • Upgrade Easy!Appointments to version 1.6.0 or later, as this version includes the fix for the stored XSS vulnerability. The fix involves sanitizing the 'disable_booking_message' field before rendering it on the public booking page.
  • If upgrading is not immediately possible, manually sanitize the 'disable_booking_message' setting by removing any HTML or JavaScript code from the field in the admin panel. Replace it with plain text to prevent script execution.
  • Temporarily disable the disabled-booking mode to prevent the malicious message from being displayed to unauthenticated visitors until the upgrade or manual sanitization is complete.
  • Review the 'disable_booking_message' setting in the database or admin panel for any signs of tampering. If suspicious content is found, log the incident and investigate further for potential compromise.
  • Monitor the public booking page for unusual activity, such as unexpected redirects, pop-ups, or defacement, which could indicate exploitation of the vulnerability.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-52838. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart