Home > Vulnerability Database > CVE-2026-23622

Mend.io Vulnerability Database

CVE-2026-23622

Good to know:

Date: January 15, 2026

Easy!Appointments is a self hosted appointment scheduler. In 1.5.2 and earlier, application/core/EA_Security.php::csrf_verify() only enforces CSRF for POST requests and returns early for non-POST methods. Several application endpoints perform state-changing operations while accepting parameters from GET (or $_REQUEST), so an attacker can perform CSRF by forcing a victim's browser to issue a crafted GET request. Impact: creation of admin accounts, modification of admin email/password, and full admin account takeover.

Severity Score

8.8

Related Resources (5)

Url: https://github.com/alextselegidis/easyappointments

Url: https://github.com/alextselegidis/easyappointments/security/advisories/GHSA-54v4-4685-vwrj

Url: https://github.com/alextselegidis/easyappointments/blob/41c9b93a5a2c185a914f204412324d8980943fd5/application/core/EA_Security.php#L52

Url: https://nvd.nist.gov/vuln/detail/CVE-2026-23622

Url: https://www.mend.io/vulnerability-database/CVE-2026-23622

Severity Score

8.8

Weakness Type (CWE)

Cross-Site Request Forgery (CSRF)

CWE-352

CVSS v3.1

Base Score:	8.8
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	REQUIRED
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2026-23622

Good to know:

Date: January 15, 2026

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?