PT-2026-58066 · Unknown · Easyappointments

Published

2026-07-14

·

Updated

2026-07-14

·

CVE-2026-52838

CVSS v3.1

2.6

Low

VectorAV:N/AC:H/PR:H/UI:R/S:C/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions Easy!Appointments versions prior to 1.6.0
Description An authenticated administrator can execute a stored Cross-Site Scripting (XSS) attack—a vulnerability where malicious scripts are permanently stored on the target server—by injecting HTML or JavaScript into the disable booking message setting via the booking settings page. This value is subsequently passed to the public booking message view without proper escaping or sanitization, allowing the script to execute in the browser of any unauthenticated visitor who accesses the public booking page while disabled-booking mode is active.
Recommendations Update to version 1.6.0.

Exploit

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-52838
GHSA-996F-334J-67G7

Affected Products

Easyappointments