{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23622", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-14T16:08:37.482Z", "datePublished": "2026-01-15T19:28:58.369Z", "dateUpdated": "2026-01-15T21:34:43.098Z"}, "containers": {"cna": {"title": "CSRF Protection Bypass: Sensitive endpoints accept GET requests, enabling admin account takeover", "problemTypes": [{"descriptions": [{"cweId": "CWE-352", "lang": "en", "description": "CWE-352: Cross-Site Request Forgery (CSRF)", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P", "version": "4.0"}}], "references": [{"name": "https://github.com/alextselegidis/easyappointments/security/advisories/GHSA-54v4-4685-vwrj", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/alextselegidis/easyappointments/security/advisories/GHSA-54v4-4685-vwrj"}], "affected": [{"vendor": "alextselegidis", "product": "easyappointments", "versions": [{"version": "<= 1.5.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-15T19:28:58.369Z"}, "descriptions": [{"lang": "en", "value": "Easy!Appointments is a self hosted appointment scheduler. In 1.5.2 and earlier, application/core/EA_Security.php::csrf_verify() only enforces CSRF for POST requests and returns early for non-POST methods. Several application endpoints perform state-changing operations while accepting parameters from GET (or $_REQUEST), so an attacker can perform CSRF by forcing a victim's browser to issue a crafted GET request. Impact: creation of admin accounts, modification of admin email/password, and full admin account takeover."}], "source": {"advisory": "GHSA-54v4-4685-vwrj", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/alextselegidis/easyappointments/security/advisories/GHSA-54v4-4685-vwrj", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-15T21:34:33.677067Z", "id": "CVE-2026-23622", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-15T21:34:43.098Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-23622", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-01-15T21:34:33.677067Z"}}}], "references": [{"url": "https://github.com/alextselegidis/easyappointments/security/advisories/GHSA-54v4-4685-vwrj", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-15T21:34:14.796Z"}}], "cna": {"title": "CSRF Protection Bypass: Sensitive endpoints accept GET requests, enabling admin account takeover", "source": {"advisory": "GHSA-54v4-4685-vwrj", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 7.4, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "alextselegidis", "product": "easyappointments", "versions": [{"status": "affected", "version": "<= 1.5.2"}]}], "references": [{"url": "https://github.com/alextselegidis/easyappointments/security/advisories/GHSA-54v4-4685-vwrj", "name": "https://github.com/alextselegidis/easyappointments/security/advisories/GHSA-54v4-4685-vwrj", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Easy!Appointments is a self hosted appointment scheduler. In 1.5.2 and earlier, application/core/EA_Security.php::csrf_verify() only enforces CSRF for POST requests and returns early for non-POST methods. Several application endpoints perform state-changing operations while accepting parameters from GET (or $_REQUEST), so an attacker can perform CSRF by forcing a victim's browser to issue a crafted GET request. Impact: creation of admin accounts, modification of admin email/password, and full admin account takeover."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352: Cross-Site Request Forgery (CSRF)"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-15T19:28:58.369Z"}}}, "cveMetadata": {"cveId": "CVE-2026-23622", "state": "PUBLISHED", "dateUpdated": "2026-01-15T21:34:43.098Z", "dateReserved": "2026-01-14T16:08:37.482Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-15T19:28:58.369Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:easyappointments:easy\\!appointments:*:*:*:*:*:-:*:*", "matchCriteriaId": "58620CF3-2F83-4032-B0F3-8D04ED54778F", "versionEndIncluding": "1.5.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Easy!Appointments is a self hosted appointment scheduler. In 1.5.2 and earlier, application/core/EA_Security.php::csrf_verify() only enforces CSRF for POST requests and returns early for non-POST methods. Several application endpoints perform state-changing operations while accepting parameters from GET (or $_REQUEST), so an attacker can perform CSRF by forcing a victim's browser to issue a crafted GET request. Impact: creation of admin accounts, modification of admin email/password, and full admin account takeover."}, {"lang": "es", "value": "Easy!Appointments es un programador de citas autoalojado. En 1.5.2 y versiones anteriores, application/core/EA_Security.php::csrf_verify() solo aplica CSRF para solicitudes POST y retorna anticipadamente para m\u00e9todos que no son POST. Varios puntos finales de la aplicaci\u00f3n realizan operaciones que cambian el estado mientras aceptan par\u00e1metros de GET (o $_REQUEST), por lo que un atacante puede realizar CSRF forzando al navegador de una v\u00edctima a emitir una solicitud GET manipulada. Impacto: creaci\u00f3n de cuentas de administrador, modificaci\u00f3n de correo electr\u00f3nico/contrase\u00f1a de administrador y toma de control total de la cuenta de administrador."}], "id": "CVE-2026-23622", "lastModified": "2026-04-29T01:00:01.613", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-01-15T20:16:05.773", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory", "Exploit"], "url": "https://github.com/alextselegidis/easyappointments/security/advisories/GHSA-54v4-4685-vwrj"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Vendor Advisory", "Exploit"], "url": "https://github.com/alextselegidis/easyappointments/security/advisories/GHSA-54v4-4685-vwrj"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T16:09:44.153659+00:00", "value": {"mitigation_remediation": ["Upgrade Easy!Appointments to the latest available version, which applies CSRF checks to all state\u2011changing actions.", "If an upgrade is not immediately possible, configure the web server or application routing to disallow GET (and other non\u2011POST) requests to the endpoints that perform administrative changes, ensuring they only respond to authenticated POST requests with valid CSRF tokens.", "Validate all incoming requests to sensitive endpoints to enforce that the HTTP method is POST and that a valid anti\u2011CSRF token is present before processing, thereby restoring protection against cross\u2011site request forgery."], "summary": {"action": "Patch Immediately", "impact": "Privilege escalation through CSRF leading to administrative takeover"}, "threat_synthesis": {"affected_systems": "The product affected is Easy!Appointments (easy!appointments) version 1.5.2 and all earlier releases. The vulnerability resides in the core file EA_Security.php, where CSRF checks are skipped for non\u2011POST methods.", "description_and_impact": "Easy!Appointments 1.5.2 and earlier contain a flaw where CSRF verification is only applied to POST requests, while several endpoints that alter state accept parameters from GET or $_REQUEST. The flaw allows an attacker to craft GET requests that are processed as state\u2011changing actions, enabling the creation of new admin accounts, modification of admin credentials, and full takeover of administrative sessions. This deficiency maps to CWE\u2011352, a missing or improper protection against Cross\u2011Site Request Forgery.", "risk_and_exploitability": "The CVSS score is 7.4, indicating a high severity for privilege escalation. The EPSS score is listed as <1%, implying a low current exploitation probability, and the vulnerability is not in the CISA KEV catalog. The likely attack vector is a web\u2011browser CSRF, where a malicious site or email links a victim to a crafted GET request targeting the vulnerable endpoint. Once a victim's authenticated session is used to visit the URL, the state\u2011changing operation executes without a CSRF token, granting the attacker administrative privileges. The impact is limited to the affected Easy!Appointments instance, but the consequences are significant due to full admin takeover."}}}}, "created": "2026-01-16T13:42:51.316687+00:00", "updated": "2026-04-18T16:15:04.604149+00:00", "vendors": ["alextselegidis", "alextselegidis$PRODUCT$easyappointments"]}