Analysis and contextual insights are available on OpenCVE Cloud.
No vendor fix or workaround currently provided.
Additional remediation guidance may be available on OpenCVE Cloud.
Tracking
Sign in to view the affected projects.
No advisories yet.
Tue, 14 Jul 2026 17:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Tue, 14 Jul 2026 17:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Alextselegidis
Alextselegidis easyappointments |
|
| Vendors & Products |
Alextselegidis
Alextselegidis easyappointments |
Tue, 14 Jul 2026 15:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Easy!Appointments is a self hosted appointment scheduler. Versions prior to 1.6.0 allow administrators to define a custom "booking disabled" message through the booking settings page. That value is stored in the `disable_booking_message` setting via a rich-text editor and later passed directly to the public `booking_message` view without escaping or sanitization. An authenticated administrator can store HTML or JavaScript in this field, enable disabled-booking mode, and trigger stored XSS in every unauthenticated visitor who opens the public booking page. Version 1.6.0 fixes the issue. | |
| Title | Easy!Appointments disable_booking_message rendered as raw HTML on public booking page — Stored XSS | |
| Weaknesses | CWE-79 | |
| References |
| |
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-07-14T16:26:53.608Z
Reserved: 2026-06-08T18:41:27.724Z
Link: CVE-2026-52838
Updated: 2026-07-14T16:01:22.050Z
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-14T16:45:04Z