Easy!Appointments is a self hosted appointment scheduler. Versions prior to 1.6.0 allow administrators to define a custom "booking disabled" message through the booking settings page. That value is stored in the `disable_booking_message` setting via a rich-text editor and later passed directly to the public `booking_message` view without escaping or sanitization. An authenticated administrator can store HTML or JavaScript in this field, enable disabled-booking mode, and trigger stored XSS in every unauthenticated visitor who opens the public booking page. Version 1.6.0 fixes the issue.

Project Subscriptions

Vendors Products
Alextselegidis Subscribe
Easyappointments Subscribe
Advisories

No advisories yet.

Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

Tue, 14 Jul 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 14 Jul 2026 17:00:00 +0000

Type Values Removed Values Added
First Time appeared Alextselegidis
Alextselegidis easyappointments
Vendors & Products Alextselegidis
Alextselegidis easyappointments

Tue, 14 Jul 2026 15:45:00 +0000

Type Values Removed Values Added
Description Easy!Appointments is a self hosted appointment scheduler. Versions prior to 1.6.0 allow administrators to define a custom "booking disabled" message through the booking settings page. That value is stored in the `disable_booking_message` setting via a rich-text editor and later passed directly to the public `booking_message` view without escaping or sanitization. An authenticated administrator can store HTML or JavaScript in this field, enable disabled-booking mode, and trigger stored XSS in every unauthenticated visitor who opens the public booking page. Version 1.6.0 fixes the issue.
Title Easy!Appointments disable_booking_message rendered as raw HTML on public booking page — Stored XSS
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 2.6, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:N/I:L/A:N'}


Projects

Sign in to view the affected projects.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-07-14T16:26:53.608Z

Reserved: 2026-06-08T18:41:27.724Z

Link: CVE-2026-52838

cve-icon Vulnrichment

Updated: 2026-07-14T16:01:22.050Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-14T16:45:04Z

Weaknesses