CVE-2026-52838 in easyappointments
Summary
by MITRE • 07/14/2026
Easy!Appointments is a self hosted appointment scheduler. Versions prior to 1.6.0 allow administrators to define a custom "booking disabled" message through the booking settings page. That value is stored in the `disable_booking_message` setting via a rich-text editor and later passed directly to the public `booking_message` view without escaping or sanitization. An authenticated administrator can store HTML or JavaScript in this field, enable disabled-booking mode, and trigger stored XSS in every unauthenticated visitor who opens the public booking page. Version 1.6.0 fixes the issue.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 07/14/2026
This vulnerability exists within Easy!Appointments version 1.5.0 and earlier, representing a critical stored cross-site scripting flaw that affects the application's public booking interface. The vulnerability stems from insufficient input sanitization and output escaping mechanisms within the administrative settings configuration. An authenticated administrator with access to the booking settings page can manipulate the `disable_booking_message` parameter through a rich-text editor interface, allowing arbitrary HTML and JavaScript code injection into the application's database storage.
The technical exploitation occurs when an attacker stores malicious content in the booking disabled message field while the system is configured to display this message to users. When unauthenticated visitors access the public booking page, the stored content is rendered directly without proper HTML escaping or sanitization, creating a persistent XSS vector that affects all visitors regardless of authentication status. This vulnerability specifically maps to CWE-79 - Cross-Site Scripting and falls under the ATT&CK technique T1566.001 - Phishing via Service Provider for initial compromise and lateral movement.
The operational impact of this vulnerability extends beyond simple script execution, as it allows attackers to hijack sessions, steal cookies, redirect users to malicious sites, or perform actions on behalf of visitors. Since the vulnerability affects the public-facing booking interface, any visitor accessing the page becomes a potential victim, making it particularly dangerous for organizations relying on this application for customer scheduling services. The attack vector requires only administrative access to the system, which may be limited in scope but provides significant leverage for malicious actors who gain such privileges.
Mitigation strategies should focus on implementing proper input sanitization and output escaping mechanisms throughout the application's data flow. The fix implemented in version 1.6.0 demonstrates the importance of never trusting user-provided content that will be rendered in public interfaces, requiring all user inputs to be properly escaped or sanitized before storage and rendering. Organizations should also implement strict access controls and regular security audits to prevent unauthorized administrative access, while ensuring all applications are kept up-to-date with security patches. The vulnerability highlights the critical need for defense-in-depth strategies where even trusted administrators cannot bypass core security mechanisms protecting public-facing interfaces from malicious content injection.