CVE-2026-23622

Severity: High · Public PoC

Published: 15 January 2026
Modified: 28 January 2026
KEV Added: not listed
Patch: not listed
CVSS Score (v4): 8.7
CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0020 (10.2th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-23622 is a high-severity cross-site request forgery (CSRF, CWE-352) vulnerability in Easy!Appointments by Easyappointments. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 10.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-23622 is a cross-site request forgery (CSRF) vulnerability affecting Easy!Appointments, a self-hosted appointment scheduler, in versions 1.5.2 and earlier. The issue resides in the `application/core/EA_Security.php::csrf_verify()` function, which only enforces CSRF protection for POST requests and exits early for non-POST methods. Multiple application endpoints perform state-changing operations while accepting parameters via GET requests or `$_REQUEST`, enabling CSRF attacks through crafted GET requests. The vulnerability is rated 8.8 on the CVSS 3.1 scale (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H) and is associated with CWE-352.

An unauthenticated attacker on the network can exploit this by tricking an authenticated victim—such as an administrator—into visiting a malicious webpage or clicking a crafted link that triggers a GET request to a vulnerable endpoint. Successful exploitation allows the attacker to create new admin accounts, modify existing admin email addresses or passwords, or achieve full admin account takeover, potentially granting complete control over the application.

The primary reference is the GitHub security advisory at https://github.com/alextselegidis/easyappointments/security/advisories/GHSA-54v4-4685-vwrj, which details the issue and likely includes guidance on patches or mitigations for affected deployments. The vulnerability was published on 2026-01-15.

Vulnerability details

Easy!Appointments is a self-hosted appointment scheduler. In 1.5.2 and earlier, application/core/EA_Security.php::csrf_verify() only enforces CSRF for POST requests and returns early for non-POST methods. Several application endpoints perform state-changing operations while accepting parameters from GET (or $_REQUEST), so an attacker can perform CSRF by forcing a victim's browser to issue a crafted GET request. Impact: creation of admin accounts, modification of admin email/password, and full admin account takeover.
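As an added illustration (not Easy!Appointments' own code and not the contents of EA_Security.php), the PHP below places a guard that returns early for non-POST requests, the pattern the Deeper analysis and Vulnerability details sections describe, beside a hardened guard and a state-changing handler that refuses safe methods and reads only the POST body; the function names and the csrf_token field name are assumptions made for this example.

```php
<?php
// Added example, not Easy!Appointments' own code: a CSRF guard that skips every
// non-POST request (the pattern described above) beside a hardened guard and a
// state-changing handler. Function and field names are assumptions made here.
const SAFE_METHODS = ['GET', 'HEAD', 'OPTIONS'];

// Weak: the early return means a GET carrying the same parameters is never
// checked, so any handler that honours $_REQUEST is reachable from a plain link.
function csrf_verify_weak(string $method, array $post, string $sessionToken): bool
{
    if ($method !== 'POST') {
        return true;
    }
    return isset($post['csrf_token']) && hash_equals($sessionToken, (string) $post['csrf_token']);
}

// Hardened: every non-safe method must present a token taken from the request
// body only, and an empty session token never matches anything.
function csrf_verify_strict(string $method, array $post, string $sessionToken): bool
{
    if (in_array($method, SAFE_METHODS, true)) {
        return true; // allowed through, but safe methods must not change state
    }
    if ($sessionToken === '' || !isset($post['csrf_token'])) {
        return false;
    }
    return hash_equals($sessionToken, (string) $post['csrf_token']);
}

// A state-changing handler on the strict guard: safe methods get HTTP 405, so a
// crafted link cannot reach it, and parameters come from the POST body only.
function update_admin_email(string $method, array $post, string $sessionToken): array
{
    if (in_array($method, SAFE_METHODS, true)) {
        return ['status' => 405, 'error' => 'method not allowed'];
    }
    if (!csrf_verify_strict($method, $post, $sessionToken)) {
        return ['status' => 403, 'error' => 'missing or invalid CSRF token'];
    }
    $email = filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        return ['status' => 400, 'error' => 'invalid email'];
    }
    return ['status' => 200, 'email' => $email]; // persist the change here
}

// Same change by GET: weak guard lets it through, hardened handler refuses it.
$token = bin2hex(random_bytes(16));
var_dump(csrf_verify_weak('GET', [], $token));
var_dump(update_admin_email('GET', ['email' => 'admin@example.com'], $token));
var_dump(update_admin_email('POST', ['email' => 'admin@example.com', 'csrf_token' => $token], $token));
```

Refusing safe methods at the handler is what makes the fix robust: even if a future guard regresses, a GET never reaches the state change.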

CWE(s)

CWE-352 Cross-Site Request Forgery (CSRF)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1204.001 Malicious Link (Execution)
An adversary may rely upon a user clicking a malicious link in order to gain execution.
Why these techniques?

CSRF in public-facing web app directly enables remote exploitation (T1190) via malicious link delivery requiring user interaction (T1204.001) to perform unauthorized state changes.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-70031 (shared CWE-352)
CVE-2025-23902 (shared CWE-352)
CVE-2026-34384 (shared CWE-352)
CVE-2025-23880 (shared CWE-352)
CVE-2025-30550 (shared CWE-352)
CVE-2024-53829 (shared CWE-352)
CVE-2025-23805 (shared CWE-352)
CVE-2025-59541 (shared CWE-352)
CVE-2025-25147 (shared CWE-352)
CVE-2024-13753 (shared CWE-352)

Affected Assets

easyappointments / easy!appointments ≤ 1.5.2

Mitigating Controls (NIST 800-53 r5, AI)

prevent · SC-23 (Session Authenticity) requires protection of communications session authenticity, directly mitigating CSRF attacks that forge state-changing requests within valid authenticated sessions.

prevent · SI-10 (Information Input Validation) enforces validation of all information inputs, including CSRF tokens and request methods, preventing unauthorized state changes via crafted GET requests.

prevent · IA-11 (Re-authentication) mandates re-authentication for privileged actions like admin account creation or modification, blocking CSRF exploits that rely on existing sessions without further verification.

References

https://github.com/alextselegidis/easyappointments/security/advisories/GHSA-54v4-4685-vwrj