CVE-2026-23622
Published: 15 January 2026
Summary
CVE-2026-23622 is a high-severity CSRF (CWE-352) vulnerability in Easyappointments Easy!Appointments. Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 10.2nd percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-23622 is a cross-site request forgery (CSRF) vulnerability affecting Easy!Appointments, a self-hosted appointment scheduler, in versions 1.5.2 and earlier. The issue resides in the `application/core/EA_Security.php::csrf_verify()` function, which only enforces CSRF protection for POST requests and exits early for non-POST methods. Multiple application endpoints perform state-changing operations while accepting parameters via GET requests or `$_REQUEST`, enabling CSRF attacks through crafted GET requests. The vulnerability is rated 8.8 on the CVSS 3.1 scale (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H) and is associated with CWE-352.
An unauthenticated attacker on the network can exploit this by tricking an authenticated victim—such as an administrator—into visiting a malicious webpage or clicking a crafted link that triggers a GET request to a vulnerable endpoint. Successful exploitation allows the attacker to create new admin accounts, modify existing admin email addresses or passwords, or achieve full admin account takeover, potentially granting complete control over the application.
The primary reference is the GitHub security advisory at https://github.com/alextselegidis/easyappointments/security/advisories/GHSA-54v4-4685-vwrj, which details the issue and likely includes guidance on patches or mitigations for affected deployments. The vulnerability was published on 2026-01-15.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-2736
Vulnerability details
Easy!Appointments is a self-hosted appointment scheduler. In 1.5.2 and earlier, application/core/EA_Security.php::csrf_verify() only enforces CSRF for POST requests and returns early for non-POST methods. Several application endpoints perform state-changing operations while accepting parameters from GET (or $_REQUEST), so an attacker can perform CSRF by forcing a victim's browser to issue a crafted GET request. Impact: creation of admin accounts, modification of admin email/password, and full admin account takeover.
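The following is an added model of the csrf_verify() gap described in the analysis and vulnerability details above, not Easy!Appointments code: the Request class, the session token constant, the endpoint path and the handler are constructed stand-ins. It shows why an early return for non-POST methods combined with handlers that read from a merged $_REQUEST-style view lets a forged GET change state, and what the hardened check looks like.

```python
# Added model of the csrf_verify() gap described above; not Easy!Appointments
# code. Request, the token constant and the endpoint path are constructed.
from dataclasses import dataclass, field
import hmac

SESSION_CSRF_TOKEN = "constructed-session-token"  # token held by the victim's session
STATE_CHANGING_PATHS = {"/admin/users/save"}       # constructed endpoint name


@dataclass
class Request:
    method: str
    path: str
    query: dict = field(default_factory=dict)  # like $_GET
    body: dict = field(default_factory=dict)   # like $_POST

    @property
    def params(self) -> dict:
        # Mirrors $_REQUEST: GET and POST merged, so a handler reading from
        # here cannot tell which method supplied a value.
        return {**self.query, **self.body}

def csrf_verify_vulnerable(req: Request) -> bool:
    # The flawed shape: non-POST requests skip the check, so a forged GET
    # to a state-changing endpoint is accepted without any token.
    if req.method != "POST":
        return True
    return hmac.compare_digest(req.body.get("csrf_token", ""), SESSION_CSRF_TOKEN)

def csrf_verify_hardened(req: Request) -> bool:
    # State-changing endpoints must be reached by POST, and the token must
    # come from the POST body, never from the merged $_REQUEST-style view.
    if req.path in STATE_CHANGING_PATHS and req.method != "POST":
        return False
    if req.method in ("GET", "HEAD", "OPTIONS"):
        return True  # read-only traffic to other endpoints needs no token
    return hmac.compare_digest(req.body.get("csrf_token", ""), SESSION_CSRF_TOKEN)

def handle_save_user(req: Request, verify) -> str:
    # Handler that reads from $_REQUEST-like params; returns the action taken.
    if not verify(req):
        return "rejected"
    return f"saved {req.params.get('email')} role={req.params.get('role')}"

# Constructed cross-site GET, i.e. what a victim's browser sends when a link
# or image tag points at the endpoint.
FORGED_GET = Request("GET", "/admin/users/save",
                     query={"email": "new-admin@example.invalid", "role": "admin"})
```

Running the forged request through both verifiers shows the vulnerable variant saving a new admin while the hardened one rejects it; a legitimate POST carrying the session token still passes the hardened check.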
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A CSRF flaw in a public-facing web application is exploited remotely (T1190) by delivering a malicious link whose user interaction (T1204.001) triggers the unauthorized state change.
Mitigating Controls (NIST 800-53 r5)
SC-23 requires protection of communications session authenticity, directly mitigating CSRF attacks that forge state-changing requests within valid authenticated sessions.
SI-10 enforces validation of all information inputs, including CSRF tokens and request methods, preventing unauthorized state changes via crafted GET requests.
IA-11 mandates re-authentication for privileged actions like admin account creation or modification, blocking CSRF exploits that rely on existing sessions without further verification.