Back to overview

CVE-2026-52840

LOW
2.7
CVSS 3.1
Description
Easy!Appointments is a self hosted appointment scheduler. In versions prior to 1.6.0, `Caldav::connect_to_server` at `application/controllers/Caldav.php:60` hands the request's `caldav_url` to a Guzzle `REPORT` call without scheme or host validation. A logged-in backend user (admin, provider, or secretary) reaches loopback, RFC1918, and link-local hosts on the deployment's network. The Guzzle exception path returns the upstream status code plus ~120 bytes of response body in the JSON `message` field (`Caldav.php:74-78`), so the SSRF is semi-blind. Version 1.6.0 contains a patch.

Metadata

CVE ID
CVE-2026-52840
State
PUBLISHED
Assigner
GitHub_M
Reserved
2026-06-08 18:41 UTC
Published
2026-07-14 15:23 UTC
Last updated
2026-07-14 15:23 UTC
Primary CWE
CWE-918
CWE-918: Server-Side Request Forgery (SSRF)
Vendor / Product
alextselegidis / easyappointments
Sources
cve.org  ·  NVD

Severity & Metrics

2.7 LOW CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
Affected products (1)
VendorProductPlatformVersions
alextselegidis easyappointments < 1.6.0
Weakness (CWE)
CWESourceDescription
CWE-918 cna CWE-918: Server-Side Request Forgery (SSRF)
CVSS scores (1)
ScoreSeverityVersionSourceVector
2.7 LOW 3.1 cna CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
References (2)
Back to overview