CVE-2026-23622: alextselegidis/easyappointments is Vulnerable to CSRF Protection Bypass
application/core/EA_Security.php::csrf_verify() only enforces CSRF for POST requests and returns early for non-POST methods. Several application endpoints perform state-changing operations while accepting parameters from GET (or $_REQUEST), so an attacker can perform CSRF by forcing a victim’s browser to issue a crafted GET request. Impact: creation of admin accounts, modification of admin email/password, and full admin account takeover
References
- github.com/advisories/GHSA-54v4-4685-vwrj
- github.com/alextselegidis/easyappointments
- github.com/alextselegidis/easyappointments/blob/41c9b93a5a2c185a914f204412324d8980943fd5/application/core/EA_Security.php
- github.com/alextselegidis/easyappointments/security/advisories/GHSA-54v4-4685-vwrj
- nvd.nist.gov/vuln/detail/CVE-2026-23622
Code Behaviors & Features
Detect and mitigate CVE-2026-23622 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →