{"api_version":"1","generated_at":"2026-07-16T12:10:03+00:00","cve":"CVE-2026-55651","urls":{"html":"https://cve.report/CVE-2026-55651","api":"https://cve.report/api/cve/CVE-2026-55651.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-55651","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-55651"},"summary":{"title":"Easy!Appointments Vulnerable to Appointments Takeover via Excessive Data Exposure","description":"Easy!Appointments is a self hosted appointment scheduler. In version 1.5.2, an Excessive Data Exposure vulnerability in the customers search endpoint allows an authenticated user to obtain appointment hashes belonging to other users.\nUsing these hashes, an attacker can modify or delete appointments of other providers, resulting in an Appointments Takeover. Version 1.6.0 fixes the issue.","state":"PUBLISHED","assigner":"GitHub_M","published_at":"2026-07-14 16:17:00","updated_at":"2026-07-14 16:42:11"},"problem_types":["CWE-200","CWE-200 CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"],"metrics":[{"version":"3.1","source":"security-advisories@github.com","type":"Secondary","score":"7.1","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N","baseScore":7.1,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"HIGH","availabilityImpact":"NONE"}},{"version":"3.1","source":"CNA","type":"DECLARED","score":"7.1","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N","data":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":7.1,"baseSeverity":"HIGH","confidentialityImpact":"LOW","integrityImpact":"HIGH","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N","version":"3.1"}}],"references":[{"url":"https://github.com/alextselegidis/easyappointments/security/advisories/GHSA-4vmm-5qvc-w5p7","name":"https://github.com/alextselegidis/easyappointments/security/advisories/GHSA-4vmm-5qvc-w5p7","refsource":"134c704f-9b21-4f2e-91b3-4a467353bcc0","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-55651","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-55651","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"alextselegidis","product":"easyappointments","version":"affected = 1.5.2","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2026-55651","options":[{"Exploitation":"poc"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","timestamp":"2026-07-14T15:59:40.381297Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2026-07-14T16:00:49.009Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"references":[{"tags":["exploit"],"url":"https://github.com/alextselegidis/easyappointments/security/advisories/GHSA-4vmm-5qvc-w5p7"}],"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"product":"easyappointments","vendor":"alextselegidis","versions":[{"status":"affected","version":"= 1.5.2"}]}],"descriptions":[{"lang":"en","value":"Easy!Appointments is a self hosted appointment scheduler. In version 1.5.2, an Excessive Data Exposure vulnerability in the customers search endpoint allows an authenticated user to obtain appointment hashes belonging to other users.\nUsing these hashes, an attacker can modify or delete appointments of other providers, resulting in an Appointments Takeover. Version 1.6.0 fixes the issue."}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":7.1,"baseSeverity":"HIGH","confidentialityImpact":"LOW","integrityImpact":"HIGH","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N","version":"3.1"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-200","description":"CWE-200: Exposure of Sensitive Information to an Unauthorized Actor","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-07-14T15:31:51.028Z","orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M"},"references":[{"name":"https://github.com/alextselegidis/easyappointments/security/advisories/GHSA-4vmm-5qvc-w5p7","tags":["x_refsource_CONFIRM"],"url":"https://github.com/alextselegidis/easyappointments/security/advisories/GHSA-4vmm-5qvc-w5p7"}],"source":{"advisory":"GHSA-4vmm-5qvc-w5p7","discovery":"UNKNOWN"},"title":"Easy!Appointments Vulnerable to Appointments Takeover via Excessive Data Exposure"}},"cveMetadata":{"assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","assignerShortName":"GitHub_M","cveId":"CVE-2026-55651","datePublished":"2026-07-14T15:31:51.028Z","dateReserved":"2026-06-16T23:52:12.059Z","dateUpdated":"2026-07-14T16:00:49.009Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-07-14 16:17:00","lastModifiedDate":"2026-07-14 16:42:11","problem_types":["CWE-200","CWE-200 CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N","baseScore":7.1,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":4.2}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2026-07-14T15:59:40.381297Z","id":"CVE-2026-55651","options":[{"exploitation":"poc"},{"automatable":"no"},{"technicalImpact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"55651","Ordinal":"1","Title":"Easy!Appointments Vulnerable to Appointments Takeover via Excess","CVE":"CVE-2026-55651","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"55651","Ordinal":"1","NoteData":"Easy!Appointments is a self hosted appointment scheduler. In version 1.5.2, an Excessive Data Exposure vulnerability in the customers search endpoint allows an authenticated user to obtain appointment hashes belonging to other users.\nUsing these hashes, an attacker can modify or delete appointments of other providers, resulting in an Appointments Takeover. Version 1.6.0 fixes the issue.","Type":"Description","Title":"Easy!Appointments Vulnerable to Appointments Takeover via Excess"}]}}}