Threat Intelligence Database
Comprehensive database of the latest cyber threats affecting organizations worldwide. Filter and search to find specific threat intelligence relevant to your organization.
Stop chasing alerts. Route them.
Start free, then upgrade once to turn Radar into an automated delivery engine for your security stack.
Custom feeds / Automations: email, Slack, webhooks, SIEM/MISP / API access (baseline limits)
API access activates after upgrading in Console -> Billing.
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.
Filter Threats
Narrow down the results by type, severity, or affected countries
Threat Intelligence
Click on any threat for detailed analysis and mitigation recommendations
CVE-2026-55651: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in alextselegidis easyappointmentsCVE-2026-55651 0 Easy!Appointments is a self hosted appointment scheduler. In version 1.5.2, an Excessive Data Exposure vulnerability in the customers search endpoint allows an authenticated user to obtain appointment hashes belonging to other users. Using these hashes, an attacker can modify or delete appointments of other providers, resulting in an Appointments Takeover. Version 1.6.0 fixes the issue. Join the discussion | CVE Database V5 | 07/14/2026, 15:31:51 UTC Added: 07/14/2026, 15:48:11 UTC |
CVE-2026-52841: CWE-639: Authorization Bypass Through User-Controlled Key in alextselegidis easyappointmentsCVE-2026-52841 0 Easy!Appointments versions prior to 1.6.0 contain an authorization bypass vulnerability in the Google OAuth integration. The application stores a URL-supplied provider_id in the session without verifying ownership, allowing any logged-in backend user to rebind another provider's Google sync to their own account. This results in the attacker's calendar receiving the peer provider's appointments, including customer names and emails. Version 1.6.0 addresses this issue. Join the discussion | CVE Database V5 | 07/14/2026, 15:27:50 UTC Added: 07/14/2026, 15:48:11 UTC |
CVE-2026-52840: CWE-918: Server-Side Request Forgery (SSRF) in alextselegidis easyappointmentsCVE-2026-52840 0 Easy!Appointments versions prior to 1.6.0 contain a Server-Side Request Forgery (SSRF) vulnerability in the Caldav::connect_to_server function. This function does not validate the scheme or host of the caldav_url parameter before making a Guzzle REPORT request. Authenticated backend users can exploit this to send requests to internal network addresses such as loopback, RFC1918, and link-local hosts. The vulnerability is semi-blind, as some response data is returned in error messages. Version 1.6.0 includes a patch for this issue. Join the discussion | CVE Database V5 | 07/14/2026, 15:23:59 UTC Added: 07/14/2026, 15:48:11 UTC |
CVE-2026-52839: CWE-639: Authorization Bypass Through User-Controlled Key in alextselegidis easyappointmentsCVE-2026-52839 0 Easy!Appointments versions prior to 1.6.0 contain an authorization bypass vulnerability in the appointments management endpoints. Authenticated providers can create or update appointments in other providers' schedules without proper verification of provider ownership. This flaw allows unauthorized injection or reassignment of appointments across provider calendars. The issue is patched in version 1.6.0. Join the discussion | CVE Database V5 | 07/14/2026, 15:21:23 UTC Added: 07/14/2026, 15:48:11 UTC |
CVE-2026-52838: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in alextselegidis easyappointmentsCVE-2026-52838 0 Easy!Appointments is a self hosted appointment scheduler. Versions prior to 1.6.0 allow administrators to define a custom "booking disabled" message through the booking settings page. That value is stored in the `disable_booking_message` setting via a rich-text editor and later passed directly to the public `booking_message` view without escaping or sanitization. An authenticated administrator can store HTML or JavaScript in this field, enable disabled-booking mode, and trigger stored XSS in every unauthenticated visitor who opens the public booking page. Version 1.6.0 fixes the issue. Join the discussion | CVE Database V5 | 07/14/2026, 15:07:43 UTC Added: 07/14/2026, 15:48:11 UTC |
CVE-2026-52837: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in alextselegidis easyappointmentsCVE-2026-52837 0 Easy!Appointments is a self hosted appointment scheduler. In versions up to and including 1.5.2, the booking reschedule view at `/index.php/booking/reschedule/{appointment_hash}` (handled by `Booking::index()`) embeds the entire customer record as inline JavaScript (`const vars = {... "customer_data": {...}, ...}`) without authentication and without field whitelisting. Anyone in possession of the 12-character `appointment_hash` — which appears in plain text in reschedule emails, confirmation page URLs, and operator-side calendar links — can read every column of that customer's row in the `ea_users` table. Version 1.6.0 contains a patch. Join the discussion | CVE Database V5 | 07/14/2026, 14:48:26 UTC Added: 07/14/2026, 15:18:25 UTC |
Showing 1 to 6 of 6 results