Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.

Threat Intelligence Database

Comprehensive database of the latest cyber threats affecting organizations worldwide. Filter and search to find specific threat intelligence relevant to your organization.

Pro Console Lifetime

Stop chasing alerts. Route them.

Start free, then upgrade once to turn Radar into an automated delivery engine for your security stack.

Custom feeds / Automations: email, Slack, webhooks, SIEM/MISP / API access (baseline limits)

View Plans & Pricing

API access activates after upgrading in Console -> Billing.

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now

Filter Threats

Narrow down the results by type, severity, or affected countries

Search threats by title, CVE ID, or description. Maximum 100 characters.

Threat Intelligence

Click on any threat for detailed analysis and mitigation recommendations

CVE-2026-55651: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in alextselegidis easyappointmentsCVE-2026-55651
0

Easy!Appointments is a self hosted appointment scheduler. In version 1.5.2, an Excessive Data Exposure vulnerability in the customers search endpoint allows an authenticated user to obtain appointment hashes belonging to other users. Using these hashes, an attacker can modify or delete appointments of other providers, resulting in an Appointments Takeover. Version 1.6.0 fixes the issue.

Join the discussion
CVE-2026-52841: CWE-639: Authorization Bypass Through User-Controlled Key in alextselegidis easyappointmentsCVE-2026-52841
0

Easy!Appointments versions prior to 1.6.0 contain an authorization bypass vulnerability in the Google OAuth integration. The application stores a URL-supplied provider_id in the session without verifying ownership, allowing any logged-in backend user to rebind another provider's Google sync to their own account. This results in the attacker's calendar receiving the peer provider's appointments, including customer names and emails. Version 1.6.0 addresses this issue.

Join the discussion
CVE-2026-52840: CWE-918: Server-Side Request Forgery (SSRF) in alextselegidis easyappointmentsCVE-2026-52840
0

Easy!Appointments versions prior to 1.6.0 contain a Server-Side Request Forgery (SSRF) vulnerability in the Caldav::connect_to_server function. This function does not validate the scheme or host of the caldav_url parameter before making a Guzzle REPORT request. Authenticated backend users can exploit this to send requests to internal network addresses such as loopback, RFC1918, and link-local hosts. The vulnerability is semi-blind, as some response data is returned in error messages. Version 1.6.0 includes a patch for this issue.

Join the discussion
CVE-2026-52839: CWE-639: Authorization Bypass Through User-Controlled Key in alextselegidis easyappointmentsCVE-2026-52839
0

Easy!Appointments versions prior to 1.6.0 contain an authorization bypass vulnerability in the appointments management endpoints. Authenticated providers can create or update appointments in other providers' schedules without proper verification of provider ownership. This flaw allows unauthorized injection or reassignment of appointments across provider calendars. The issue is patched in version 1.6.0.

Join the discussion
CVE-2026-52838: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in alextselegidis easyappointmentsCVE-2026-52838
0

Easy!Appointments is a self hosted appointment scheduler. Versions prior to 1.6.0 allow administrators to define a custom "booking disabled" message through the booking settings page. That value is stored in the `disable_booking_message` setting via a rich-text editor and later passed directly to the public `booking_message` view without escaping or sanitization. An authenticated administrator can store HTML or JavaScript in this field, enable disabled-booking mode, and trigger stored XSS in every unauthenticated visitor who opens the public booking page. Version 1.6.0 fixes the issue.

Join the discussion
CVE-2026-52837: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in alextselegidis easyappointmentsCVE-2026-52837
0

Easy!Appointments is a self hosted appointment scheduler. In versions up to and including 1.5.2, the booking reschedule view at `/index.php/booking/reschedule/{appointment_hash}` (handled by `Booking::index()`) embeds the entire customer record as inline JavaScript (`const vars = {... "customer_data": {...}, ...}`) without authentication and without field whitelisting. Anyone in possession of the 12-character `appointment_hash` — which appears in plain text in reschedule emails, confirmation page URLs, and operator-side calendar links — can read every column of that customer's row in the `ea_users` table. Version 1.6.0 contains a patch.

Join the discussion

Showing 1 to 6 of 6 results

Page 1 of 1
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses