Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionGitHub Advisory
Hi.Events is an open-source event management and ticket selling platform. From version 0.8.0-beta.1 to before version 1.7.1-beta, multiple repository classes pass the user-supplied sort_by query parameter directly to Eloquent's orderBy() without validation, enabling SQL injection. The application uses PostgreSQL which supports stacked queries. This issue has been patched in version 1.7.1-beta.
AnalysisAI
SQL injection in Hi.Events open-source event management platform (versions 0.8.0-beta.1 through 1.7.0-beta) allows remote unauthenticated attackers to execute arbitrary SQL queries via unsanitized sort_by parameters passed to Eloquent's orderBy() method. The PostgreSQL backend supports stacked queries, enabling multi-statement injection. While CVSS 8.7 reflects high confidentiality impact and no authentication requirement, no public exploit code or CISA KEV listing exists at time of analysis. Vendor-released patch available in version 1.7.1-beta.
Technical ContextAI
Hi.Events uses Laravel's Eloquent ORM with PostgreSQL as the database backend. The vulnerability stems from CWE-89 (SQL Injection) where multiple repository classes accept user-controlled sort_by query parameters from HTTP requests and pass them directly to Eloquent's orderBy() method without input validation or parameterization. Unlike MySQL's default configuration, PostgreSQL allows stacked queries (semicolon-separated statements), which escalates the impact from data exfiltration to potential command chaining. The flaw exists in the event management and ticketing workflow components where sorting functionality is exposed to unauthenticated users through the web interface. The commit reference (01e1aee28d7) indicates the fix implements input validation against a whitelist of allowed column names before passing values to the ORM layer.
RemediationAI
Upgrade to Hi.Events version 1.7.1-beta immediately, available at https://github.com/HiEventsDev/Hi.Events/releases/tag/v1.7.1-beta. The upstream fix in commit 01e1aee28d7 and pull request 1128 (https://github.com/HiEventsDev/Hi.Events/pull/1128) implements input validation for sort_by parameters against an allowed column whitelist before passing to Eloquent orderBy(). Organizations unable to upgrade immediately should implement web application firewall (WAF) rules to block requests containing SQL metacharacters (semicolons, quotes, comment sequences) in sort_by and similar sorting parameters. Network-level access controls restricting Hi.Events administrative interfaces to trusted IP ranges provide defense-in-depth. Review PostgreSQL logs for suspicious multi-statement queries or unexpected ORDER BY clauses as indicators of exploitation attempts. Audit any custom repository classes for similar unvalidated user input passed to ORM methods.
More in PostgreSQL
View allPostgreSQL libpq functions PQescapeLiteral(), PQescapeIdentifier(), PQescapeString(), and PQescapeStringConn() improperl
An issue was discovered in Appsmith before 1.52. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl
Argument injection vulnerability in PostgreSQL 9.2.x before 9.2.4, 9.1.x before 9.1.9, and 9.0.x before 9.0.13 allows re
Unauthenticated arbitrary file write in Splunk Enterprise (below 10.2.4 and 10.0.7) and Splunk Cloud Platform (below 10.
PostgreSQL versions before 9.2.22, 9.3.18, 9.4.13, 9.5.8 and 9.6.4 are vulnerable to incorrect authentication flaw allow
The build_tablename function in pgsql.c in the PostgreSQL (aka pgsql) extension in PHP through 5.6.7 does not validate t
A vulnerability in the h2oai/h2o-3 REST API versions 3.46.0.4 allows unauthenticated remote attackers to execute arbitra
In PostgreSQL 9.3 through 11.2, the "COPY TO/FROM PROGRAM" function allows superusers and users in the 'pg_execute_serve
## Summary An unauthenticated SQL injection vulnerability exists in the Vendure Shop API. A user-controlled query strin
Parse Server is an open source http web server backend. Rated critical severity (CVSS 10.0), this vulnerability is remot
Hard-coded default PostgreSQL credentials shipped in the docker-compose.yaml of langgenius Dify through version 1.5.1 al
A vulnerability in the FinanceChatLlamaPack of the run-llama/llama_index repository, versions up to v0.12.3, allows for
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-18007