Skip to main content

Hi.Events CVE-2026-60118

| EUVDEUVD-2026-43740 MEDIUM
Missing Authorization (CWE-862)
2026-07-14 VulnCheck
6.9
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
5.3 MEDIUM

Network-reachable unauthenticated API endpoint with no interaction required; impact is low integrity only - unauthorized ticket purchase with no data disclosure or service disruption.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Source Code Evidence Fetched
Jul 14, 2026 - 16:31 vuln.today
Analysis Generated
Jul 14, 2026 - 16:31 vuln.today

DescriptionCVE.org

Hi.Events through v1.10.0-beta contains a missing server-side visibility enforcement vulnerability that allows unauthenticated attackers to purchase hidden tickets by referencing hidden product and price IDs in order creation requests without authorization checks. Attackers can enumerate sequential hidden ticket IDs from visible ones and submit order creation requests referencing those IDs to purchase VIP, invite-only, or discounted tickets intentionally withheld from public sale.

AnalysisAI

Hidden ticket purchase bypass in Hi.Events through v1.10.0-beta allows unauthenticated remote attackers to acquire VIP, invite-only, or discounted tickets withheld from public sale by referencing hidden ticket and price IDs directly in order creation API requests. The server fails to enforce ticket visibility rules at the API layer, relying only on UI-level concealment, and sequential integer ticket IDs allow systematic enumeration from observed visible IDs. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Observe visible ticket IDs on public event checkout
Delivery
Increment IDs to enumerate hidden ticket types
Exploit
Identify hidden VIP or discounted ticket and price IDs
Execution
Craft unauthenticated order creation API request with hidden IDs
Impact
Complete unauthorized ticket purchase

Vulnerability AssessmentAI

Exploitation The target Hi.Events instance must have at least one event configured with hidden tickets (tickets marked hidden in the organizer dashboard). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 score of 6.9 with AV:N/AC:L/AT:N/PR:N/UI:N reflects a remotely exploitable, unauthenticated, zero-complexity attack - all signals point to trivial automatable exploitation. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker visits a Hi.Events-hosted event page, notes visible ticket IDs embedded in the public checkout UI or API responses, then iterates those integers to probe for adjacent hidden ticket IDs. After identifying a hidden VIP or discounted ticket ID, the attacker directly posts an order creation request to the API referencing the hidden ticket and its price ID without authenticating, successfully completing a purchase at a restricted price. …
Remediation Upgrade Hi.Events to v1.11.0-beta or later, which patches hidden ticket purchase prevention via PR #1259 (commit 9eec95e6176f500b71bf633986243045ca78cefb). … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-60118 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy