Skip to main content

Hi.Events EUVDEUVD-2026-40144

| CVE-2026-57959 HIGH
Time-of-check Time-of-use (TOCTOU) Race Condition (CWE-367)
2026-06-29 disclosure@vulncheck.com GHSA-m75j-c5ff-9wh8
8.2
CVSS 4.0 · Vendor: vulncheck
Share

Severity by source

Vendor (vulncheck) PRIMARY
8.2 HIGH
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
5.3 MEDIUM

Unauthenticated network checkout flow (PR:N/AV:N); description shows reliable sequential exploitation so AC:L not AC:H; impact is limited integrity abuse of discount limits (I:L), no C or A.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (vulncheck).

CVSS VectorVendor: vulncheck

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jun 29, 2026 - 18:35 vuln.today

DescriptionCVE.org

Hi.Events through 1.9.0 contains a promo code validation vulnerability where reservation validates usage count before asynchronous UpdateEventStatisticsJob increments it, allowing attackers to redeem limited promo codes unlimited times. Attackers can sequentially reserve multiple orders with the same restricted promo code, each reading order_usage_count=0 and passing validation, then complete them all at discounted prices without concurrent requests.

AnalysisAI

Promo code usage-limit bypass in Hi.Events through version 1.9.0 lets remote attackers redeem restricted/limited promo codes an unlimited number of times by exploiting a time-of-check/time-of-use gap between synchronous reservation validation and the asynchronous UpdateEventStatisticsJob that increments the usage counter. Because validation reads order_usage_count before the background job updates it, an attacker can sequentially reserve and complete many discounted orders - no concurrent/racing requests are even required. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain a valid restricted promo code
Delivery
Submit sequential reservation requests reusing it
Exploit
Each read sees stale usage_count=0 and passes
Execution
Complete all orders at discount before async job increments
Impact
Unlimited discounted purchases / revenue loss

Vulnerability AssessmentAI

Exploitation Exploitation requires that the target Hi.Events instance (≤1.9.0) offers a promo code with a usage restriction (limited total uses or per-customer cap) on a reachable, network-exposed event/checkout page, and that promo code enforcement runs through the standard flow where the UpdateEventStatisticsJob increments order_usage_count asynchronously (queued/deferred processing). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The supplied CVSS 4.0 vector (AV:N/AC:H/AT:N/PR:N/UI:N, VI:H, all else N) yields 8.2, driven almost entirely by an integrity impact on the discount/usage-limit enforcement; there is no confidentiality or availability impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker obtains a valid single-use or limited promo code (e.g., a one-per-customer or capped-quantity discount) for a public Hi.Events ticketing page. They submit several reservation requests one after another with the same code; each reservation reads usage count 0 before the background statistics job runs, so all pass validation, and the attacker checks each order out at the discounted price. …
Remediation No vendor-released patch identified at time of analysis - neither a fixed version nor a tagged release/commit is present in the provided references (only a GitHub issue and the VulnCheck advisory). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all deployed Hi.Events instances and current promotional codes with usage limits; review transaction logs for anomalous redemption patterns (multiple orders per user/IP using same restricted code). …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-40144 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy