Skip to main content

Hi Events

2 CVEs product

Monthly

CVE-2026-60119 MEDIUM PATCH This Month

Stored cross-site scripting in Hi.Events through v1.10.0-beta allows authenticated event organizers to inject arbitrary JavaScript into public event pages by embedding the raw </script> sequence in an event title, which the application's JSON.stringify() serialization fails to encode safely when placed in inline script contexts. The payload executes in the browser of every visitor to the affected event page - including unauthenticated attendees and authenticated administrators - enabling session hijacking and privilege escalation from a low-privileged creator account. No public exploit has been identified at time of analysis; a vendor-released patch is available in v1.11.0-beta.

Authentication Bypass XSS Hi Events
NVD GitHub
CVSS 4.0
5.1
EPSS
0.2%
CVE-2026-60118 MEDIUM PATCH This Month

Hidden ticket purchase bypass in Hi.Events through v1.10.0-beta allows unauthenticated remote attackers to acquire VIP, invite-only, or discounted tickets withheld from public sale by referencing hidden ticket and price IDs directly in order creation API requests. The server fails to enforce ticket visibility rules at the API layer, relying only on UI-level concealment, and sequential integer ticket IDs allow systematic enumeration from observed visible IDs. No public exploit or active exploitation (KEV) has been identified at time of analysis, but the unauthenticated network vector and low complexity make opportunistic exploitation straightforward following disclosure.

Authentication Bypass Hi Events
NVD GitHub
CVSS 4.0
6.9
EPSS
0.2%
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Stored cross-site scripting in Hi.Events through v1.10.0-beta allows authenticated event organizers to inject arbitrary JavaScript into public event pages by embedding the raw </script> sequence in an event title, which the application's JSON.stringify() serialization fails to encode safely when placed in inline script contexts. The payload executes in the browser of every visitor to the affected event page - including unauthenticated attendees and authenticated administrators - enabling session hijacking and privilege escalation from a low-privileged creator account. No public exploit has been identified at time of analysis; a vendor-released patch is available in v1.11.0-beta.

Authentication Bypass XSS Hi Events
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Hidden ticket purchase bypass in Hi.Events through v1.10.0-beta allows unauthenticated remote attackers to acquire VIP, invite-only, or discounted tickets withheld from public sale by referencing hidden ticket and price IDs directly in order creation API requests. The server fails to enforce ticket visibility rules at the API layer, relying only on UI-level concealment, and sequential integer ticket IDs allow systematic enumeration from observed visible IDs. No public exploit or active exploitation (KEV) has been identified at time of analysis, but the unauthenticated network vector and low complexity make opportunistic exploitation straightforward following disclosure.

Authentication Bypass Hi Events
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy