Server-Side Visibility Enforcement Flaw in Hi.Events by HiEventsDev
CVE-2026-60118

6.9MEDIUM

Key Information:

Status
Vendor
CVE Published:
14 July 2026

What is CVE-2026-60118?

A critical flaw in Hi.Events versions prior to 1.11.0-beta allows unauthenticated attackers to bypass authorization checks and purchase tickets that are intended to be hidden from the public. By referencing concealed product and price IDs during the order creation process, attackers can enumerate and acquire VIP, invite-only, or discounted tickets. This vulnerability poses a significant risk as it enables the exploitation of hidden ticket IDs sequentially derived from accessible ones.

Affected Version(s)

Hi.Events 0

References

CVSS V4

Score:
6.9
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Adam Młynarczyk
.