Server-Side Visibility Enforcement Flaw in Hi.Events by HiEventsDev
CVE-2026-60118
6.9MEDIUM
What is CVE-2026-60118?
A critical flaw in Hi.Events versions prior to 1.11.0-beta allows unauthenticated attackers to bypass authorization checks and purchase tickets that are intended to be hidden from the public. By referencing concealed product and price IDs during the order creation process, attackers can enumerate and acquire VIP, invite-only, or discounted tickets. This vulnerability poses a significant risk as it enables the exploitation of hidden ticket IDs sequentially derived from accessible ones.
Affected Version(s)
Hi.Events 0
