Cross-Site Scripting Vulnerability in Hi.Events Product from Hi.Events Dev
CVE-2026-60119

5.1MEDIUM

Key Information:

Status
Vendor
CVE Published:
14 July 2026

What is CVE-2026-60119?

Hi.Events version v1.10.0-beta is vulnerable to cross-site scripting (XSS) through malicious event titles. Authenticated users with event creation or editing permissions can inject arbitrary HTML and JavaScript. This is possible due to the failure to properly escape specific sequences in the application's JSON.stringify() method, allowing crafted event titles to execute in the browsers of any user accessing the public event page, including both unauthenticated visitors and authenticated administrators.

Affected Version(s)

Hi.Events 0

References

CVSS V4

Score:
5.1
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Adam Młynarczyk
.