CVE-2026-57959 | Hi.Events through 1.9.0 contains a promo code validation vul… | CVSS 5.9 MEDIUM

Description

Hi.Events through 1.9.0 contains a promo code validation vulnerability where reservation validates usage count before asynchronous UpdateEventStatisticsJob increments it, allowing attackers to redeem limited promo codes unlimited times. Attackers can sequentially reserve multiple orders with the same restricted promo code, each reading order_usage_count=0 and passing validation, then complete them all at discounted prices without concurrent requests.

Metadata

CVE ID: CVE-2026-57959
State: PUBLISHED
Assigner: VulnCheck
Reserved: 2026-06-26 13:59 UTC
Published: 2026-06-29 17:24 UTC
Last updated: 2026-06-29 19:40 UTC
Primary CWE: CWE-367
Time-of-check Time-of-use (TOCTOU) Race Condition
Vendor / Product: HiEventsDev / Hi.Events
Sources: cve.org · NVD

Severity & Metrics

5.9 MEDIUM CVSS 3.1

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

SSVC — CISA Coordinator

Exploitation: none
Automatable: no
Tech. Impact: partial

Affected products (1)

Vendor	Product	Platform	Versions
HiEventsDev	Hi.Events	—	0 ≤ 1.9.0

Weakness (CWE)

CWE	Source	Description
CWE-367	cna	Time-of-check Time-of-use (TOCTOU) Race Condition

CVSS scores (2)

Score	Severity	Version	Source	Vector
8.2	HIGH	4.0	cna	CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
5.9	MEDIUM	3.1	cna	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

References (2)