Back to overview

CVE-2026-60118

MEDIUM Exploitation: PoC
5.3
CVSS 3.1
Description
Hi.Events before 1.11.0 contains a missing server-side visibility enforcement vulnerability that allows unauthenticated attackers to purchase hidden tickets by referencing hidden product and price IDs in order creation requests without authorization checks. Attackers can enumerate sequential hidden ticket IDs from visible ones and submit order creation requests referencing those IDs to purchase VIP, invite-only, or discounted tickets intentionally withheld from public sale.

Metadata

CVE ID
CVE-2026-60118
State
PUBLISHED
Assigner
VulnCheck
Reserved
2026-07-08 13:27 UTC
Published
2026-07-14 15:42 UTC
Last updated
2026-07-15 15:42 UTC
Primary CWE
CWE-862
Missing Authorization
Vendor / Product
HiEventsDev / Hi.Events
Sources
cve.org  ·  NVD

Severity & Metrics

5.3 MEDIUM CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
SSVC — CISA Coordinator
Exploitation
PoC
Automatable
yes
Tech. Impact
partial
Affected products (1)
VendorProductPlatformVersions
HiEventsDev Hi.Events 0 < 1.11.0
Weakness (CWE)
CWESourceDescription
CWE-862 cna Missing Authorization
CVSS scores (2)
ScoreSeverityVersionSourceVector
6.9 MEDIUM 4.0 cna CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
5.3 MEDIUM 3.1 cna CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Back to overview