Hi.Events before 1.11.0 contains a missing server-side visibility enforcement vulnerability that allows unauthenticated attackers to purchase hidden tickets by referencing hidden product and price IDs in order creation requests without authorization checks. Attackers can enumerate sequential hidden ticket IDs from visible ones and submit order creation requests referencing those IDs to purchase VIP, invite-only, or discounted tickets intentionally withheld from public sale.
History

Wed, 15 Jul 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 14 Jul 2026 22:30:00 +0000

Type Values Removed Values Added
First Time appeared Hi.events
Hi.events hi.events
CPEs cpe:2.3:a:hi.events:hi.events:*:*:*:*:*:*:*:*
Vendors & Products Hi.events
Hi.events hi.events

Tue, 14 Jul 2026 20:00:00 +0000

Type Values Removed Values Added
Description Hi.Events through v1.10.0-beta contains a missing server-side visibility enforcement vulnerability that allows unauthenticated attackers to purchase hidden tickets by referencing hidden product and price IDs in order creation requests without authorization checks. Attackers can enumerate sequential hidden ticket IDs from visible ones and submit order creation requests referencing those IDs to purchase VIP, invite-only, or discounted tickets intentionally withheld from public sale. Hi.Events before 1.11.0 contains a missing server-side visibility enforcement vulnerability that allows unauthenticated attackers to purchase hidden tickets by referencing hidden product and price IDs in order creation requests without authorization checks. Attackers can enumerate sequential hidden ticket IDs from visible ones and submit order creation requests referencing those IDs to purchase VIP, invite-only, or discounted tickets intentionally withheld from public sale.
Title Hi.Events v1.10.0-beta Hidden Ticket Enumeration via Order Creation Endpoint Hi.Events < 1.11.0 Hidden Ticket Enumeration via Order Creation Endpoint

Tue, 14 Jul 2026 18:00:00 +0000

Type Values Removed Values Added
First Time appeared Hieventsdev
Hieventsdev hi.events
Vendors & Products Hieventsdev
Hieventsdev hi.events

Tue, 14 Jul 2026 16:15:00 +0000

Type Values Removed Values Added
Description Hi.Events through v1.10.0-beta contains a missing server-side visibility enforcement vulnerability that allows unauthenticated attackers to purchase hidden tickets by referencing hidden product and price IDs in order creation requests without authorization checks. Attackers can enumerate sequential hidden ticket IDs from visible ones and submit order creation requests referencing those IDs to purchase VIP, invite-only, or discounted tickets intentionally withheld from public sale.
Title Hi.Events v1.10.0-beta Hidden Ticket Enumeration via Order Creation Endpoint
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published: 2026-07-14T15:42:31.865Z

Updated: 2026-07-15T15:42:42.390Z

Reserved: 2026-07-08T13:27:53.031Z

Link: CVE-2026-60118

cve-icon Vulnrichment

Updated: 2026-07-15T15:42:30.881Z

cve-icon NVD

No data.

cve-icon Redhat

No data.