Description
Hi.Events is an open-source event management and ticket selling platform. From version 0.8.0-beta.1 to before version 1.7.1-beta, multiple repository classes pass the user-supplied sort_by query parameter directly to Eloquent's orderBy() without validation, enabling SQL injection. The application uses PostgreSQL which supports stacked queries. This issue has been patched in version 1.7.1-beta.
Published: 2026-04-01
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection leading to unauthorized data manipulation
Action: Apply patch
AI Analysis

Impact

Hi.Events versions from 0.8.0-beta.1 up to just before 1.7.1-beta allow attackers to inject raw SQL through the unvalidated sort_by query parameter. The vulnerable code passes the supplied value directly to Eloquent's orderBy() method, and because the application uses PostgreSQL, which supports stacked queries, the injected payload can be executed as additional SQL statements. This flaw can enable attackers to read, modify, or delete data from the database and potentially exfiltrate sensitive information or disrupt operations.

Affected Systems

The vulnerability affects the Hi.Events event management platform developed by HiEventsDev. Affected releases include all versions starting with 0.8.0-beta.1 up to, but not including, 1.7.1-beta. Users running any of these builds are potentially exposed.

Risk and Exploitability

The flaw carries a CVSS score of 8.7, indicating high severity. While EPSS information is not available, the fact that the exploitation vector is an HTTP query parameter makes the attack unitable from a web context, likely without authentication. The vulnerability is not listed in the KEV catalog, but the high severity and ability to run arbitrary SQL on a PostgreSQL database make it a significant risk to confidentiality, integrity, and availability of affected deployments.

Generated by OpenCVE AI on April 2, 2026 at 03:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Hi.Events to version 1.7.1-beta or later to apply the vendor patch
  • If an upgrade is not immediately possible, limit the sort_by parameter to a whitelist of allowed column names and escape or validate all input before passing it to the database
  • Deploy web application firewall rules to detect and block suspicious SQL injection patterns on the sort_by endpoint
  • Regularly review database logs for unexpected queries and monitor for potential data exfiltration activity

Generated by OpenCVE AI on April 2, 2026 at 03:44 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 15 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Hi.events
Hi.events hi.events
CPEs cpe:2.3:a:hi.events:hi.events:*:*:*:*:*:*:*:*
Vendors & Products Hi.events
Hi.events hi.events
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Hieventsdev
Hieventsdev hi.events
Vendors & Products Hieventsdev
Hieventsdev hi.events
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Hi.Events is an open-source event management and ticket selling platform. From version 0.8.0-beta.1 to before version 1.7.1-beta, multiple repository classes pass the user-supplied sort_by query parameter directly to Eloquent's orderBy() without validation, enabling SQL injection. The application uses PostgreSQL which supports stacked queries. This issue has been patched in version 1.7.1-beta.
Title Hi.Events: SQL Injection via Unvalidated sort_by Query Parameter in Multiple Repository Classes
Weaknesses CWE-89
References
Metrics cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Hi.events Hi.events
Hieventsdev Hi.events
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-02T16:24:31.776Z

Reserved: 2026-03-27T18:18:14.895Z

Link: CVE-2026-34455

cve-icon Vulnrichment

Updated: 2026-04-02T15:14:52.558Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-01T20:16:25.957

Modified: 2026-04-15T14:33:27.223

Link: CVE-2026-34455

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-02T20:16:48Z

Weaknesses