Impact
Hi.Events enables users to reserve event tickets and apply promotional codes that reduce the price. In the vulnerable release, a promo code's usage count is checked against its limit when a reservation is validated, but the count is only incremented later by an asynchronous statistics job. An attacker can therefore redeem a limited-use code an unlimited number of times by submitting reservations in sequence before the job runs, because each reservation still reads the usage count as zero. The underlying weakness is a time-of-check to time-of-use race condition (CWE-367) that permits creating multiple orders with a single discounted code, yielding repeated financial benefit and potential disruption of the platform.
Affected Systems
The flaw exists in the Hi.Events platform released by HiEventsDev, specifically version 1.9.0. Any deployment of this release that accepts promotional codes can be exploited; newer releases, which validate usage only after the statistics update has been applied, address the issue.
Risk and Exploitability
The CVSS score of 8.2 indicates high severity. No EPSS score is currently available, which implies limited publicly known exploitation data, and the vulnerability is not listed in the CISA KEV catalog. Attackers can exploit it by making ordinary reservation requests against the web interface; no special privileges are required. The race condition depends on the timing gap between order validation and the asynchronous statistics job, which makes the attack feasible in a typical deployment where the job runs on a separate background worker.
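To make the check-then-defer pattern described in the Impact and Risk sections concrete, the following is an added example written for this page; it is not Hi.Events code. The table names (`promo_codes`, `orders`), column names and the `pending_jobs` list standing in for the application's queue are assumptions. It places several reservations against a one-use code before the simulated statistics job runs, once with the weak pattern (validate against the stale counter, increment later) and once with a hardened pattern that performs the limit check and the increment as a single conditional UPDATE inside the order transaction, so the cap is enforced by the database regardless of job timing.

```python
"""Promo-code limit enforcement: check-then-defer race vs. atomic conditional update.

Added example, not Hi.Events code. Schema, table names and the pending_jobs
list (a stand-in for the asynchronous statistics job) are assumptions.
"""
import sqlite3


def fresh_db(max_uses: int) -> sqlite3.Connection:
    """Constructed schema: one capped promo code plus an orders table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE promo_codes (
            code TEXT PRIMARY KEY, max_uses INTEGER NOT NULL, usage_count INTEGER NOT NULL);
        CREATE TABLE orders (id INTEGER PRIMARY KEY, code TEXT NOT NULL);
    """)
    conn.execute("INSERT INTO promo_codes VALUES ('SAVE10', ?, 0)", (max_uses,))
    conn.commit()
    return conn


def reserve_check_then_defer(conn: sqlite3.Connection, code: str, pending_jobs: list) -> bool:
    """Weak pattern: validate against the current counter, then leave the increment
    to a background job. Every reservation placed before that job runs sees the
    same stale usage_count, so the limit is never actually enforced."""
    row = conn.execute(
        "SELECT usage_count, max_uses FROM promo_codes WHERE code = ?", (code,)).fetchone()
    if row is None or row[0] >= row[1]:
        return False
    conn.execute("INSERT INTO orders (code) VALUES (?)", (code,))
    conn.commit()
    pending_jobs.append(code)  # queued statistics update, applied later
    return True


def run_statistics_job(conn: sqlite3.Connection, pending_jobs: list) -> None:
    """Simulated asynchronous worker: applies the deferred increments."""
    for code in pending_jobs:
        conn.execute(
            "UPDATE promo_codes SET usage_count = usage_count + 1 WHERE code = ?", (code,))
    conn.commit()
    pending_jobs.clear()


def reserve_atomic(conn: sqlite3.Connection, code: str) -> bool:
    """Hardened pattern: the limit check and the increment are one conditional
    UPDATE in the same transaction as the order insert. A second reservation
    cannot read a stale count because there is no separate read step."""
    with conn:  # commits on success, rolls back on exception
        cur = conn.execute(
            "UPDATE promo_codes SET usage_count = usage_count + 1 "
            "WHERE code = ? AND usage_count < max_uses", (code,))
        if cur.rowcount != 1:
            return False  # cap already reached (or unknown code)
        conn.execute("INSERT INTO orders (code) VALUES (?)", (code,))
    return True


def orders_created(max_uses: int, attempts: int, atomic: bool) -> int:
    """Place `attempts` reservations before the statistics job runs and report
    how many orders were created; a correct implementation never exceeds max_uses."""
    conn = fresh_db(max_uses)
    pending: list = []
    for _ in range(attempts):
        if atomic:
            reserve_atomic(conn, "SAVE10")
        else:
            reserve_check_then_defer(conn, "SAVE10", pending)
    run_statistics_job(conn, pending)
    return conn.execute("SELECT COUNT(*) FROM orders").fetchone()[0]


if __name__ == "__main__":
    print("check-then-defer, cap 1, 5 attempts ->", orders_created(1, 5, atomic=False), "orders")
    print("atomic update,    cap 1, 5 attempts ->", orders_created(1, 5, atomic=True), "orders")
```

The defensive takeaway is that a usage cap is an invariant on shared state and must be enforced where the state lives: a conditional update (or an equivalent `SELECT ... FOR UPDATE` under a real RDBMS) keeps the check and the write in one atomic step, whereas any design that reads a counter, decides, and updates it later leaves a window that ordinary sequential requests can walk through.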
OpenCVE Enrichment