Description
Hi.Events through v1.10.0-beta contains a missing server-side visibility enforcement vulnerability that allows unauthenticated attackers to purchase hidden tickets by referencing hidden product and price IDs in order creation requests without authorization checks. Attackers can enumerate sequential hidden ticket IDs from visible ones and submit order creation requests referencing those IDs to purchase VIP, invite-only, or discounted tickets intentionally withheld from public sale.
No analysis available yet.
Remediation
No remediation available yet.
Tracking
Sign in to view the affected projects.
Advisories
No advisories yet.
References
History
Tue, 14 Jul 2026 18:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Hieventsdev
Hieventsdev hi.events |
|
| Vendors & Products |
Hieventsdev
Hieventsdev hi.events |
Tue, 14 Jul 2026 16:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Hi.Events through v1.10.0-beta contains a missing server-side visibility enforcement vulnerability that allows unauthenticated attackers to purchase hidden tickets by referencing hidden product and price IDs in order creation requests without authorization checks. Attackers can enumerate sequential hidden ticket IDs from visible ones and submit order creation requests referencing those IDs to purchase VIP, invite-only, or discounted tickets intentionally withheld from public sale. | |
| Title | Hi.Events v1.10.0-beta Hidden Ticket Enumeration via Order Creation Endpoint | |
| Weaknesses | CWE-862 | |
| References |
|
|
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: VulnCheck
Published:
Updated: 2026-07-14T15:42:31.865Z
Reserved: 2026-07-08T13:27:53.031Z
Link: CVE-2026-60118
No data.
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-14T17:45:03Z
Weaknesses
-
CWE-862
Missing Authorization