Export limit exceeded: 366256 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.

Search

Search Results (3 CVEs found)

CVE Vendors Products Updated CVSS v3.1
CVE-2026-60119 1 Hieventsdev 1 Hi.events 2026-07-14 5.4 Medium
Hi.Events before 1.11.0 contains a cross-site scripting vulnerability that allows authenticated attackers with event creation or edit permissions to inject arbitrary HTML and JavaScript by embedding a malicious event title containing the </script> sequence, which is not escaped by JSON.stringify() when embedded in inline script tags. Attackers can craft an event title that breaks out of the script context in the application/ld+json structured data block or server-side rehydrated state, causing the payload to execute in the browser of any user who views the public event page, including unauthenticated visitors and authenticated administrators.
CVE-2026-60118 1 Hieventsdev 1 Hi.events 2026-07-14 5.3 Medium
Hi.Events before 1.11.0 contains a missing server-side visibility enforcement vulnerability that allows unauthenticated attackers to purchase hidden tickets by referencing hidden product and price IDs in order creation requests without authorization checks. Attackers can enumerate sequential hidden ticket IDs from visible ones and submit order creation requests referencing those IDs to purchase VIP, invite-only, or discounted tickets intentionally withheld from public sale.
CVE-2026-34455 2 Hi.events, Hieventsdev 2 Hi.events, Hi.events 2026-04-15 8.8 High
Hi.Events is an open-source event management and ticket selling platform. From version 0.8.0-beta.1 to before version 1.7.1-beta, multiple repository classes pass the user-supplied sort_by query parameter directly to Eloquent's orderBy() without validation, enabling SQL injection. The application uses PostgreSQL which supports stacked queries. This issue has been patched in version 1.7.1-beta.