CVE-2026-57959

Sažetak

Hi.Events through 1.9.0 contains a promo code validation vulnerability where reservation validates usage count before asynchronous UpdateEventStatisticsJob increments it, allowing attackers to redeem limited promo codes unlimited times. Attackers can sequentially reserve multiple orders with the same restricted promo code, each reading order_usage_count=0 and passing validation, then complete them all at discounted prices without concurrent requests.

Reference

https://github.com/HiEventsDev/Hi.Events/issues/1223
https://www.vulncheck.com/advisories/hi-events-promo-code-max-usage-bypass-via-asynchronous-job-race-condition

CVSS

Base:	5.9
Impact:	3.6
Exploitability:	2.2

Pristup

Vektor	Složenost	Autentikacija
NETWORK	HIGH	NONE

Impact

Povjerljivost	Cjelovitost	Dostupnost
NONE	HIGH	NONE

CVSS vektor

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

Zadnje važnije ažuriranje

29-06-2026 - 20:17

Objavljeno

29-06-2026 - 18:16