CVE-2026-60118

Source
https://cve.org/CVERecord?id=CVE-2026-60118
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-60118.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-60118
Aliases
  • GHSA-2h54-cprv-vj74
Published
2026-07-14T15:42:31.865Z
Modified
2026-07-17T03:41:54.921857141Z
Severity
  • 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
Hi.Events < 1.11.0 Hidden Ticket Enumeration via Order Creation Endpoint
Details

Hi.Events before 1.11.0 contains a missing server-side visibility enforcement vulnerability that allows unauthenticated attackers to purchase hidden tickets by referencing hidden product and price IDs in order creation requests without authorization checks. Attackers can enumerate sequential hidden ticket IDs from visible ones and submit order creation requests referencing those IDs to purchase VIP, invite-only, or discounted tickets intentionally withheld from public sale.

Database specific
{
    "cwe_ids": [
        "CWE-862"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/60xxx/CVE-2026-60118.json",
    "cna_assigner": "VulnCheck",
    "unresolved_ranges": [
        {
            "extracted_events": [
                {
                    "fixed": "1.11.0"
                }
            ],
            "source": "AFFECTED_FIELD"
        },
        {
            "extracted_events": [
                {
                    "fixed": "1.11.0"
                }
            ],
            "source": "CPE_FIELD"
        },
        {
            "extracted_events": [
                {
                    "introduced": "Hi.Events"
                },
                {
                    "fixed": "1.11.0"
                }
            ],
            "source": "DESCRIPTION"
        }
    ]
}
References

Affected packages

Git / github.com/hieventsdev/hi.events

Affected ranges

Type
GIT
Repo
https://github.com/hieventsdev/hi.events
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed
Database specific
{
    "source": "REFERENCES"
}

Affected versions

v.*
v.1.10.0-beta
v0.*
v0.1.0-alpha.1
v0.1.0-alpha.10
v0.1.0-alpha.11
v0.1.0-alpha.12
v0.1.0-alpha.13
v0.1.0-alpha.14
v0.1.0-alpha.15
v0.1.0-alpha.16
v0.1.0-alpha.17
v0.1.0-alpha.2
v0.1.0-alpha.3
v0.1.0-alpha.4
v0.1.0-alpha.5
v0.1.0-alpha.6
v0.1.0-alpha.8
v0.1.0-alpha.9
v0.2.0-alpha.1
v0.2.0-alpha.2
v0.2.0-alpha.3
v0.3.0-alpha.1
v0.3.0-alpha.2
v0.3.0-alpha.3
v0.4.0-alpha.1
v0.4.0-alpha.2
v0.5.0-alpha.1
v0.5.0-alpha.2
v0.6.0-alpha.1
v0.6.0-alpha.2
v0.6.0-alpha.3
v0.7.0-alpha.1
v0.7.0-alpha.2
v0.7.0-alpha.3
v0.7.0-beta.1
v0.7.0-beta.2
v0.7.0-beta.3
v0.7.0-beta.4
v0.7.0-beta.5
v0.7.0-beta.6
v0.8.0-beta.1
v0.8.0-beta.2
v0.8.0-beta.3
v0.8.0-beta.4
v0.8.0-beta.5
v0.8.0-beta.6
v0.8.0-beta.7
v0.8.0-beta.8
v0.8.0-beta.9
v1.*
v1.0.0-alpha.10
v1.0.0-alpha.11
v1.0.0-alpha.12
v1.0.0-alpha.13
v1.0.0-alpha.14
v1.0.0-alpha.15
v1.0.0-alpha.16
v1.0.0-alpha.17
v1.0.0-alpha.5
v1.0.0-alpha.6
v1.0.0-alpha.7
v1.0.0-alpha.8
v1.0.0-alpha.9
v1.0.0-beta.1
v1.0.0-beta.2
v1.0.0-beta.3
v1.0.0-beta.4
v1.0.0-beta.5
v1.0.0-beta.6
v1.1.0-alpha.1
v1.1.0-alpha.2
v1.1.0-beta.1
v1.1.0-beta.2
v1.2.0-beta.1
v1.3.0-beta.1
v1.4.0-beta.1
v1.5.0-beta.1
v1.5.1-beta.1
v1.6.0-beta.1
v1.7.0-beta
v1.7.1-beta
v1.8.0-beta
v1.9.0-beta

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-60118.json"