Hi.Events before 1.11.0 contains a cross-site scripting vulnerability that allows authenticated attackers with event creation or edit permissions to inject arbitrary HTML and JavaScript by embedding a malicious event title containing the </script> sequence, which is not escaped by JSON.stringify() when embedded in inline script tags. Attackers can craft an event title that breaks out of the script context in the application/ld+json structured data block or server-side rehydrated state, causing the payload to execute in the browser of any user who views the public event page, including unauthenticated visitors and authenticated administrators.
{
"cwe_ids": [
"CWE-862"
],
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/60xxx/CVE-2026-60119.json",
"unresolved_ranges": [
{
"extracted_events": [
{
"fixed": "1.11.0"
}
],
"source": "AFFECTED_FIELD"
},
{
"extracted_events": [
{
"fixed": "1.11.0"
}
],
"source": "CPE_FIELD"
},
{
"extracted_events": [
{
"introduced": "Hi.Events"
},
{
"fixed": "1.11.0"
}
],
"source": "DESCRIPTION"
}
],
"cna_assigner": "VulnCheck"
}