CVE 8.2 HIGH

Hi.Events 1.9.0 – Promo Code Max-Usage Bypass via Asynchronous Job Race Condition_CVE-2026-57959

8.2 / 10
HIGH
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Description

Hi.Events through 1.9.0 contains a promo code validation vulnerability where reservation validates usage count before asynchronous UpdateEventStatisticsJob increments it, allowing attackers to redeem limited promo codes unlimited times. Attackers can sequentially reserve multiple orders with the same restricted promo code, each reading order_usage_count=0 and passing validation, then complete them all at discounted prices without concurrent requests.

Basic Information

ID CVE-2026-57959
Source VulnCheck
Published Jun 29, 2026 at 17:24

Affected Product

Vendor HiEventsDev
Product Hi.Events
Affected Versions HiEventsDev Hi.Events 0

CWE Classification

References

💭 Join the Security Discussion

🔒 Your email address will not be published. Required fields are marked *

⚠️ Please be respectful and constructive in your comments. Security discussions should remain professional.