CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-57959

mediumCVSS 5.9covered by 1 sourcefirst seen 2026-06-29
Hi.Events through 1.9.0 contains a promo code validation vulnerability where reservation validates usage count before asynchronous UpdateEventStatisticsJob increments it, allowing attackers to redeem limited promo codes unlimited times. Attackers can sequentially reserve multiple orders with the same restricted promo code, each reading order_usage_count=0 and passing validation, then complete them all at discounted prices without concurrent requests.

⚡ Watch CVE-2026-57959

Get an email if CVE-2026-57959 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Exploitation outlook

Advisory coverage (1)

External references

NVD record for CVE-2026-57959

CVE.org record

Embed the live status

CVE-2026-57959 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-57959 status](https://www.csirts.com/badge/CVE-2026-57959)](https://www.csirts.com/cve/CVE-2026-57959)