CVE-2026-34455
Received Received - Intake
SQL Injection in Hi.Events Repository Classes Enables Stacked Queries

Publication date: 2026-04-01

Last updated on: 2026-04-15

Assigner: GitHub, Inc.

Description
Hi.Events is an open-source event management and ticket selling platform. From version 0.8.0-beta.1 to before version 1.7.1-beta, multiple repository classes pass the user-supplied sort_by query parameter directly to Eloquent's orderBy() without validation, enabling SQL injection. The application uses PostgreSQL which supports stacked queries. This issue has been patched in version 1.7.1-beta.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-01
Last Modified
2026-04-15
Generated
2026-06-16
AI Q&A
2026-04-01
EPSS Evaluated
2026-06-15
NVD
CVE-2026-34455
EUVD
EUVD-2026-18007
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
hi.events hi.events From 0.8.0 (inc) to 1.7.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-34455 is a high-severity SQL Injection vulnerability in the Hi.Events open-source event management platform. The issue occurs because multiple repository classes pass the user-supplied `sort_by` query parameter directly to Eloquent's `orderBy()` method without validating it. Since the application uses PostgreSQL, which supports stacked queries, this lack of validation allows attackers to inject malicious SQL commands.

The root cause is that non-admin repository classes do not validate the `sort_by` parameter against a whitelist of allowed sort fields, even though such a whitelist method (`getAllowedSorts()`) exists and is used in admin endpoints. This flaw enables an authenticated organizer to perform SQL injection by manipulating the `sort_by` parameter.

The vulnerability was fixed by introducing validation methods that check the `sort_by` and `sort_direction` parameters against allowlists defined in domain objects. If invalid values are provided, the system falls back to default sorting parameters, preventing injection attacks.

Impact Analysis

This vulnerability can have serious impacts because it allows an authenticated organizer to execute arbitrary SQL commands on the database via the `sort_by` parameter. Since PostgreSQL supports stacked queries, attackers can run multiple SQL statements in a single query.

Potential impacts include unauthorized data access and exfiltration, such as sensitive personally identifiable information (PII) of attendees, payment data, and promo codes. This could lead to data breaches, loss of confidentiality, and compromise of the event management system's integrity.

A proof of concept demonstrated a time-based blind SQL injection attack that caused a delay in the server response, confirming the ability to execute injected SQL commands.

Detection Guidance

This vulnerability can be detected by testing if the application improperly handles the `sort_by` query parameter in API requests, allowing SQL injection. A proof of concept involves sending a specially crafted request with a SQL payload in the `sort_by` parameter and observing the response delay caused by the injected query.

For example, an authenticated organizer can send a request like:

  • GET /api/events/{id}/attendees?sort_by=id; SELECT pg_sleep(5)--

If the response is delayed by approximately 5 seconds, it indicates successful SQL injection exploitation, confirming the vulnerability.

Mitigation Strategies

The immediate mitigation step is to upgrade the Hi.Events application to version 1.7.1-beta or later, where the vulnerability has been patched.

The patch enforces strict validation of the `sort_by` and `sort_direction` parameters against allowlists defined in domain objects, preventing unsafe inputs from reaching the database query.

If upgrading is not immediately possible, as a temporary measure, restrict access to the affected endpoints to trusted users only, and monitor for suspicious query parameters that include SQL syntax.

Long-term mitigation involves ensuring that all user-supplied inputs used in database queries are validated against allowlists or sanitized properly.

Compliance Impact

The vulnerability allows SQL injection attacks that can lead to unauthorized access and potential exfiltration of sensitive data such as personally identifiable information (PII), payment data, and promo codes stored in the Hi.Events platform.

Such unauthorized data exposure could result in non-compliance with data protection regulations like GDPR and HIPAA, which mandate strict controls over the confidentiality and integrity of personal and sensitive information.

Because exploitation requires an authenticated organizer role and can lead to data leakage through stacked queries in PostgreSQL, this vulnerability poses a significant risk to maintaining compliance with these standards.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-34455. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart