CVE-2026-57959

Promo Code Validation Flaw in Hi.Events

Vulnerability report for CVE-2026-57959, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-29

Last updated on: 2026-06-29

Assigner: VulnCheck

Description

Hi.Events through 1.9.0 contains a promo code validation vulnerability where reservation validates usage count before asynchronous UpdateEventStatisticsJob increments it, allowing attackers to redeem limited promo codes unlimited times. Attackers can sequentially reserve multiple orders with the same restricted promo code, each reading order_usage_count=0 and passing validation, then complete them all at discounted prices without concurrent requests.

Meta Information

Generated: 2026-06-29
EPSS Evaluated: N/A

Affected Vendors & Products (3 associated CPEs)

Vendor      Product     Version / Range
hi_events   hi_events   up to 1.9.0 (inclusive)
hi_events   hi_events   1.9.0
hi_events   hi_events   1.8.0-beta

CWE

CWE-367: The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check.

Executive Summary

This vulnerability is a race condition in Hi.Events (version 1.9.0 and below) related to promo code validation. The system checks the usage count of a promo code before an asynchronous job updates that count. Because the usage count is not incremented immediately, attackers can sequentially reserve multiple orders using the same limited promo code, each time seeing the usage count as zero and passing validation. This allows them to redeem limited promo codes an unlimited number of times without needing to make concurrent requests.

Impact Analysis

The vulnerability allows attackers to bypass the maximum usage limit of promo codes, enabling unlimited redemptions of codes that are supposed to be limited or single-use. This can lead to significant financial losses for event organizers or businesses using Hi.Events, as attackers can repeatedly obtain discounted prices by exploiting the race condition.

Detection Guidance

This vulnerability involves a race condition in the promo code validation process where the usage count is checked before it is asynchronously updated. Detection would involve monitoring for multiple sequential reservations using the same limited promo code that bypass the usage limit.

Since the issue arises from the asynchronous update of usage counts, detection could include analyzing logs for repeated promo code redemptions in a short time frame without corresponding increments in usage count.

Specific commands are not provided in the available resources, but general approaches could include querying the database or application logs for promo code usage patterns, for example:

  • Check database entries for promo code usage counts and compare them with the number of completed orders using that promo code.
  • Use log analysis tools or commands like `grep` or `awk` on server logs to identify multiple reservations with the same promo code occurring sequentially.
  • Monitor application metrics or audit trails for discrepancies between promo code usage counts and actual redemptions.

Mitigation Strategies

Immediate mitigation steps include modifying the promo code validation and usage count update process to prevent the race condition.

  • Re-validate the promo code usage count during order completion, not just at reservation time.
  • Increment the promo code usage count synchronously at the time of reservation within the same transaction, rather than asynchronously.

These changes ensure that the usage count accurately reflects the number of redemptions and prevents attackers from exploiting the asynchronous update delay.
