CVE-2026-57959
Hi.Events 1.9.0 - Promo Code Max-Usage Bypass via Asynchronous Job Race Condition
Description
Hi.Events through 1.9.0 contains a promo code validation vulnerability where reservation validates usage count before asynchronous UpdateEventStatisticsJob increments it, allowing attackers to redeem limited promo codes unlimited times. Attackers can sequentially reserve multiple orders with the same restricted promo code, each reading order_usage_count=0 and passing validation, then complete them all at discounted prices without concurrent requests.
INFO
Published Date :
June 29, 2026, 5:24 p.m.
Last Modified :
June 29, 2026, 5:24 p.m.
Remotely Exploit :
Yes !
Source :
VulnCheck
Affected Products
The following products are affected by CVE-2026-57959
vulnerability.
Even if cvefeed.io is aware of the exact versions of the
products
that
are
affected, the information is not represented in the table below.
No affected product recoded yet
CVSS Scores
| Score | Version | Severity | Vector | Exploitability Score | Impact Score | Source |
|---|---|---|---|---|---|---|
| CVSS 3.1 | MEDIUM | 83251b91-4cc7-4094-a5c7-464a1b83ea10 | ||||
| CVSS 3.1 | MEDIUM | MITRE-CVE | ||||
| CVSS 4.0 | HIGH | 83251b91-4cc7-4094-a5c7-464a1b83ea10 |
Solution
- Synchronize promo code usage count updates.
- Ensure atomic operations for validation and increment.
- Update the application to version 1.9.0 or later.
- Apply vendor patches if available.
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2026-57959 vulnerability anywhere in the article.