🔐 CVE Alert

CVE-2026-60119

MEDIUM 5.4

Hi.Events < 1.11.0 XSS via Event Title JSON.stringify Injection

CVSS Score
5.4
EPSS Score
0.0%
EPSS Percentile
0th

Hi.Events before 1.11.0 contains a cross-site scripting vulnerability that allows authenticated attackers with event creation or edit permissions to inject arbitrary HTML and JavaScript by embedding a malicious event title containing the </script> sequence, which is not escaped by JSON.stringify() when embedded in inline script tags. Attackers can craft an event title that breaks out of the script context in the application/ld+json structured data block or server-side rehydrated state, causing the payload to execute in the browser of any user who views the public event page, including unauthenticated visitors and authenticated administrators.

CWE CWE-862
Vendor hieventsdev
Product hi.events
Published Jul 14, 2026
Last Updated Jul 14, 2026
Stay Ahead of the Next One

Get instant alerts for hieventsdev hi.events

Be the first to know when new medium vulnerabilities affecting hieventsdev hi.events are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Affected Versions

HiEventsDev / Hi.Events
0 < 1.11.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗
github.com: https://github.com/HiEventsDev/Hi.Events/releases/tag/v.1.11.0-beta github.com: https://github.com/HiEventsDev/Hi.Events/security/advisories/GHSA-2ggx-79g6-2jmj github.com: https://github.com/HiEventsDev/Hi.Events/pull/1260 github.com: https://github.com/HiEventsDev/Hi.Events/commit/1e36b070771801ed7113255ef7b3a7f271a2a794 vulncheck.com: https://www.vulncheck.com/advisories/hi-events-beta-xss-via-event-title-json-stringify-injection

Credits

Adam Młynarczyk