CVE-2026-57959
MediumCVSS 5.9Summary
A vulnerability in Hi.Events up to version 1.9.0 allows unlimited use of limited promo codes. The validation checks the usage count before an asynchronous job updates it, enabling sequential reservations with the same code, each seeing count=0.
Risk Assessment
The organization may suffer financial losses due to unlimited discount code usage, leading to unauthorized discounts and reduced revenue.
Recommendation
Update Hi.Events to the latest version that fixes the synchronization between validation and usage count update for promo codes.
Original NVD description (English source)
Hi.Events through 1.9.0 contains a promo code validation vulnerability where reservation validates usage count before asynchronous UpdateEventStatisticsJob increments it, allowing attackers to redeem limited promo codes unlimited times. Attackers can sequentially reserve multiple orders with the same restricted promo code, each reading order_usage_count=0 and passing validation, then complete them all at discounted prices without concurrent requests.

