{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34455", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-27T18:18:14.895Z", "datePublished": "2026-04-01T19:56:34.653Z", "dateUpdated": "2026-04-02T16:24:31.776Z"}, "containers": {"cna": {"title": "Hi.Events: SQL Injection via Unvalidated sort_by Query Parameter in Multiple Repository Classes", "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "lang": "en", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/HiEventsDev/Hi.Events/security/advisories/GHSA-2qcp-24fh-fx6p", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/HiEventsDev/Hi.Events/security/advisories/GHSA-2qcp-24fh-fx6p"}, {"name": "https://github.com/HiEventsDev/Hi.Events/pull/1128", "tags": ["x_refsource_MISC"], "url": "https://github.com/HiEventsDev/Hi.Events/pull/1128"}, {"name": "https://github.com/HiEventsDev/Hi.Events/commit/01e1aee28d7249f235fdcca8e3a34e88214dcde9", "tags": ["x_refsource_MISC"], "url": "https://github.com/HiEventsDev/Hi.Events/commit/01e1aee28d7249f235fdcca8e3a34e88214dcde9"}, {"name": "https://github.com/HiEventsDev/Hi.Events/releases/tag/v1.7.1-beta", "tags": ["x_refsource_MISC"], "url": "https://github.com/HiEventsDev/Hi.Events/releases/tag/v1.7.1-beta"}], "affected": [{"vendor": "HiEventsDev", "product": "Hi.Events", "versions": [{"version": ">= 0.8.0-beta.1, < 1.7.1-beta", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-01T19:56:34.653Z"}, "descriptions": [{"lang": "en", "value": "Hi.Events is an open-source event management and ticket selling platform. From version 0.8.0-beta.1 to before version 1.7.1-beta, multiple repository classes pass the user-supplied sort_by query parameter directly to Eloquent's orderBy() without validation, enabling SQL injection. The application uses PostgreSQL which supports stacked queries. This issue has been patched in version 1.7.1-beta."}], "source": {"advisory": "GHSA-2qcp-24fh-fx6p", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/HiEventsDev/Hi.Events/security/advisories/GHSA-2qcp-24fh-fx6p", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-02T15:14:35.734365Z", "id": "CVE-2026-34455", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T16:24:31.776Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"cna": {"title": "Hi.Events: SQL Injection via Unvalidated sort_by Query Parameter in Multiple Repository Classes", "source": {"advisory": "GHSA-2qcp-24fh-fx6p", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 8.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "HiEventsDev", "product": "Hi.Events", "versions": [{"status": "affected", "version": ">= 0.8.0-beta.1, < 1.7.1-beta"}]}], "references": [{"url": "https://github.com/HiEventsDev/Hi.Events/security/advisories/GHSA-2qcp-24fh-fx6p", "name": "https://github.com/HiEventsDev/Hi.Events/security/advisories/GHSA-2qcp-24fh-fx6p", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/HiEventsDev/Hi.Events/pull/1128", "name": "https://github.com/HiEventsDev/Hi.Events/pull/1128", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/HiEventsDev/Hi.Events/commit/01e1aee28d7249f235fdcca8e3a34e88214dcde9", "name": "https://github.com/HiEventsDev/Hi.Events/commit/01e1aee28d7249f235fdcca8e3a34e88214dcde9", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/HiEventsDev/Hi.Events/releases/tag/v1.7.1-beta", "name": "https://github.com/HiEventsDev/Hi.Events/releases/tag/v1.7.1-beta", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Hi.Events is an open-source event management and ticket selling platform. From version 0.8.0-beta.1 to before version 1.7.1-beta, multiple repository classes pass the user-supplied sort_by query parameter directly to Eloquent's orderBy() without validation, enabling SQL injection. The application uses PostgreSQL which supports stacked queries. This issue has been patched in version 1.7.1-beta."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-01T19:56:34.653Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34455", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-02T15:14:35.734365Z"}}}], "references": [{"url": "https://github.com/HiEventsDev/Hi.Events/security/advisories/GHSA-2qcp-24fh-fx6p", "tags": ["exploit"]}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2026-04-02T15:14:52.558Z"}}]}, "cveMetadata": {"cveId": "CVE-2026-34455", "state": "PUBLISHED", "dateUpdated": "2026-04-01T19:56:34.653Z", "dateReserved": "2026-03-27T18:18:14.895Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-01T19:56:34.653Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:hi.events:hi.events:*:*:*:*:*:*:*:*", "matchCriteriaId": "3F6A034A-8B43-4209-90FD-754F10A31EC1", "versionEndExcluding": "1.7.1", "versionStartIncluding": "0.8.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Hi.Events is an open-source event management and ticket selling platform. From version 0.8.0-beta.1 to before version 1.7.1-beta, multiple repository classes pass the user-supplied sort_by query parameter directly to Eloquent's orderBy() without validation, enabling SQL injection. The application uses PostgreSQL which supports stacked queries. This issue has been patched in version 1.7.1-beta."}], "id": "CVE-2026-34455", "lastModified": "2026-04-15T14:33:27.223", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-01T20:16:25.957", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/HiEventsDev/Hi.Events/commit/01e1aee28d7249f235fdcca8e3a34e88214dcde9"}, {"source": "security-advisories@github.com", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/HiEventsDev/Hi.Events/pull/1128"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/HiEventsDev/Hi.Events/releases/tag/v1.7.1-beta"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/HiEventsDev/Hi.Events/security/advisories/GHSA-2qcp-24fh-fx6p"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/HiEventsDev/Hi.Events/security/advisories/GHSA-2qcp-24fh-fx6p"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0.8.0-beta.1,1.7.1-beta)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Hi.Events", "source": "cna", "vendor": "HiEventsDev"}, "product": "hi.events", "vendor": "hieventsdev"}], "analysis": {"en": {"generated_at": "2026-04-02T03:44:29.996746+00:00", "value": {"mitigation_remediation": ["Update Hi.Events to version 1.7.1-beta or later to apply the vendor patch", "If an upgrade is not immediately possible, limit the sort_by parameter to a whitelist of allowed column names and escape or validate all input before passing it to the database", "Deploy web application firewall rules to detect and block suspicious SQL injection patterns on the sort_by endpoint", "Regularly review database logs for unexpected queries and monitor for potential data exfiltration activity"], "summary": {"action": "Apply patch", "impact": "SQL Injection leading to unauthorized data manipulation"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Hi.Events event management platform developed by HiEventsDev. Affected releases include all versions starting with 0.8.0-beta.1 up to, but not including, 1.7.1-beta. Users running any of these builds are potentially exposed.", "description_and_impact": "Hi.Events versions from 0.8.0-beta.1 up to just before 1.7.1-beta allow attackers to inject raw SQL through the unvalidated sort_by query parameter. The vulnerable code passes the supplied value directly to Eloquent's orderBy() method, and because the application uses PostgreSQL, which supports stacked queries, the injected payload can be executed as additional SQL statements. This flaw can enable attackers to read, modify, or delete data from the database and potentially exfiltrate sensitive information or disrupt operations.", "risk_and_exploitability": "The flaw carries a CVSS score of 8.7, indicating high severity. While EPSS information is not available, the fact that the exploitation vector is an HTTP query parameter makes the attack unitable from a web context, likely without authentication. The vulnerability is not listed in the KEV catalog, but the high severity and ability to run arbitrary SQL on a PostgreSQL database make it a significant risk to confidentiality, integrity, and availability of affected deployments."}}}}, "created": "2026-04-02T07:47:55.037960+00:00", "updated": "2026-04-02T20:16:48.186814+00:00", "vendors": ["hieventsdev", "hieventsdev$PRODUCT$hi.events"]}