Analysis and contextual insights are available on OpenCVE Cloud.
No vendor fix or workaround currently provided.
Additional remediation guidance may be available on OpenCVE Cloud.
Tracking
Sign in to view the affected projects.
No advisories yet.
Tue, 14 Jul 2026 18:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Hieventsdev
Hieventsdev hi.events |
|
| Vendors & Products |
Hieventsdev
Hieventsdev hi.events |
|
| Metrics |
ssvc
|
Tue, 14 Jul 2026 16:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Hi.Events through v1.10.0-beta contains a cross-site scripting vulnerability that allows authenticated attackers with event creation or edit permissions to inject arbitrary HTML and JavaScript by embedding a malicious event title containing the </script> sequence, which is not escaped by JSON.stringify() when embedded in inline script tags. Attackers can craft an event title that breaks out of the script context in the application/ld+json structured data block or server-side rehydrated state, causing the payload to execute in the browser of any user who views the public event page, including unauthenticated visitors and authenticated administrators. | |
| Title | Hi.Events v1.10.0-beta XSS via Event Title JSON.stringify Injection | |
| Weaknesses | CWE-862 | |
| References |
|
|
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: VulnCheck
Published:
Updated: 2026-07-14T19:56:32.311Z
Reserved: 2026-07-08T13:27:53.031Z
Link: CVE-2026-60119
Updated: 2026-07-14T17:28:40.835Z
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-14T18:15:14Z