Stats Digest Feeds
โ† Back to all CVEs

CVE-2026-60119

MEDIUM NVD
CVSS Score 5.4
Severity MEDIUM
Published Jul 14, 2026
Vendor unknown

Description

Hi.Events through v1.10.0-beta contains a cross-site scripting vulnerability that allows authenticated attackers with event creation or edit permissions to inject arbitrary HTML and JavaScript by embedding a malicious event title containing the </script> sequence, which is not escaped by JSON.stringify() when embedded in inline script tags. Attackers can craft an event title that breaks out of the script context in the application/ld+json structured data block or server-side rehydrated state, causing the payload to execute in the browser of any user who views the public event page, including unauthenticated visitors and authenticated administrators.

References