
CVE-2026-57959

Severity: High · Public PoC

Published: 29 June 2026
Modified: 29 June 2026
CVSS v4 Score: 8.2
CVSS v4 Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0019 (9.2th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-57959 is a high-severity Time-of-check Time-of-use (TOCTOU) Race Condition (CWE-367) vulnerability. Its CVSS base score is 8.2 (High).

Operationally, it ranks at the 9.2th percentile by exploit likelihood (EPSS; below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.


Vulnerability details

Hi.Events through 1.9.0 contains a promo code validation vulnerability where reservation validates usage count before asynchronous UpdateEventStatisticsJob increments it, allowing attackers to redeem limited promo codes unlimited times. Attackers can sequentially reserve multiple orders with the same restricted promo code, each reading order_usage_count=0 and passing validation, then complete them all at discounted prices without concurrent requests.
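The check-then-use gap described above, modelled as an added example (not Hi.Events code): a simplified promo_codes table in SQLite where the vulnerable path reads order_usage_count, validates, and defers the increment to a queued job, while the hardened path performs the capacity check and the increment in a single conditional UPDATE. The column max_allowed_usages and the table layout are assumptions.

```python
import sqlite3


def setup_db(max_uses):
    # Constructed sample: one promo code limited to max_uses redemptions.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE promo_codes (id INTEGER PRIMARY KEY, "
                 "max_allowed_usages INTEGER, order_usage_count INTEGER)")
    conn.execute("INSERT INTO promo_codes VALUES (1, ?, 0)", (max_uses,))
    conn.commit()
    return conn


def reserve_vulnerable(conn, pending_jobs):
    # Time of check: read the counter as it currently stands.
    max_uses, used = conn.execute(
        "SELECT max_allowed_usages, order_usage_count FROM promo_codes WHERE id=1"
    ).fetchone()
    if used >= max_uses:
        return False
    # Time of use: the reservation is accepted now, but the increment is
    # handed to an asynchronous statistics job that runs later.
    pending_jobs.append(lambda: conn.execute(
        "UPDATE promo_codes SET order_usage_count = order_usage_count + 1 WHERE id=1"))
    return True


def reserve_hardened(conn):
    # Check and use collapse into one atomic statement: the row changes only
    # if capacity remains, so a stale read can no longer pass validation.
    cur = conn.execute(
        "UPDATE promo_codes SET order_usage_count = order_usage_count + 1 "
        "WHERE id=1 AND order_usage_count < max_allowed_usages")
    conn.commit()
    return cur.rowcount == 1


def demo(max_uses=1, attempts=5):
    # Returns (reservations accepted by the vulnerable path,
    #          reservations accepted by the hardened path).
    conn = setup_db(max_uses)
    jobs = []
    vuln = sum(1 for _ in range(attempts) if reserve_vulnerable(conn, jobs))
    for job in jobs:      # statistics job only runs after all reservations
        job()
    conn2 = setup_db(max_uses)
    hard = sum(1 for _ in range(attempts) if reserve_hardened(conn2))
    return vuln, hard
```

With a limit of one use and five sequential attempts, the vulnerable path accepts all five while the hardened path accepts exactly one.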


MITRE ATT&CK Enterprise Techniques (AI)

Insufficient information to map techniques.
Confidence: LOW · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2024-41779 (shared CWE-367)
CVE-2021-33097 (shared CWE-367)
CVE-2024-1563 (shared CWE-367)
CVE-2025-34027 (shared CWE-367)
CVE-2025-3599 (shared CWE-367)
CVE-2022-22220 (shared CWE-367)
CVE-2024-45560 (shared CWE-367)
CVE-2023-27323 (shared CWE-367)
CVE-2026-23554 (shared CWE-367)
CVE-2023-0778 (shared CWE-367)


Mitigating Controls

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses: CWE-367

Timestamps that follow UTC or explicit-offset standards help identify TOCTOU issues by allowing precise chronological reconstruction of the check and use operations.
