Hi.Events through 1.9.0 public check-in list endpoints use short_id as sole access control, allowing unauthenticated access to retrieve full attendee lists including emails and personal information. Attackers with knowledge of the short_id can call GET /api/public/check-in-lists/{short_id}/attendees to read attendee data and create or delete check-in records without authentication.
History
Tue, 30 Jun 2026 15:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | ssvc | |
Mon, 29 Jun 2026 18:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Hi.Events through 1.9.0 public check-in list endpoints use short_id as sole access control, allowing unauthenticated access to retrieve full attendee lists including emails and personal information. Attackers with knowledge of the short_id can call GET /api/public/check-in-lists/{short_id}/attendees to read attendee data and create or delete check-in records without authentication. | |
| Title | Hi.Events 1.9.0 - Unauthenticated Attendee PII Exposure via Check-in List short_id | |
| First Time appeared | Hi.events; Hi.events hi.events | |
| Weaknesses | CWE-359 | |
| CPEs | cpe:2.3:a:hi.events:hi.events:*:*:*:*:*:*:*:* | |
| Vendors & Products | Hi.events; Hi.events hi.events | |
| References | | |
| Metrics | cvssV3_1 | |
Status: PUBLISHED
Assigner: VulnCheck
Published: 2026-06-29T17:24:27.032Z
Updated: 2026-06-30T14:35:41.944Z
Reserved: 2026-06-26T13:59:33.048Z
Link: CVE-2026-57960
Updated: 2026-06-30T14:33:31.465Z