PT-2026-53678 · Hieventsdev · Hi.Events
George Chen · Published 2026-06-29 · Updated 2026-06-29 · CVE-2026-57960
CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N
In Hi.Events through 1.9.0, the public check-in list endpoints use the short id as the sole access control, allowing unauthenticated access to full attendee lists, including emails and personal information. An attacker who knows the short id can call GET /api/public/check-in-lists/{short id}/attendees to read attendee data, and can create or delete check-in records without authentication.
Affected Products
Hi.Events