Loading market data...
← Back to CVE feed

CVE-2026-57960

MEDIUM CVSS 6.5 View on NVD ↗

Description

Hi.Events through 1.9.0 public check-in list endpoints use short_id as sole access control, allowing unauthenticated access to retrieve full attendee lists including emails and personal information. Attackers with knowledge of the short_id can call GET /api/public/check-in-lists/{short_id}/attendees to read attendee data and create or delete check-in records without authentication.

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N
Published: Jun 29, 2026 18:16 UTC Modified: Jun 30, 2026 15:16 UTC