CVE-2026-57960
MediumCVSS 6.5Exploitation Probability (EPSS)
Low risk26th percentile — higher than 26% of all known CVEs
Summary
A vulnerability in Hi.Events through version 1.9.0 allows unauthenticated attackers to access full attendee lists, including emails and personal information, via public check-in list endpoints. By knowing the short_id, an attacker can read attendee data and create or delete check-in records without authentication.
Risk Assessment
The risk involves unauthorized disclosure of sensitive personal data of attendees and potential manipulation of check-in records, compromising privacy and data integrity.
Recommendation
It is recommended to immediately update Hi.Events to the latest version that fixes this vulnerability and to implement additional authentication mechanisms for public endpoints.
Original NVD description (English source)
Hi.Events through 1.9.0 public check-in list endpoints use short_id as sole access control, allowing unauthenticated access to retrieve full attendee lists including emails and personal information. Attackers with knowledge of the short_id can call GET /api/public/check-in-lists/{short_id}/attendees to read attendee data and create or delete check-in records without authentication.

