CVE Alert

CVE-2026-57960

MEDIUM 6.5

Hi.Events 1.9.0 - Unauthenticated Attendee PII Exposure via Check-in List short_id

CVSS Score: 6.5
EPSS Score: 0.0%
EPSS Percentile: 0th

Hi.Events through 1.9.0 exposes public check-in list endpoints that use the short_id as their sole access control, so the full attendee list, including emails and personal information, can be retrieved without authentication. An attacker who knows the short_id can call GET /api/public/check-in-lists/{short_id}/attendees to read attendee data, and can create or delete check-in records without authentication.

CWE: CWE-359
Vendor: hieventsdev
Product: hi.events
Published: Jun 29, 2026

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: Low
Availability: None

Affected Versions

HiEventsDev / Hi.Events
0 ≤ 1.9.0

References

github.com: https://github.com/HiEventsDev/Hi.Events/issues/1224
github.com: https://github.com/HiEventsDev/Hi.Events/pull/1229
vulncheck.com: https://www.vulncheck.com/advisories/hi-events-unauthenticated-attendee-pii-exposure-via-check-in-list-short-id

Credits

George Chen