GHSA-5v9v-qj76-f3m4HighCVSS 6.5
Hi.Events through 1.9.0 public check-in list endpoints use short_id as sole access control,...
🔗 CVE IDs covered (1)
📋 Description
Hi.Events through 1.9.0 public check-in list endpoints use short_id as sole access control, allowing unauthenticated access to retrieve full attendee lists including emails and personal information. Attackers with knowledge of the short_id can call GET /api/public/check-in-lists/{short_id}/attendees to read attendee data and create or delete check-in records without authentication.
🔗 References (5)
- https://nvd.nist.gov/vuln/detail/CVE-2026-57960
- https://github.com/HiEventsDev/Hi.Events/issues/1224
- https://github.com/HiEventsDev/Hi.Events/pull/1229
- https://www.vulncheck.com/advisories/hi-events-unauthenticated-attendee-pii-exposure-via-check-in-list-short-id
- https://github.com/advisories/GHSA-5v9v-qj76-f3m4