Unauthenticated Access Vulnerability in Hi.Events Software by Hi.Events Dev
CVE-2026-57960

8.3 HIGH

Key Information:

CVE Published: 29 June 2026

What is CVE-2026-57960?

The Hi.Events application exposes sensitive attendee information through its public check-in list endpoints. Access control on these endpoints relies solely on the 'short_id', so unauthenticated users can retrieve full attendee lists, which may include personal information such as email addresses. An attacker who possesses the 'short_id' can send GET requests to the '/api/public/check-in-lists/{short_id}/attendees' endpoint, potentially leading to unauthorized data retrieval, and can also create or delete check-in records, all without any form of authentication.
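A log-review example for the exposure described above, added here and not taken from Hi.Events or from this advisory. It assumes a reverse proxy writing combined-format access logs; the sample lines, the short_id values, the write sub-path and the set of known check-in device addresses are all constructed placeholders.

```python
import re
from collections import defaultdict

# Assumption: nginx/Apache "combined" access-log format in front of Hi.Events.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# Endpoint prefix from the advisory; whatever follows the short_id lands in "rest".
PUBLIC_RE = re.compile(
    r'^/api/public/check-in-lists/(?P<short_id>[^/?#]+)(?P<rest>/[^?#]*)?'
)

# Constructed sample lines (not real traffic; "example-write-path" is a placeholder).
SAMPLE_LOG = """\
192.0.2.10 - - [29/Jun/2026:09:00:01 +0000] "GET /api/public/check-in-lists/EXAMPLE1/attendees HTTP/1.1" 200 48211 "-" "Mozilla/5.0"
192.0.2.10 - - [29/Jun/2026:09:00:09 +0000] "POST /api/public/check-in-lists/EXAMPLE1/example-write-path HTTP/1.1" 201 310 "-" "Mozilla/5.0"
203.0.113.77 - - [29/Jun/2026:09:14:30 +0000] "GET /api/public/check-in-lists/EXAMPLE1/attendees?page=1 HTTP/1.1" 200 48211 "-" "curl/8.5.0"
203.0.113.77 - - [29/Jun/2026:09:14:41 +0000] "DELETE /api/public/check-in-lists/EXAMPLE1/example-write-path/1 HTTP/1.1" 200 54 "-" "curl/8.5.0"
198.51.100.5 - - [29/Jun/2026:09:20:02 +0000] "GET /api/public/check-in-lists/EXAMPLE2/attendees HTTP/1.1" 404 120 "-" "curl/8.5.0"
192.0.2.10 - - [29/Jun/2026:09:21:00 +0000] "GET /api/events/1 HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

def summarize(log_text):
    """Per short_id: client IPs seen, successful attendee-list reads, successful writes."""
    stats = defaultdict(lambda: {"ips": set(), "attendee_reads": 0, "writes": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        p = PUBLIC_RE.match(m["path"]) if m else None
        if not p:
            continue  # unparsable line or not a public check-in list request
        entry = stats[p["short_id"]]
        entry["ips"].add(m["ip"])
        ok = m["status"].startswith("2")
        if ok and m["method"] == "GET" and p["rest"] == "/attendees":
            entry["attendee_reads"] += 1  # attendee data left the server
        elif ok and m["method"] in ("POST", "PUT", "PATCH", "DELETE"):
            entry["writes"] += 1  # check-in records may have been changed
    return dict(stats)

def flag(stats, known_ips):
    """Map each short_id to the clients that are not known check-in devices."""
    hits = {sid: sorted(e["ips"] - known_ips) for sid, e in stats.items()}
    return {sid: ips for sid, ips in hits.items() if ips}

if __name__ == "__main__":
    print(flag(summarize(SAMPLE_LOG), known_ips={"192.0.2.10"}))
```

Because the endpoint accepts any caller holding the short_id, a request from an unexpected source looks identical to a legitimate one at the application layer; the source address and timing are the only distinguishing signals in the log.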

Affected Version(s)

Hi.Events 0 <= 1.9.0

CVSS V4

Score: 8.3
Severity: HIGH
Confidentiality: High
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: High
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

George Chen