CVE-2026-57960
MEDIUMDescription
Hi.Events through 1.9.0 public check-in list endpoints use short_id as sole access control, allowing unauthenticated access to retrieve full attendee lists including emails and personal information. Attackers with knowledge of the short_id can call GET /api/public/check-in-lists/{short_id}/attendees to read attendee data and create or delete check-in records without authentication.
CVSS v3.1 Score
EPSS — Exploit Prediction
EPSS estimates the probability that this vulnerability will be exploited in the wild within the next 30 days. A higher score means more likely to be exploited.
Weakness Type (CWE)
References
Frequently Asked Questions
What is CVE-2026-57960? +
How severe is CVE-2026-57960? +
How do I check if I'm vulnerable to CVE-2026-57960? +
Related Vulnerabilities
gpp-burgerportaal is a Dutch government citizen portal application. In versions before 2.0.3, 3.0.2, and 4.0.1, the name and email address …
An information disclosure vulnerability in M-Files Server before versions 25.12.15491.7, 25.8 LTS SR3, 25.2 LTS SR3 and 24.8 LTS SR5 …
The DynamicPageList3 extension is a reporting tool for MediaWiki, listing category members and intersections with various formats and details. Several …
In Gemini iOS, when a user shared a snippet of a conversation, it would share the entire conversation via a …
Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to versions …
A user with physical access to a smartphone can bypass authentication mechanism of Kidsview mobile application and grant himself full …