Impact
The vulnerability lies in the Hi.Events version 1.9.0 public check-in list endpoints, which use a short identifier as the sole access control. An attacker possessing or able to guess the short_id can send a GET request to /api/public/check-in-lists/{short_id}/attendees and obtain a full, unfiltered list of attendees, including email addresses and other personal data. Because authentication checks are omitted, the flaw allows full read access to sensitive PII as well as the ability to create or delete check-in records. This represents a clear confidentiality breach of attendee information. The weakness is a form of information exposure (CWE-359).
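To make the access-control defect concrete, the following added Python model (not Hi.Events code; the data structures, the EVENT_OWNERS mapping and all sample values are constructed for this example) places a handler that behaves as the advisory describes, where knowing the short_id is enough to get every attendee field, next to a hardened handler that treats the short_id as a locator only, requires an authenticated caller with rights on the list's event, and trims the payload to what a check-in operator needs.

```python
"""
Constructed model of a public check-in list endpoint: the behaviour the
advisory describes (short_id as the only gate) beside a hardened version.
Names, data and the ownership table are assumptions for this example.
"""
from dataclasses import dataclass, asdict
from typing import Optional


@dataclass
class Attendee:
    id: int
    name: str
    email: str          # PII that the vulnerable endpoint discloses
    ticket_id: str


@dataclass
class CheckInList:
    short_id: str
    event_id: int
    attendees: list


@dataclass
class Request:
    user_id: Optional[int] = None   # None models an unauthenticated caller


# Constructed sample data (hypothetical event, users and attendees).
EVENT_OWNERS = {101: {7}}   # event_id -> user ids allowed to run check-in
CHECKIN_LISTS = {
    "ab12cd": CheckInList(
        short_id="ab12cd",
        event_id=101,
        attendees=[
            Attendee(1, "Ada", "ada@example.test", "T-1"),
            Attendee(2, "Bob", "bob@example.test", "T-2"),
        ],
    )
}


def vulnerable_list_attendees(short_id, request):
    """Behaviour described in the advisory: the short_id alone grants access."""
    check_in_list = CHECKIN_LISTS.get(short_id)
    if check_in_list is None:
        return 404, {"error": "not found"}
    # No authentication, no authorisation, and every field is returned.
    return 200, {"attendees": [asdict(a) for a in check_in_list.attendees]}


def hardened_list_attendees(short_id, request):
    """Same lookup, but the short_id is a locator, not a credential."""
    if request.user_id is None:
        return 401, {"error": "authentication required"}
    check_in_list = CHECKIN_LISTS.get(short_id)
    # An unknown list and a list the caller may not access look identical,
    # so the response does not confirm which short_ids exist.
    if check_in_list is None or request.user_id not in EVENT_OWNERS.get(
        check_in_list.event_id, set()
    ):
        return 404, {"error": "not found"}
    # Return only what a check-in operator needs; email stays out of the payload.
    return 200, {
        "attendees": [
            {"id": a.id, "name": a.name, "ticket_id": a.ticket_id}
            for a in check_in_list.attendees
        ]
    }


if __name__ == "__main__":
    print(vulnerable_list_attendees("ab12cd", Request()))
    print(hardened_list_attendees("ab12cd", Request()))
    print(hardened_list_attendees("ab12cd", Request(user_id=7)))
```

The hardened handler answers 404 rather than 403 for a list the caller is not entitled to, so that probing short_ids does not reveal which ones exist; whether that trade-off suits a given deployment is a design choice, but the two non-negotiable parts are the authentication check and the ownership check on the event behind the list.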
Affected Systems
The affected product is Hi.Events, version 1.9.0, developed by HiEventsDev. No other versions are listed as impacted in the available data.
Risk and Exploitability
The CVSS score of 8.3 signals a high severity risk. The EPSS score is not available, so exploit probability cannot be quantified, but the flaw is publicly documented and no mitigation has been applied, indicating that an attacker who knows a short_id could exploit it at any time. The vulnerability is not listed in CISA KEV, yet the lack of authentication makes it likely that an attacker can obtain PII from the public endpoint. The attack path requires only knowledge of the short_id, which could be discovered through enumeration or leaked from other sources. Once accessed, the attacker can read all attendee details and manipulate check-in entries, potentially facilitating further social engineering or phishing attacks.
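Until the instance is upgraded, the practical question for a defender is whether the endpoint has already been hit. The added Python detector below (not part of the advisory or of Hi.Events; the log lines, client addresses, short_ids and the enumeration threshold are all constructed) parses combined-format access log lines from a reverse proxy in front of the application and reports two things per client: guessing of many distinct short_ids, and any successful 200 response from the attendees endpoint, which on an unpatched 1.9.0 instance means an unauthenticated read of attendee PII happened.

```python
"""
Constructed detector for the public check-in list attendees endpoint,
run over sample access log lines. Log content and thresholds are
assumptions made for this example.
"""
import re
from collections import defaultdict

# Combined log format as an nginx or Apache front end writes it.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# The endpoint named in the advisory; the short_id segment is captured.
ENDPOINT_RE = re.compile(
    r"^/api/public/check-in-lists/(?P<short_id>[A-Za-z0-9_-]+)/attendees/?(?:\?|$)"
)

# Constructed sample log: one client guessing short_ids until one works,
# one client reading a list directly, one unrelated request.
SAMPLE_LOG = """\
203.0.113.5 - - [10/May/2025:12:00:01 +0000] "GET /api/public/check-in-lists/aaaaaa/attendees HTTP/1.1" 404 52
203.0.113.5 - - [10/May/2025:12:00:02 +0000] "GET /api/public/check-in-lists/aaaaab/attendees HTTP/1.1" 404 52
203.0.113.5 - - [10/May/2025:12:00:03 +0000] "GET /api/public/check-in-lists/aaaaac/attendees HTTP/1.1" 404 52
203.0.113.5 - - [10/May/2025:12:00:04 +0000] "GET /api/public/check-in-lists/ab12cd/attendees HTTP/1.1" 200 8731
198.51.100.9 - - [10/May/2025:12:05:10 +0000] "GET /api/public/check-in-lists/ab12cd/attendees?page=2 HTTP/1.1" 200 8731
192.0.2.44 - - [10/May/2025:12:07:00 +0000] "GET /events/1 HTTP/1.1" 200 4410
"""


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyse(log_text, enum_threshold=3):
    """Collect per-client activity on the attendees endpoint and return findings."""
    per_ip = defaultdict(lambda: {"short_ids": set(), "not_found": 0, "disclosures": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "GET":
            continue
        m = ENDPOINT_RE.match(rec["path"])
        if not m:
            continue
        stats = per_ip[rec["ip"]]
        stats["short_ids"].add(m.group("short_id"))
        if rec["status"] == "404":
            stats["not_found"] += 1        # a miss: the guessed short_id did not exist
        elif rec["status"] == "200":
            stats["disclosures"] += 1      # a hit: the full attendee list was served

    findings = []
    for ip, s in per_ip.items():
        if len(s["short_ids"]) >= enum_threshold:
            findings.append({
                "ip": ip,
                "type": "short_id_enumeration",
                "distinct_ids": len(s["short_ids"]),
                "not_found": s["not_found"],
            })
        if s["disclosures"]:
            findings.append({
                "ip": ip,
                "type": "attendee_list_disclosed",
                "count": s["disclosures"],
            })
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(finding)
```

The enumeration signal is the number of distinct short_ids one client tried, with the 404 count reported alongside as supporting evidence; the disclosure signal is deliberately unconditional, because on an unpatched instance every 200 from this endpoint is a read that should not have been possible without authentication, so each one belongs in the incident record regardless of how the short_id was obtained.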
OpenCVE Enrichment