CVE-2026-40185

EUVD-2026-21587
TREK is a collaborative travel planner. Prior to 2.7.2, TREK was missing authorization checks on the Immich trip photo management routes. This vulnerability is fixed in 2.7.2.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.1 HIGH
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 10%
Affected Products (NVD)
VendorProductVersion
mauriceboetrek
𝑥
≤ 2.7.1
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/mauriceboe/TREK/commit/16277a3811a00c2983f7486fee83c112986cb179
https://github.com/mauriceboe/TREK/releases/tag/v2.7.2
https://github.com/mauriceboe/TREK/security/advisories/GHSA-pcr3-6647-jh72