CVE-2026-40184

LOW

Unauthenticated Access to Uploaded Files in TREK

Title source: cna

Description

TREK is a collaborative travel planner. Prior to 2.7.2, TREK served uploaded photos without requiring authentication. This vulnerability is fixed in 2.7.2.

References (3)

Scores

CVSS v3 3.7
EPSS 0.0006
EPSS Percentile 19.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Details

CWE
CWE-306
Status published
Products (2)
mauriceboe/trek < 2.7.1
mauriceboe/TREK < 2.7.2
Published Apr 10, 2026
Tracked Since Apr 11, 2026