High severity7.1NVD Advisory· Published Apr 10, 2026· Updated Apr 21, 2026

CVE-2026-40185

Description

TREK is a collaborative travel planner. Prior to 2.7.2, TREK was missing authorization checks on the Immich trip photo management routes. This vulnerability is fixed in 2.7.2.

Affected products

Mauriceboe/Trek
cpe:2.3:a:mauriceboe:trek:*:*:*:*:*:node.js:*:*
Range: <=2.7.1

Patches

16277a3811a0

https://github.com/mauriceboe/TREKvia nvd-ref

commit

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/mauriceboe/TREK/commit/16277a3811a00c2983f7486fee83c112986cb179nvdPatch
github.com/mauriceboe/TREK/security/advisories/GHSA-pcr3-6647-jh72nvdVendor Advisory
github.com/mauriceboe/TREK/releases/tag/v2.7.2nvdRelease Notes

News mentions

No linked articles in our index yet.

cvss	0.461
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000