CVE-2026-40185

HIGH 7.1

Missing Authorization on Immich Trip Photo Routes in TREK

CVSS Score

7.1

EPSS Score

0.0%

EPSS Percentile

7th

TREK is a collaborative travel planner. Prior to 2.7.2, TREK was missing authorization checks on the Immich trip photo management routes. This vulnerability is fixed in 2.7.2.

CWE	CWE-862
Vendor	mauriceboe
Product	trek
Published	Apr 10, 2026
Last Updated	Apr 15, 2026

Stay Ahead of the Next One

Get instant alerts for mauriceboe trek

Be the first to know when new high vulnerabilities affecting mauriceboe trek are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

Low

Availability

None

Affected Versions

mauriceboe / TREK

< 2.7.2

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/mauriceboe/TREK/security/advisories/GHSA-pcr3-6647-jh72 github.com: https://github.com/mauriceboe/TREK/commit/16277a3811a00c2983f7486fee83c112986cb179 github.com: https://github.com/mauriceboe/TREK/releases/tag/v2.7.2