{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40184", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-09T20:59:17.619Z", "datePublished": "2026-04-10T19:39:32.442Z", "dateUpdated": "2026-04-13T16:12:51.487Z"}, "containers": {"cna": {"title": "Unauthenticated Access to Uploaded Files in TREK", "problemTypes": [{"descriptions": [{"cweId": "CWE-306", "lang": "en", "description": "CWE-306: Missing Authentication for Critical Function", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/mauriceboe/TREK/security/advisories/GHSA-wxx3-84fc-mrx2", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/mauriceboe/TREK/security/advisories/GHSA-wxx3-84fc-mrx2"}, {"name": "https://github.com/mauriceboe/TREK/commit/16277a3811a00c2983f7486fee83c112986cb179", "tags": ["x_refsource_MISC"], "url": "https://github.com/mauriceboe/TREK/commit/16277a3811a00c2983f7486fee83c112986cb179"}, {"name": "https://github.com/mauriceboe/TREK/releases/tag/v2.7.2", "tags": ["x_refsource_MISC"], "url": "https://github.com/mauriceboe/TREK/releases/tag/v2.7.2"}], "affected": [{"vendor": "mauriceboe", "product": "TREK", "versions": [{"version": "< 2.7.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-10T19:39:32.442Z"}, "descriptions": [{"lang": "en", "value": "TREK is a collaborative travel planner. Prior to 2.7.2, TREK served uploaded photos without requiring authentication. This vulnerability is fixed in 2.7.2."}], "source": {"advisory": "GHSA-wxx3-84fc-mrx2", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-13T16:12:41.757685Z", "id": "CVE-2026-40184", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T16:12:51.487Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40184", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-13T16:12:41.757685Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T16:12:47.106Z"}}], "cna": {"title": "Unauthenticated Access to Uploaded Files in TREK", "source": {"advisory": "GHSA-wxx3-84fc-mrx2", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.7, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "mauriceboe", "product": "TREK", "versions": [{"status": "affected", "version": "< 2.7.2"}]}], "references": [{"url": "https://github.com/mauriceboe/TREK/security/advisories/GHSA-wxx3-84fc-mrx2", "name": "https://github.com/mauriceboe/TREK/security/advisories/GHSA-wxx3-84fc-mrx2", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/mauriceboe/TREK/commit/16277a3811a00c2983f7486fee83c112986cb179", "name": "https://github.com/mauriceboe/TREK/commit/16277a3811a00c2983f7486fee83c112986cb179", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/mauriceboe/TREK/releases/tag/v2.7.2", "name": "https://github.com/mauriceboe/TREK/releases/tag/v2.7.2", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "TREK is a collaborative travel planner. Prior to 2.7.2, TREK served uploaded photos without requiring authentication. This vulnerability is fixed in 2.7.2."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-306", "description": "CWE-306: Missing Authentication for Critical Function"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-10T19:39:32.442Z"}}}, "cveMetadata": {"cveId": "CVE-2026-40184", "state": "PUBLISHED", "dateUpdated": "2026-04-13T16:12:51.487Z", "dateReserved": "2026-04-09T20:59:17.619Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-10T19:39:32.442Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mauriceboe:trek:*:*:*:*:*:*:*:*", "matchCriteriaId": "0AC1A5B5-BB04-4ED4-ABC2-D87262232EFF", "versionEndIncluding": "2.7.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "TREK is a collaborative travel planner. Prior to 2.7.2, TREK served uploaded photos without requiring authentication. This vulnerability is fixed in 2.7.2."}], "id": "CVE-2026-40184", "lastModified": "2026-04-21T19:24:27.903", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-10T20:16:23.417", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/mauriceboe/TREK/commit/16277a3811a00c2983f7486fee83c112986cb179"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/mauriceboe/TREK/releases/tag/v2.7.2"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/mauriceboe/TREK/security/advisories/GHSA-wxx3-84fc-mrx2"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-306"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.7.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "TREK", "source": "cna", "vendor": "mauriceboe"}, "product": "trek", "vendor": "mauriceboe"}], "analysis": {"en": {"generated_at": "2026-04-10T21:23:55.287816+00:00", "value": {"mitigation_remediation": ["Upgrade TreK to version 2.7.2 or later, which restores authentication for uploaded files.", "Verify that all file endpoints now require valid user credentials.", "If an upgrade is not immediately possible, restrict public access to the upload directory using web server rules or application configuration until a patch is applied."], "summary": {"action": "Patch", "impact": "Unauthorized File Access"}, "threat_synthesis": {"affected_systems": "The affected product is TREK by Mauriceboe. Versions released prior to 2.7.2 are vulnerable. Users running any build before the patch have cells of plain access to uploaded media.", "description_and_impact": "TREK, a collaborative travel planning application, exposed uploaded photographs to any user before version 2.7.2. The application failed to enforce authentication when serving these files, permitting an attacker to retrieve any photo that had been previously uploaded. This flaw results in a confidentiality breach, allowing adversaries to view or steal private media without permission. The weakness aligns with CWE-306, which involves missing or ineffective authentication controls.", "risk_and_exploitability": "The CVSS score of 3.7 indicates low severity from a technical perspective. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog, suggesting it has not yet been widely exploited. The likely attack vector is remote and unauthenticated: a malicious actor can perform a simple HTTP request to the photo URL and obtain the content. Because the flaw removes authentication entirely, the risk to confidentiality is high for any user contributing photos to the platform, while the overall likelihood of large\u2011scale impact is limited by the low CVSS rating."}}}}, "created": "2026-04-13T12:42:42.283967+00:00", "updated": "2026-04-13T12:57:30.180593+00:00", "vendors": ["mauriceboe", "mauriceboe$PRODUCT$trek"]}