Platform
php
Component
trek
Fixed in
2.7.3
CVE-2026-40184 is a security vulnerability affecting the TREK collaborative travel planner. This issue allows unauthorized access to uploaded photos, potentially exposing sensitive travel plans and personal data. The vulnerability impacts versions 1.0.0 through 2.7.2 and is resolved in version 2.7.2.
The primary impact of CVE-2026-40184 is the unauthorized disclosure of user-uploaded photos. Attackers could potentially gain access to travel itineraries, personal images, and other sensitive data shared within the TREK platform. While the CVSS score is LOW, the potential for data exposure and privacy violations should not be underestimated, especially if the photos contain personally identifiable information (PII). This vulnerability highlights the importance of proper authentication and authorization controls for file uploads.
This vulnerability was publicly disclosed on 2026-04-10. There are currently no known public exploits or active campaigns targeting this vulnerability. It is not listed on the CISA KEV catalog. The low CVSS score suggests a relatively low probability of exploitation, but proactive patching is still recommended.
Organizations and individuals using TREK for collaborative travel planning, particularly those relying on the platform to store sensitive travel information or personal photos, are at risk. Shared hosting environments where multiple TREK instances reside are also potentially vulnerable, as a compromise of one instance could expose photos from others.
• generic web:
curl -I https://your-trek-instance.com/uploads/photo.jpg
If the response returns a 200 OK status without requiring authentication, the vulnerability may be present.
• generic web:
grep -r 'uploads/photo.jpg' /var/log/apache2/access.log
Look for access attempts to the photo upload directory from unauthorized IP addresses.
Disclosure
Exploit status
EPSS
0.06% (19th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-40184 is to upgrade TREK to version 2.7.2 or later. If an immediate upgrade is not feasible, consider implementing a temporary workaround by restricting access to the photo upload directory through web server configuration (e.g., .htaccess for Apache). Ensure that file uploads are only accessible to authenticated users. Review and strengthen authentication mechanisms within the application. After upgrading, confirm the fix by attempting to access uploaded photos without logging in; access should be denied.
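As an added illustration of the mitigation described above (this is example code, not TREK's own fix or configuration): uploaded photos are served only through an authenticated PHP gateway that checks trip ownership and confines the resolved path to the upload directory, while direct URL access to the upload directory is denied at the web server. The upload root path, the session key, the photo-to-trip ownership table and the photo id format are all assumptions made for this example.

```php
<?php
// Added example (not TREK project code): an authenticated photo gateway.
// Assumptions: uploads are stored OUTSIDE the web root at /srv/trek-data/uploads,
// the application keeps a session with a user id, and a photo -> trip ownership
// table exists (simulated here with a constant array). Direct URL access to the
// old /uploads/ directory is blocked at the web server, e.g. in an Apache 2.4
// .htaccess placed in that directory:
//
//   # /var/www/trek/uploads/.htaccess
//   Require all denied
//
// so every photo request has to pass through this script.

declare(strict_types=1);

const UPLOAD_ROOT = '/srv/trek-data/uploads';

// Constructed stand-in for the real ownership lookup: photo id => file + allowed user ids.
const PHOTO_ACL = [
    'a1b2c3' => ['file' => 'trip-42/beach.jpg', 'users' => [7, 12]],
];

function currentUserId(): ?int
{
    // Hypothetical session layout; the real application's session key may differ.
    return isset($_SESSION['user_id']) ? (int) $_SESSION['user_id'] : null;
}

function resolvePhotoPath(string $photoId, int $userId): ?string
{
    if (!preg_match('/^[a-z0-9]{1,32}$/', $photoId)) {
        return null;                       // reject anything that is not an opaque id
    }
    $entry = PHOTO_ACL[$photoId] ?? null;
    if ($entry === null || !in_array($userId, $entry['users'], true)) {
        return null;                       // unknown photo, or user is not on that trip
    }
    $real = realpath(UPLOAD_ROOT . '/' . $entry['file']);
    $root = realpath(UPLOAD_ROOT);
    // realpath() canonicalises ".." and symlinks, so this confines the result to the upload root
    if ($real === false || $root === false || strpos($real, $root . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

function servePhoto(string $photoId): void
{
    $userId = currentUserId();
    if ($userId === null) {
        http_response_code(401);           // unauthenticated: do not reveal whether the id exists
        exit;
    }
    $path = resolvePhotoPath($photoId, $userId);
    if ($path === null) {
        http_response_code(404);           // same answer for "missing" and "not yours"
        exit;
    }
    $mime = mime_content_type($path) ?: 'application/octet-stream';
    if (strpos($mime, 'image/') !== 0) {
        http_response_code(404);           // only serve image content from the photo store
        exit;
    }
    header('Content-Type: ' . $mime);
    header('Content-Length: ' . (string) filesize($path));
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: inline; filename="' . basename($path) . '"');
    header('Cache-Control: private, no-store');
    readfile($path);
}

session_start();
servePhoto((string) ($_GET['id'] ?? ''));
```

With this layout the verification step from the paragraph above still applies: a request for a photo without a session should now return 401 from the gateway, and a request to the old direct upload URL should return 403 from the web server rather than 200.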
Update TREK to version 2.7.2 or higher to prevent unauthenticated access to uploaded files. This update fixes the vulnerability by requiring authentication for access to uploaded photos.
CVE-2026-40184 is a vulnerability in TREK versions 1.0.0 through 2.7.2 that allows unauthorized access to uploaded photos, potentially exposing sensitive travel data.
If you are using TREK version 1.0.0 through 2.7.2, you are potentially affected by this vulnerability. Upgrade to 2.7.2 to mitigate the risk.
Upgrade TREK to version 2.7.2 or later. As a temporary workaround, restrict access to the photo storage directory through web server configuration.
There are currently no known active exploits for CVE-2026-40184, but the ease of access to the files means it could be exploited opportunistically.
Refer to the TREK project's official website or security announcements for the advisory related to CVE-2026-40184.