CVE-2026-45410 | mauriceboe TREK up to 3.0.17 Email Address information exposure (GHSA-3552-3c98-x79r)
ID: 4ca92ed6-fe4d-5472-9718-2023adfbd1b2
STIX ID: report--4ca92ed6-fe4d-5472-9718-2023adfbd1b2
Feed Name: VulDB Recent Entries
CVE-2026-45410 is a timing-based user enumeration vulnerability in TREK up to 3.0.17. The backend's bcrypt password comparison introduces a ~370 ms delay when a supplied email exists, versus ~10 ms when it does not, which lets remote, unauthenticated attackers distinguish valid accounts. The issue is rated medium (VulDB ~5.2) and is fixed in TREK 3.0.18; no public exploit has been reported.
