{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40258", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-10T17:31:45.787Z", "datePublished": "2026-04-17T21:12:54.226Z", "dateUpdated": "2026-04-17T21:12:54.226Z"}, "containers": {"cna": {"title": "Gramps Web API has Zip Slip Path Traversal in Media Archive Import", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/gramps-project/gramps-web-api/security/advisories/GHSA-m5gr-86j6-99jp", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/gramps-project/gramps-web-api/security/advisories/GHSA-m5gr-86j6-99jp"}, {"name": "https://github.com/gramps-project/gramps-web-api/commit/3ed4342711e3ec849552df09b1fe2fbf2ca5c29a", "tags": ["x_refsource_MISC"], "url": "https://github.com/gramps-project/gramps-web-api/commit/3ed4342711e3ec849552df09b1fe2fbf2ca5c29a"}, {"name": "https://github.com/gramps-project/gramps-web-api/releases/tag/v3.11.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/gramps-project/gramps-web-api/releases/tag/v3.11.1"}], "affected": [{"vendor": "gramps-project", "product": "gramps-web-api", "versions": [{"version": ">= 1.6.0, < 3.11.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-17T21:12:54.226Z"}, "descriptions": [{"lang": "en", "value": "The Gramps Web API is a Python REST API for the genealogical research software Gramps. Versions 1.6.0 through 3.11.0 have a path traversal vulnerability (Zip Slip) in the media archive import feature. An authenticated user with owner-level privileges can craft a malicious ZIP file with directory-traversal filenames to write arbitrary files outside the intended temporary extraction directory on the server's local filesystem. Startig in version 3.11.1, ZIP entry names are now validated against the resolved real path of the temporary directory before extraction. Any entry whose resolved path falls outside the temporary directory raises an error and aborts the import."}], "source": {"advisory": "GHSA-m5gr-86j6-99jp", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Gramps Web API is a Python REST API for the genealogical research software Gramps. Versions 1.6.0 through 3.11.0 have a path traversal vulnerability (Zip Slip) in the media archive import feature. An authenticated user with owner-level privileges can craft a malicious ZIP file with directory-traversal filenames to write arbitrary files outside the intended temporary extraction directory on the server's local filesystem. Startig in version 3.11.1, ZIP entry names are now validated against the resolved real path of the temporary directory before extraction. Any entry whose resolved path falls outside the temporary directory raises an error and aborts the import."}], "id": "CVE-2026-40258", "lastModified": "2026-04-17T22:16:32.067", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-17T22:16:32.067", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/gramps-project/gramps-web-api/commit/3ed4342711e3ec849552df09b1fe2fbf2ca5c29a"}, {"source": "security-advisories@github.com", "url": "https://github.com/gramps-project/gramps-web-api/releases/tag/v3.11.1"}, {"source": "security-advisories@github.com", "url": "https://github.com/gramps-project/gramps-web-api/security/advisories/GHSA-m5gr-86j6-99jp"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T08:54:15.688716+00:00", "value": {"mitigation_remediation": ["Upgrade to Gramps Web API 3.11.1 or newer where ZIP entries are validated against the temporary directory\u2019s resolved real path", "If an upgrade is not immediately feasible, disable or restrict the media archive import functionality and ensure the temporary directory is confined to a non\u2011privileged sub\u2011filesystem or is mounted with restrictive permissions", "Review owner\u2011level accounts and revoke those unnecessary, reducing the number of users who can trigger the import operation"], "summary": {"action": "Immediate Patch", "impact": "Path Traversal via Zip Slip allowing arbitrary file writes"}, "threat_synthesis": {"affected_systems": "The Gramps Web API project (gramps\u2011project:gramps\u2011web\u2011api) is affected in releases from 1.6.0 up to and including 3.11.0. Version 3.11.1 adds validation that rejects any ZIP entry whose resolved real path falls outside the designated temporary directory, aborting the import.", "description_and_impact": "A crafted ZIP file used during media archive import can contain filenames with directory\u2011traversal sequences such as \"../../etc/passwd\". When extracted, these entries resolve to paths outside the temporary extraction directory, permitting the attacker to create or overwrite any file accessible to the server process. This leads to compromise of confidentiality, integrity, or availability of the system, classified under CWE\u201122.", "risk_and_exploitability": "The vulnerability carries a CVSS score of 9.1, indicating very high risk. No EPSS data is available, and the issue is not included in CISA KEV. Exploitation requires an authenticated user with owner\u2011level privileges. The attacker would need to upload a malicious ZIP via the media archive import endpoint; upon extraction, the server writes files outside its intended directory, potentially gaining unprivileged or elevated system access if the server\u2019s file\u2011system permissions allow it. The lack of a public exploit does not diminish the severity, as the path traversal flaw can be triggered without special conditions beyond ownership rights."}}}}, "created": "2026-04-18T09:00:05.897161+00:00", "updated": "2026-04-18T09:00:05.897181+00:00", "vendors": []}