Platform: python
Component: gramps-web-api
Fixed in: 1.6.1, 3.11.1
CVE-2026-40258 is a path traversal vulnerability, also known as Zip Slip, in the Gramps Web API. It allows an authenticated user with owner-level privileges to abuse the media archive import feature with a crafted ZIP file whose entry names escape the extraction directory. Successful exploitation can lead to arbitrary file writes on the server's filesystem, potentially compromising sensitive data and system integrity. The vulnerability affects versions 1.6.0 through 3.11.0 and is resolved in version 3.11.1.
The impact of CVE-2026-40258 is severe because it yields an arbitrary file write. An attacker could use it to overwrite critical system files, plant malicious code, or expose sensitive data stored on the server. Specifically, an attacker could overwrite configuration files, database files, or even binaries, leading to complete system compromise. Because writes are not confined to the intended temporary directory, the attack surface is far larger than a media import should have. This vulnerability is a classic instance of the Zip Slip pattern and underlines the need to validate entry paths before extracting any archive. The blast radius extends to every file writable by the account the Gramps Web API process runs as, and potentially to the entire server if critical system files are overwritten.
CVE-2026-40258 was published on 2026-04-17. Its CVSS score of 9.1 (CRITICAL) reflects the severity of a successful exploit. The vulnerability is not currently listed in the CISA KEV (Known Exploited Vulnerabilities) catalog, and its EPSS (Exploit Prediction Scoring System) score is low, suggesting a low to medium probability of near-term exploitation, but the critical severity warrants close monitoring. Public proof-of-concept (PoC) code is not currently available, but the vulnerability's nature makes it likely that a PoC will be developed. Monitor security advisories and vulnerability databases for updates.
Exploit Status
EPSS: 0.07% (21st percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-40258 is to upgrade Gramps Web API to version 3.11.1 or later, which contains the fix. If immediate upgrading is not possible, consider implementing temporary workarounds. Restrict file upload permissions for users with owner-level privileges. Implement strict input validation on ZIP file names and paths before extraction, ensuring that directory traversal sequences (e.g., '../') are rejected. Consider using a WAF (Web Application Firewall) to filter potentially malicious ZIP file uploads. Monitor system logs for suspicious file creation or modification activity. Sigma or YARA rules can be developed to detect malicious ZIP files containing directory traversal sequences. After upgrading, verify the fix by attempting to import a ZIP file containing a directory traversal sequence and confirming that the extraction fails with an appropriate error message.
Update to version 3.11.1 or later to mitigate the Zip Slip vulnerability. This version validates each ZIP entry name against the fully resolved path of the temporary directory before extraction and aborts the import if the resulting path lies outside that directory.
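The following is an added example, not code from the Gramps Web API project, showing the kind of check described above: every entry name is joined onto the destination, fully resolved, and rejected if it does not stay inside the resolved destination. The same check doubles as the pre-extraction scan suggested in the mitigation section, so the block serves both the detection and the fix description. Function names (find_unsafe_entries, safe_extract, build_sample_zip) and the sample archives are this example's own inventions; the archives are constructed in memory and are not real Gramps exports.

```python
"""Added example (not Gramps Web API project code): reject Zip Slip entries
before extraction by resolving each target path and checking that it stays
inside the destination directory. All names here are this example's own."""
import io
import pathlib
import tempfile
import zipfile


def _resolved_target(dest: pathlib.Path, member_name: str) -> pathlib.Path:
    # Joining onto dest and resolving collapses "../" sequences; an absolute
    # entry name such as "/etc/x" replaces dest entirely under pathlib's join
    # rules and therefore also ends up outside dest and gets rejected.
    return (dest / member_name).resolve()


def find_unsafe_entries(zip_bytes: bytes, dest_dir: str) -> list[str]:
    """Return the names of entries whose resolved target would land outside
    dest_dir. Usable as a pre-extraction check or as a detection rule."""
    dest = pathlib.Path(dest_dir).resolve()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [
            name for name in zf.namelist()
            if not _resolved_target(dest, name).is_relative_to(dest)
        ]


def safe_extract(zip_bytes: bytes, dest_dir: str) -> list[str]:
    """Validate every entry first, then extract; a single escaping entry
    aborts the whole import before anything is written. Returns the
    relative paths written."""
    unsafe = find_unsafe_entries(zip_bytes, dest_dir)
    if unsafe:
        raise ValueError(f"Zip Slip entries rejected: {unsafe!r}")
    dest = pathlib.Path(dest_dir).resolve()
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = _resolved_target(dest, info.filename)
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(str(target.relative_to(dest)))
    return written


def build_sample_zip(entries: dict[str, bytes]) -> bytes:
    """Constructed sample archive for this demo (not a real Gramps export)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)  # stores the name verbatim, "../" included
    return buf.getvalue()


# Constructed inputs: one archive with a traversal entry, one without.
MALICIOUS_ZIP = build_sample_zip({
    "media/photo.jpg": b"fake-jpeg-bytes",
    "../../outside.txt": b"would escape the temp dir",
})
BENIGN_ZIP = build_sample_zip({"media/photo.jpg": b"fake-jpeg-bytes"})


def demo() -> tuple[list[str], bool, list[str]]:
    """Run both archives through the checks inside a fresh temp directory.
    Returns (flagged entries, whether the malicious import was aborted,
    paths written by the benign import)."""
    with tempfile.TemporaryDirectory() as tmp:
        flagged = find_unsafe_entries(MALICIOUS_ZIP, tmp)
        try:
            safe_extract(MALICIOUS_ZIP, tmp)
            aborted = False
        except ValueError:
            aborted = True
        benign_written = safe_extract(BENIGN_ZIP, tmp)
    return flagged, aborted, benign_written


if __name__ == "__main__":
    print(demo())
```

The two-pass design (validate all names, then extract) matters: a check that runs inside the extraction loop still lets earlier entries land on disk before the offending one is reached, so the import would be partially applied even though it "failed". Resolving the destination as well as the target keeps the comparison consistent when the temporary directory itself sits behind a symlink, as it does on some platforms.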
It's a critical path traversal (Zip Slip) vulnerability in Gramps Web API allowing authenticated users to write arbitrary files on the server.
If you're running Gramps Web API versions 1.6.0 through 3.11.0, you are potentially affected. Upgrade immediately.
Upgrade to Gramps Web API version 3.11.1 or later. Implement temporary workarounds like input validation and restricted file upload permissions if upgrading isn't immediately possible.
Currently, there are no reports of active exploitation, but the critical severity and ease of exploitation make it a potential target.
Refer to the official Gramps Web API security advisories and the NVD (National Vulnerability Database) entry for CVE-2026-40258.