gramps-webapi: Zip Slip Path Traversal in Media Archive Import

The impact of CVE-2026-40258 is severe due to its potential for arbitrary file writes. An attacker could leverage this vulnerability to overwrite critical system files, inject malicious code, or exfiltrate sensitive data stored on the server. Specifically, an attacker could overwrite configuration files, database files, or even binaries, leading to complete system compromise. The ability to write outside the intended temporary directory significantly expands the attack surface. This vulnerability shares similarities with other Zip Slip vulnerabilities, highlighting the importance of proper ZIP file extraction validation. The blast radius extends to any data accessible by the Gramps Web API user, and potentially the entire server if critical system files are overwritten.

1. आरक्षित2026-04-10
2. प्रकाशित2026-04-17
3. संशोधित2026-04-20
4. EPSS अद्यतन2026-04-25

The primary mitigation for CVE-2026-40258 is to upgrade Gramps Web API to version 3.11.1 or later, which contains the fix. If immediate upgrading is not possible, consider implementing temporary workarounds. Restrict file upload permissions for users with owner-level privileges. Implement strict input validation on ZIP file names and paths before extraction, ensuring that directory traversal sequences (e.g., '../') are rejected. Consider using a WAF (Web Application Firewall) to filter potentially malicious ZIP file uploads. Monitor system logs for suspicious file creation or modification activity. Sigma or YARA rules can be developed to detect malicious ZIP files containing directory traversal sequences. After upgrading, verify the fix by attempting to import a ZIP file containing a directory traversal sequence and confirming that the extraction fails with an appropriate error message.