Platform
python
Component
gramps-web-api
Fixed in
1.6.1
3.11.1
CVE-2026-40258 is a path traversal vulnerability, also known as a Zip Slip, affecting the Gramps Web API. This flaw allows an authenticated user with owner-level privileges to exploit the media archive import feature by crafting malicious ZIP files. Successful exploitation can lead to arbitrary file writes on the server's filesystem, potentially compromising sensitive data and system integrity. The vulnerability impacts versions 1.6.0 through 3.11.0 and is resolved in version 3.11.1.
The impact of CVE-2026-40258 is severe due to its potential for arbitrary file writes. An attacker could leverage this vulnerability to overwrite critical system files, inject malicious code, or exfiltrate sensitive data stored on the server. Specifically, an attacker could overwrite configuration files, database files, or even binaries, leading to complete system compromise. The ability to write outside the intended temporary directory significantly expands the attack surface. This vulnerability shares similarities with other Zip Slip vulnerabilities, highlighting the importance of proper ZIP file extraction validation. The blast radius extends to any data accessible by the Gramps Web API user, and potentially the entire server if critical system files are overwritten.
CVE-2026-40258 was published on 2026-04-17. Its CVSS score is 9.1 (CRITICAL). The vulnerability is not currently listed in CISA's KEV (Known Exploited Vulnerabilities) catalogue, and its EPSS (Exploit Prediction Scoring System) score is low, suggesting a low to medium probability of near-term exploitation, but the critical severity warrants close monitoring. Public proof-of-concept (PoC) code is not currently available, but the vulnerability's nature makes it likely that one will be developed. Monitor security advisories and vulnerability databases for updates.
Exploit Status
EPSS
0.07% (21st percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-40258 is to upgrade Gramps Web API to version 3.11.1 or later, which contains the fix. If immediate upgrading is not possible, consider implementing temporary workarounds. Restrict file upload permissions for users with owner-level privileges. Implement strict input validation on ZIP file names and paths before extraction, ensuring that directory traversal sequences (e.g., '../') are rejected. Consider using a WAF (Web Application Firewall) to filter potentially malicious ZIP file uploads. Monitor system logs for suspicious file creation or modification activity. Sigma or YARA rules can be developed to detect malicious ZIP files containing directory traversal sequences. After upgrading, verify the fix by attempting to import a ZIP file containing a directory traversal sequence and confirming that the extraction fails with an appropriate error message.
Upgrade to version 3.11.1 or later to mitigate the path traversal vulnerability. This version validates ZIP entry names against the resolved real path of the temporary directory before extraction, aborting the import if the path falls outside the temporary directory.
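The validation described above, as an added Python example that is not gramps-web-api's own code: every entry name is resolved against the real path of the destination directory before anything is written, and the whole import is refused if any entry escapes. `build_zip` and `demo` are constructed helpers that produce in-memory archives, one benign and one carrying a `../` entry.

```python
import io
import os
import shutil
import tempfile
import zipfile

def safe_extract(zip_bytes: bytes, dest_dir: str) -> list[str]:
    """Extract a ZIP into dest_dir, refusing the whole archive if any entry escapes it."""
    # realpath resolves symlinks, so a link inside dest_dir cannot redirect the check
    root = os.path.realpath(dest_dir)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        # Check every name before writing anything: one bad entry rejects the import
        targets = {}
        for name in zf.namelist():
            # join() drops root for absolute names and realpath() collapses "..",
            # so both escape styles land outside root and fail the prefix test
            target = os.path.realpath(os.path.join(root, name))
            if target != root and not target.startswith(root + os.sep):
                raise ValueError(f"entry {name!r} escapes {root}")
            targets[name] = target
        for name, target in targets.items():
            if name.endswith("/"):  # directory entry
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(name) as src, open(target, "wb") as dst:
                shutil.copyfileobj(src, dst)
    return [t for n, t in targets.items() if not n.endswith("/")]

def build_zip(entries: dict) -> bytes:
    """Build a ZIP in memory from {name: bytes} (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

def demo():
    """Returns (paths written from a benign archive, error from a '../' archive)."""
    tmp = os.path.realpath(tempfile.mkdtemp())
    try:
        ok = safe_extract(build_zip({"media/photo.jpg": b"\xff\xd8demo"}), tmp)
        try:
            safe_extract(build_zip({"../../escaped.txt": b"x"}), tmp)
            err = None
        except ValueError as e:
            err = str(e)
        return [os.path.relpath(p, tmp).replace(os.sep, "/") for p in ok], err
    finally:
        shutil.rmtree(tmp)
```

Because names are checked before any write, a rejected archive leaves no partially extracted files behind, which is the behaviour the post-upgrade verification step in the mitigation section looks for.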
It's a critical path traversal (Zip Slip) vulnerability in Gramps Web API allowing authenticated users to write arbitrary files on the server.
If you're running Gramps Web API versions 1.6.0 through 3.11.0, you are potentially affected. Upgrade immediately.
Upgrade to Gramps Web API version 3.11.1 or later. Implement temporary workarounds like input validation and restricted file upload permissions if upgrading isn't immediately possible.
Currently, there are no reports of active exploitation, but the critical severity and ease of exploitation make it a potential target.
Refer to the official Gramps Web API security advisories and the NVD (National Vulnerability Database) entry for CVE-2026-40258.