CVE-2026-40258
Gramps Project · Gramps Web API
A path traversal vulnerability (Zip Slip) in the Gramps Web API media archive import feature allows authenticated owners to write arbitrary files to the server filesystem.
Executive summary
An authenticated path traversal vulnerability in Gramps Web API versions 1.6.0 through 3.11.0 poses a critical risk of arbitrary file write and potential remote code execution.
Vulnerability
The vulnerability exists in the media archive import feature, where insufficient validation of ZIP entry paths allows an authenticated user with owner-level privileges to perform directory traversal. This permits the writing of files outside the intended temporary extraction directory.
Business impact
The ability to write arbitrary files to the server filesystem can lead to full system compromise if an attacker overwrites sensitive configuration files or places executable scripts in accessible directories. Given the CVSS score of 9.1, this vulnerability represents a severe threat to data integrity and system availability. Unauthorized file manipulation could result in significant operational disruption and loss of confidential genealogical data.
Remediation
Immediate Action: Upgrade the Gramps Web API to version 3.11.1 or later, which implements strict path validation for ZIP archives.
Proactive Monitoring: Review application and system logs for unusual file creation events or attempts to access directories outside the designated temporary storage path.
Compensating Controls: Restrict the permissions of the service account running the Web API to the minimum necessary and employ filesystem monitoring tools to detect unauthorized file writes.
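The strict path validation the remediation refers to, shown as an added example in Python (the language the Web API is written in). This is not the project's own patch; the destination directories and archive contents in the test are constructed for illustration. Every member name is checked before anything touches disk, so an archive with even one escaping entry is rejected whole.

```python
import io
import os
import zipfile
from pathlib import Path


def entry_escapes(dest: Path, name: str) -> bool:
    """True if a ZIP member name would be written outside dest."""
    # Absolute names, drive letters and backslash separators are never
    # legitimate in an upload, so reject them before any path arithmetic.
    if name.startswith(("/", "\\")) or os.path.splitdrive(name)[0] or "\\" in name:
        return True
    # resolve() collapses '..' components; the result must stay under dest.
    try:
        (dest / name).resolve().relative_to(dest.resolve())
        return False
    except ValueError:
        return True


def scan_archive(zip_bytes: bytes, dest: str) -> list[str]:
    """Return the member names that would escape dest (empty list = clean)."""
    target = Path(dest)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        return [n for n in archive.namelist() if entry_escapes(target, n)]


def safe_extract(zip_bytes: bytes, dest: str) -> list[str]:
    """Extract only after the whole archive has been checked; return member names.

    The scan runs before anything is created on disk, so a rejected archive
    leaves no partial extraction behind.
    """
    bad = scan_archive(zip_bytes, dest)
    if bad:
        raise ValueError(f"refusing archive, traversal entries: {bad}")
    target = Path(dest)
    target.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        archive.extractall(target)
        return archive.namelist()


def build_archive(members: dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP; member names are stored verbatim (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        for name, data in members.items():
            archive.writestr(name, data)
    return buf.getvalue()
```

Logging the rejected member names from `scan_archive` gives the "unusual file creation" signal the monitoring step above asks for, without extracting anything first.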
Exploitation status
Public Exploit Available: Not specified
Analyst recommendation
Organizations utilizing the Gramps Web API must prioritize updating to version 3.11.1 immediately to remediate this critical path traversal risk. Failure to apply this update leaves the underlying server susceptible to arbitrary file modification by authenticated users.