CVE-2026-40258

Gramps Project · Gramps Web API

A path traversal vulnerability (Zip Slip) in the Gramps Web API media archive import feature allows authenticated owners to write arbitrary files to the server filesystem.

Executive summary

An authenticated path traversal vulnerability in Gramps Web API versions 1.6.0 through 3.11.0 poses a critical risk of arbitrary file write and potential remote code execution.

Vulnerability

The vulnerability exists in the media archive import feature, where insufficient validation of ZIP entry paths allows an authenticated user with owner-level privileges to perform directory traversal: an entry name such as one containing ".." components is joined to the extraction directory without being checked, so files can be written outside the intended temporary extraction directory.
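As an added illustration (not code from Gramps Web API), the following Python routine shows the kind of per-entry check that closes this class of bug: every ZIP entry name is rejected if it is absolute, contains a ".." component, or resolves outside the destination directory. The archive it builds is constructed for the example and contains one legitimate media file and one traversal entry.

```python
import os
import tempfile
import zipfile


def entry_escapes(dest_dir: str, entry_name: str) -> bool:
    """True if a ZIP entry name would resolve outside dest_dir (Zip Slip)."""
    # Normalise Windows-style separators so '..\\' is caught like '../'.
    parts = entry_name.replace("\\", "/").split("/")
    if entry_name.startswith(("/", "\\")) or os.path.isabs(entry_name) or ".." in parts:
        return True
    base = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(base, entry_name))
    # Accept only the base directory itself or paths strictly beneath it.
    return not (target == base or target.startswith(base + os.sep))


def safe_extract(archive_path: str, dest_dir: str):
    """Extract an archive, skipping entries that would escape dest_dir.

    Returns (extracted, rejected): lists of entry names in archive order.
    """
    extracted, rejected = [], []
    with zipfile.ZipFile(archive_path) as zf:
        for info in zf.infolist():
            name = info.filename
            if entry_escapes(dest_dir, name):
                rejected.append(name)  # log this: it is an indicator of a crafted archive
                continue
            target = os.path.join(dest_dir, name)
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
            else:
                os.makedirs(os.path.dirname(target), exist_ok=True)
                # Write explicitly rather than relying on the library to rewrite the path.
                with zf.open(info) as src, open(target, "wb") as dst:
                    dst.write(src.read())
            extracted.append(name)
    return extracted, rejected


def build_sample_archive(path: str) -> None:
    """Constructed sample: one normal media entry plus one traversal entry."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("media/photo.jpg", b"not really a jpeg")
        zf.writestr("../../evil.py", b"# would land two levels above the temp dir")


def demo():
    work = tempfile.mkdtemp()
    archive = os.path.join(work, "media.zip")
    build_sample_archive(archive)
    dest = os.path.join(work, "extract")
    os.makedirs(dest)
    return safe_extract(archive, dest)
```

Rejecting the entry outright, rather than silently stripping the ".." components, preserves an auditable signal that a malformed archive was uploaded.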

Business impact

The ability to write arbitrary files to the server filesystem can lead to full system compromise if an attacker overwrites sensitive configuration files or places executable scripts in accessible directories. Given the CVSS score of 9.1, this vulnerability represents a severe threat to data integrity and system availability. Unauthorized file manipulation could result in significant operational disruption and loss of confidential genealogical data.

Remediation

Immediate Action: Upgrade the Gramps Web API to version 3.11.1 or later, which implements strict path validation for ZIP archives.

Proactive Monitoring: Review application and system logs for unusual file creation events or attempts to access directories outside the designated temporary storage path.

Compensating Controls: Restrict the permissions of the service account running the Web API to the minimum necessary and employ filesystem monitoring tools to detect unauthorized file writes.

Exploitation status

Public Exploit Available: Not specified

Analyst recommendation

Organizations utilizing the Gramps Web API must prioritize updating to version 3.11.1 immediately to remediate this critical path traversal risk. Failure to apply this update leaves the underlying server susceptible to arbitrary file modification by authenticated users.