CVE-2026-40258 - Vulnerability Analysis
Critical | CVSS: 9.1 | Last Updated: April 20, 2026
Gramps Web API - Path Traversal
Overview
Gramps Web API versions 1.6.0 through 3.11.0 contain a path traversal vulnerability (Zip Slip) caused by improper validation of ZIP entry names in the media archive import feature. An authenticated user with owner-level privileges can upload a crafted archive whose entry names escape the intended import directory, allowing arbitrary files to be written elsewhere on the server.
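The defect class described above is Zip Slip: an extractor joins each ZIP entry name onto the import directory without checking where the joined path actually lands. The following added example is not Gramps Web API code; the function names and the two sample archives are constructed here. It shows the entry-name check a media import routine needs (reject absolute names, drive prefixes and `..` components, then re-check the fully resolved path) and exercises it against a benign archive and one carrying a `../` entry.

```python
import io
import tempfile
import zipfile
from pathlib import Path, PurePosixPath


def is_safe_entry(name: str, dest: Path) -> bool:
    """True only if `name` stays inside `dest`: no absolute/drive/'..' names, then a resolved-path check."""
    parts = PurePosixPath(name.replace("\\", "/")).parts
    if not parts or parts[0] == "/" or ":" in parts[0] or ".." in parts:
        return False
    target = dest.resolve().joinpath(*parts).resolve()
    return target.is_relative_to(dest.resolve())  # Python 3.9+; catches anything the textual checks missed


def safe_extract(archive: bytes, dest: Path) -> list[str]:
    """Extract an in-memory ZIP into `dest`; refuse the whole archive if any entry name is unsafe."""
    written = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        bad = [n for n in zf.namelist() if not is_safe_entry(n, dest)]
        if bad:  # validate every name before writing anything
            raise ValueError(f"unsafe entry names rejected: {bad}")
        for info in zf.infolist():
            target = dest.resolve().joinpath(*PurePosixPath(info.filename).parts)
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(info))
            written.append(info.filename)
    return written


def build_archive(entries: dict[str, bytes]) -> bytes:  # constructed fixture: names are stored verbatim, so '..' survives
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def demo() -> dict:  # benign archive vs. one carrying a traversal entry (both constructed)
    benign = build_archive({"media/a.jpg": b"jpeg", "media/sub/b.jpg": b"jpeg2"})
    hostile = build_archive({"media/a.jpg": b"jpeg", "../escaped.txt": b"x"})
    with tempfile.TemporaryDirectory() as tmp:
        dest = Path(tmp, "import")
        ok = safe_extract(benign, dest)
        try:
            safe_extract(hostile, dest)
            rejected = False
        except ValueError:
            rejected = True
        escaped = Path(tmp, "escaped.txt").exists()  # must stay False: nothing written outside dest
    return {"benign_written": sorted(ok), "hostile_rejected": rejected, "escaped": escaped}
```

Rejecting the whole archive up front, rather than skipping bad entries one at a time, avoids leaving a half-imported media set behind and gives the audit log a single clear event to record.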
Impact
Authenticated owner-level users can write arbitrary files outside the intended directories, potentially leading to system compromise or data tampering.
Mitigation
Update to version 3.11.1 or later.
Social Media Activity (2 posts)
- CVE-2026-40258 - Critical (9.1) The Gramps Web API is a Python REST API for the genealogical research software Gramps. Versions 1.6.0 through 3.11.0 have a path traversal vulnerability (Zip Slip) in the media archive import feature. An authenticated user with owner-level privile... https://www.thehackerwire.com/vulnerability/CVE-2026-40258/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
- CVE-2026-40258: CRITICAL path traversal in gramps-web-api (1.6.0-3.11.0). Owner-level users can write files outside intended dirs via crafted ZIPs. Upgrade to 3.11.1+ to mitigate! https://radar.offseq.com/threat/cve-2026-40258-cwe-22-improper-limitation-of-a-pat-00f841f8 #OffSeq #CVE202640258 #PathTraversal #Infosec
Details
- CVE ID: CVE-2026-40258
- Severity: Critical
- CVSS Score: 9.1
- Type: path_traversal
- Status: unconfirmed
- EPSS: 5.1%
- Social Posts: 2
CWE
- CWE-22
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H