Path Traversal Vulnerability in Gramps Web API by Gramps
CVE-2026-40258

9.1CRITICAL

Key Information:

Vendor

Gramps-project

Status
Gramps-web-api
Vendor
CVE Published:
17 April 2026

What is CVE-2026-40258?

The Gramps Web API, a Python REST API for genealogical research, suffers from a path traversal vulnerability in its media archive import feature. This vulnerability allows an authenticated user with owner-level privileges to exploit the system by crafting a malicious ZIP file containing directory-traversal filenames. Such manipulation could lead to writing arbitrary files outside the designated temporary extraction directory on the server's local filesystem, potentially compromising its security. Notably, starting from version 3.11.1, the API includes validation of ZIP entry names against the resolved real path, enhancing its protection against this type of attack.

Affected Version(s)

gramps-web-api >= 1.6.0, < 3.11.1

References

https://github.com/gramps-project/gramps-web-api/security...
x_refsource_CONFIRM
https://github.com/gramps-project/gramps-web-api/commit/3...
x_refsource_MISC
https://github.com/gramps-project/gramps-web-api/releases...
x_refsource_MISC

CVSS V3.1

Score:
9.1
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.