Critical Path Traversal in Gramps Web API Puts Data at Risk

The National Vulnerability Database has disclosed CVE-2026-40258, a critical path traversal vulnerability (CVSS 9.1) affecting Gramps Web API versions 1.6.0 through 3.11.0. This ‘Zip Slip’ flaw in the media archive import feature allows an authenticated user with owner-level privileges to craft a malicious ZIP file. By embedding directory-traversal filenames, an attacker can write arbitrary files outside the intended temporary extraction directory on the server’s local filesystem.

This isn’t just a theoretical vulnerability; it’s a direct path to server compromise. An attacker could overwrite critical system files, inject web shells, or drop executables, leading to full system control. The National Vulnerability Database notes that the fix, implemented in version 3.11.1, validates ZIP entry names against the resolved real path, aborting imports where paths fall outside the temporary directory. This is a solid mitigation, but it means older, unpatched versions are sitting ducks.

For defenders, the implications are clear: a high-privilege user, even if legitimate but compromised, can completely subvert the server. This is a classic example of how seemingly innocuous features like file uploads or imports become critical attack vectors when input validation is insufficient. The attacker’s calculus here is simple: leverage a trusted, high-privilege account to gain arbitrary file write, then escalate to full system compromise. It’s a low-effort, high-reward scenario.