Description
The Gramps Web API is a Python REST API for the genealogical research software Gramps. Versions 1.6.0 through 3.11.0 have a path traversal vulnerability (Zip Slip) in the media archive import feature. An authenticated user with owner-level privileges can craft a malicious ZIP file with directory-traversal filenames to write arbitrary files outside the intended temporary extraction directory on the server's local filesystem. Starting in version 3.11.1, ZIP entry names are validated against the resolved real path of the temporary directory before extraction. Any entry whose resolved path falls outside the temporary directory raises an error and aborts the import.
Published: 2026-04-17
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Path Traversal via Zip Slip allowing arbitrary file writes
Action: Immediate Patch
AI Analysis

Impact

A crafted ZIP file used during media archive import can contain filenames with directory-traversal sequences such as "../../etc/passwd". When extracted, these entries resolve to paths outside the temporary extraction directory, permitting the attacker to create or overwrite any file writable by the server process. This leads to compromise of confidentiality, integrity, or availability of the system, classified under CWE-22.

Affected Systems

The Gramps Web API project (gramps-project:gramps-web-api) is affected in releases from 1.6.0 up to and including 3.11.0. Version 3.11.1 adds validation that rejects any ZIP entry whose resolved real path falls outside the designated temporary directory, aborting the import.
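The kind of check the 3.11.1 fix is described as adding, shown as an added example written for this page rather than the project's own code: each entry name is resolved against the real path of the temporary directory before anything is written, and an entry that resolves outside it aborts the whole import. The function names, the sample archives and their contents are constructed for the example; the project's real import endpoint and internals are not assumed.

```python
import io
import os
import tempfile
import zipfile

class UnsafeArchiveEntry(ValueError): """Entry resolves outside the extraction directory."""

def safe_target_path(root_dir, member_name):
    """Return the absolute destination for member_name, or raise if it escapes root_dir."""
    real_root = os.path.realpath(root_dir)
    # join() drops real_root for absolute names; realpath() collapses '..' and symlinks
    candidate = os.path.realpath(os.path.join(real_root, member_name))
    # commonpath rather than startswith: root /srv/import must not accept /srv/import2/x
    if os.path.commonpath([real_root, candidate]) != real_root:
        raise UnsafeArchiveEntry(f"entry {member_name!r} resolves outside {real_root}")
    return candidate

def safe_extract(zip_bytes, dest_dir):
    """Validate every entry before writing anything; return the file paths written."""
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        targets = [(i, safe_target_path(dest_dir, i.filename)) for i in zf.infolist()]
        for info, target in targets:
            if info.is_dir():
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(target)
    return written

def build_zip(entries):
    """Constructed sample archive; zipfile stores entry names verbatim, '..' included."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

def demo():
    benign = build_zip({"media/photo.jpg": b"constructed sample bytes"})
    hostile = build_zip({"media/ok.txt": b"x", "../escaped.txt": b"x"})
    with tempfile.TemporaryDirectory() as tmp:
        written = safe_extract(benign, tmp)
        try:
            safe_extract(hostile, tmp)
            rejected = False
        except UnsafeArchiveEntry:
            rejected = True
    return len(written), rejected
```

demo() returns (1, True): the benign archive writes one file, and the hostile one is rejected before any of its entries, including the harmless-looking first one, reaches disk. CPython's own ZipFile.extractall() sanitizes entry names itself; this check is for code that opens members and writes them to paths it builds on its own.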

Risk and Exploitability

The vulnerability carries a CVSS score of 9.1, indicating very high risk. No EPSS data is available, and the issue is not included in CISA KEV. Exploitation requires an authenticated user with owner-level privileges. The attacker would need to upload a malicious ZIP via the media archive import endpoint; upon extraction, the server writes files outside its intended directory, potentially giving the attacker unprivileged or elevated system access if the server's filesystem permissions allow it. The lack of a public exploit does not diminish the severity, as the path traversal flaw can be triggered without special conditions beyond ownership rights.

Generated by OpenCVE AI on April 18, 2026 at 08:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Gramps Web API 3.11.1 or newer, where ZIP entries are validated against the temporary directory's resolved real path
  • If an upgrade is not immediately feasible, disable or restrict the media archive import functionality and ensure the temporary directory is confined to a non-privileged sub-filesystem or is mounted with restrictive permissions
  • Review owner-level accounts and revoke any that are unnecessary, reducing the number of users who can trigger the import operation


Advisories
Source: GitHub GHSA
ID: GHSA-m5gr-86j6-99jp
Title: gramps-webapi: Zip Slip Path Traversal in Media Archive Import
History

Mon, 20 Apr 2026 15:15:00 +0000

Values added:
First Time appeared: Gramps-project; Gramps-project gramps-web-api
Vendors & Products: Gramps-project; Gramps-project gramps-web-api

Fri, 17 Apr 2026 21:30:00 +0000

Values added:
Description: The Gramps Web API is a Python REST API for the genealogical research software Gramps. Versions 1.6.0 through 3.11.0 have a path traversal vulnerability (Zip Slip) in the media archive import feature. An authenticated user with owner-level privileges can craft a malicious ZIP file with directory-traversal filenames to write arbitrary files outside the intended temporary extraction directory on the server's local filesystem. Starting in version 3.11.1, ZIP entry names are validated against the resolved real path of the temporary directory before extraction. Any entry whose resolved path falls outside the temporary directory raises an error and aborts the import.
Title: Gramps Web API has Zip Slip Path Traversal in Media Archive Import
Weaknesses: CWE-22
References:
Metrics: cvssV3_1 {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-20T15:48:41.690Z

Reserved: 2026-04-10T17:31:45.787Z

Link: CVE-2026-40258

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2026-04-17T22:16:32.067

Modified: 2026-04-29T21:04:10.060

Link: CVE-2026-40258

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T14:59:31Z

Weaknesses