CVE-2026-40258

Name of the Vulnerable Software and Affected Versions gramps-webapi (affected versions not specified)

Description A path traversal vulnerability (Zip Slip) exists in the media archive import feature. An authenticated user with owner-level privileges can craft a malicious ZIP file with directory-traversal filenames to write arbitrary files outside the intended temporary extraction directory on the server's local filesystem. The vulnerability resides in MediaImporter. check disk space and extract() in gramps webapi/api/media importer.py, where zipfile.extractall() is called without validating ZIP entry names. Python's zipfile module does not sanitize entry names containing ../ sequences, allowing extraction to paths outside the target directory. The impact depends on the deployment configuration. In a standard docker-based deployment with an SQLite family tree and local media, an attacker can overwrite another tree's database file or media files, leading to cross-tree data corruption or replacement. With a Postgres family tree and S3 media, the risk is limited to overwriting volume-mounted files such as the application config file. In a Postgres family tree with S3 media and environment-variable-only config, the impact is limited to writes to ephemeral container storage.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.