External risk intelligence

Gramps Web API allows attackers to write files on the server

CVE advisory. Severity: CRITICAL (CVSS 9.1)

CVE-2026-40258

An authenticated attacker with owner-level access to the Gramps Web API could abuse the media archive import feature to write files outside the intended extraction directory, allowing them to overwrite critical configuration or plant malicious code. This enables full application compromise and control over the underlying server.

Halo Surface Signal (score: 3)

Path Traversal

External exposure likelihood

Halo Surface Signal score for CVE-2026-40258

The product is a web application API used for genealogical research. While it is a web-based service and can be hosted on the internet for shared access, it is a niche, often personal or self-hosted tool. It is not typically deployed as a widely exposed public-facing business web application or internet-edge gateway, so broad internet exposure is uncommon and limited to specific self-hosted deployments.

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability in the Gramps Web API could allow an authenticated user to write arbitrary files on the server. Member names inside an uploaded ZIP archive are not validated during media archive import, so a crafted archive whose entries contain directory-traversal sequences (Zip Slip) is extracted outside the intended directory. This could lead to significant system compromise if exploited.

  • Server-side file overwrite risk.
  • Requires authenticated access.
  • Impacts data integrity and availability.

Attack Path

How an attacker could exploit the issue

An authenticated owner-level user can exploit this vulnerability by uploading a specially crafted ZIP archive. This archive would contain files with names designed to traverse directories outside the intended extraction location, allowing them to overwrite or place arbitrary files on the server.

  • Requires authenticated owner privileges.
  • Targets the media archive import.
  • Upload a malicious ZIP archive.

Live Threat

Current exploitation, exposure, and threat context

Attackers may find this vulnerability less appealing due to its requirement for authenticated owner-level privileges and the niche nature of the Gramps Web API, which is often self-hosted for personal use rather than widely exposed internet-facing infrastructure. While it allows for arbitrary file write, the attack chain is more complex than typical unauthenticated vulnerabilities.

  • No public exploit code observed.
  • Not listed as actively exploited.
  • Fix released relatively quickly.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize patching Gramps Web API to version 3.11.1, which fixes the path traversal in media archive import that allows authenticated owner-level users to write arbitrary files. If immediate patching is not feasible, limit owner-level accounts to trusted users, import media archives only from trusted sources, and monitor for file creation outside the configured media directory.

  • Patch to version 3.11.1.
  • Restrict media import access.
  • Monitor for unauthorized file writes.

Frequently asked questions

What is the Gramps Web API and what versions are affected by CVE-2026-40258?

The Gramps Web API is a Python REST API for genealogical research software. Versions 1.6.0 through 3.11.0 are affected by a path traversal vulnerability.

How does the path traversal vulnerability (Zip Slip) in Gramps Web API work?

An authenticated owner-level user can exploit this by uploading a malicious ZIP file. This file can contain specially named files that traverse directories, allowing arbitrary file writes outside the intended extraction directory on the server.
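The following is an added example, not code from the Gramps Web API project, illustrating the Zip Slip mechanism described in the Attack Path section and in this answer, and the kind of check the Operational Fix advice calls for. It builds a constructed ZIP in memory with one member named `../../escaped.txt`, shows the vulnerable pattern (joining the member name to the destination without a containment check) writing outside the extraction root, and contrasts it with a hardened extractor and a pre-import scanner. The function names, the member names and the scratch-directory layout are assumptions for the demo; nothing here reflects the actual Gramps code paths.

```python
"""Zip Slip (CWE-22) demo: vulnerable vs. hardened ZIP extraction.

Added example; the archive contents and function names are constructed
for illustration and are not taken from the Gramps Web API.
"""
import io
import ntpath
import os
import posixpath
import tempfile
import zipfile


def build_malicious_zip() -> bytes:
    """Construct (in memory) an archive with one benign member and one
    whose name climbs two levels above the extraction root."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("media/photo.jpg", b"\xff\xd8\xff")   # benign member
        zf.writestr("../../escaped.txt", b"owned")        # traversal member
    return buf.getvalue()


def name_escapes(name: str) -> bool:
    """Pure-name check (ZIP names use '/'): absolute, drive-prefixed, or
    normalising to a leading '..' means the member would leave the root."""
    norm = posixpath.normpath(name.replace("\\", "/"))
    return (name.startswith(("/", "\\"))
            or bool(ntpath.splitdrive(name)[0])
            or norm == ".." or norm.startswith("../"))


def find_traversal_members(zip_bytes: bytes) -> list:
    """Scan an archive before extraction and list offending member names.
    Usable both as an import-time gate and as a detection rule on uploads."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if name_escapes(n)]


def is_member_safe(root: str, name: str) -> bool:
    """Filesystem check: the resolved target must stay inside the resolved
    root. realpath() collapses '..' and symlinks on both sides."""
    if name_escapes(name):
        return False
    root_real = os.path.realpath(root)
    target = os.path.realpath(os.path.join(root_real, name))
    return os.path.commonpath([root_real, target]) == root_real


def _write_member(zf: zipfile.ZipFile, info: zipfile.ZipInfo, target: str) -> None:
    os.makedirs(os.path.dirname(target), exist_ok=True)
    with open(target, "wb") as fh:
        fh.write(zf.read(info))


def extract_unsafe(zip_bytes: bytes, dest: str) -> list:
    """Vulnerable pattern: trusts member names and joins them to dest.
    Returns the real paths actually written."""
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = os.path.join(dest, info.filename)   # no containment check
            _write_member(zf, info, target)
            written.append(os.path.realpath(target))
    return written


def extract_safe(zip_bytes: bytes, dest: str) -> list:
    """Hardened pattern: reject the whole archive if any member escapes,
    before writing anything."""
    root = os.path.realpath(dest)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not is_member_safe(root, info.filename):
                raise ValueError(f"refusing traversal member: {info.filename!r}")
        return [
            os.path.realpath(os.path.join(root, info.filename))
            for info in zf.infolist()
            if _write_member(zf, info, os.path.join(root, info.filename)) is None
        ]


def demo() -> dict:
    """Run both extractors on the crafted archive inside a scratch
    directory and report where the traversal member landed."""
    data = build_malicious_zip()
    result = {"flagged": find_traversal_members(data)}
    with tempfile.TemporaryDirectory() as tmp:
        dest = os.path.join(tmp, "media", "root")   # '../..' from here is tmp
        os.makedirs(dest)
        escaped = os.path.realpath(os.path.join(tmp, "escaped.txt"))
        result["escaped_outside_root"] = escaped in extract_unsafe(data, dest)
        dest2 = os.path.join(tmp, "media", "root2")
        os.makedirs(dest2)
        try:
            extract_safe(data, dest2)
            result["safe_rejected"] = False
        except ValueError:
            result["safe_rejected"] = True
    return result


if __name__ == "__main__":
    print(demo())
```

The scanner is deliberately independent of the filesystem so it can run on an upload before anything is written (or over stored archives as a retrospective check); the extractor's `realpath` comparison is the authoritative gate because it also accounts for symlinks already present under the media root.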

What is the weakness class associated with CVE-2026-40258?

The weakness class associated with this vulnerability is CWE-22, which relates to improper limitation of a pathname to a restricted directory or a component of a pathname.

What is the relevance of CVE-2026-40258, considering its exploitation potential?

The relevance of this vulnerability is moderate because it requires authenticated owner-level privileges and targets the niche Gramps Web API, which is often self-hosted. While it allows arbitrary file writes, the attack complexity is higher than for unauthenticated vulnerabilities.

What steps should be taken to address the Gramps Web API vulnerability?

It is recommended to update the Gramps Web API to version 3.11.1, which includes a fix for the path traversal vulnerability. If immediate patching is not possible, restrict access to the media archive import feature and monitor for suspicious file activity.
