Cyber Resilience

CVE-2026-40258

Critical

Published: 17 April 2026

Published
17 April 2026
Modified
20 April 2026
KEV Added
Patch
CVSS Score v3.1 9.1 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
EPSS Score 0.0040 31.8th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-40258 is a critical-severity Path Traversal (CWE-22) vulnerability. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 31.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-40258 is a path traversal vulnerability, commonly known as Zip Slip, in the media archive import feature of the Gramps Web API, a Python REST API for the genealogical research software Gramps. The issue affects versions 1.6.0 through 3.11.0, where malicious ZIP files can exploit directory-traversal filenames to write files outside the intended temporary extraction directory on the server's local filesystem. It is rated with a CVSS score of 9.1 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H) and maps to CWE-22.

An authenticated user with owner-level privileges can exploit the vulnerability by crafting and uploading a malicious ZIP file via the media archive import endpoint. Successful exploitation enables arbitrary file writes on the server's filesystem, potentially allowing attackers to overwrite critical files, escalate privileges, or achieve remote code execution, with the scope changing to unchanged (S:C) amplifying the impact across confidentiality, integrity, and availability.

Mitigation is addressed in version 3.11.1 and later, where ZIP entry names are validated against the resolved real path of the temporary directory prior to extraction; any entry resolving outside this directory triggers an error and aborts the import. Security advisories, including the GitHub security advisory GHSA-m5gr-86j6-99jp, the release notes for v3.11.1, and the fixing commit (3ed4342711e3ec849552df09b1fe2fbf2ca5c29a), recommend updating to the patched version immediately.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

The Gramps Web API is a Python REST API for the genealogical research software Gramps. Versions 1.6.0 through 3.11.0 have a path traversal vulnerability (Zip Slip) in the media archive import feature. An authenticated user with owner-level privileges can craft…

more

a malicious ZIP file with directory-traversal filenames to write arbitrary files outside the intended temporary extraction directory on the server's local filesystem. Startig in version 3.11.1, ZIP entry names are now validated against the resolved real path of the temporary directory before extraction. Any entry whose resolved path falls outside the temporary directory raises an error and aborts the import.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

The path traversal vulnerability in the public-facing Gramps Web API enables exploitation of public-facing applications (T1190) via the media archive import endpoint and facilitates exploitation for privilege escalation (T1068) through arbitrary file writes that can overwrite critical files.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-41757Shared CWE-22
CVE-2025-12422Shared CWE-22
CVE-2025-62630Shared CWE-22
CVE-2026-4858Shared CWE-22
CVE-2026-32727Shared CWE-22
CVE-2024-38292Shared CWE-22
CVE-2026-21227Shared CWE-22
CVE-2026-42520Shared CWE-22
CVE-2026-1311Shared CWE-22
CVE-2025-22130Shared CWE-22

Affected Assets

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly addresses the path traversal by requiring validation of ZIP entry names against the temporary directory path before extraction.

prevent

Mandates timely flaw remediation, such as patching to version 3.11.1, to correct the improper ZIP handling vulnerability.

prevent

Enforces logical access controls to restrict file write operations to the intended temporary directory, preventing arbitrary filesystem writes.

References