CVE-2026-40258
Published: 17 April 2026
Summary
CVE-2026-40258 is a critical-severity Path Traversal (CWE-22) vulnerability. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 20.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly addresses the path traversal by requiring validation of ZIP entry names against the temporary directory path before extraction.
Mandates timely flaw remediation, such as patching to version 3.11.1, to correct the improper ZIP handling vulnerability.
Enforces logical access controls to restrict file write operations to the intended temporary directory, preventing arbitrary filesystem writes.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The path traversal vulnerability in the public-facing Gramps Web API enables exploitation of public-facing applications (T1190) via the media archive import endpoint and facilitates exploitation for privilege escalation (T1068) through arbitrary file writes that can overwrite critical files.
NVD Description
The Gramps Web API is a Python REST API for the genealogical research software Gramps. Versions 1.6.0 through 3.11.0 have a path traversal vulnerability (Zip Slip) in the media archive import feature. An authenticated user with owner-level privileges can craft…
more
a malicious ZIP file with directory-traversal filenames to write arbitrary files outside the intended temporary extraction directory on the server's local filesystem. Startig in version 3.11.1, ZIP entry names are now validated against the resolved real path of the temporary directory before extraction. Any entry whose resolved path falls outside the temporary directory raises an error and aborts the import.
Deeper analysisAI
CVE-2026-40258 is a path traversal vulnerability, commonly known as Zip Slip, in the media archive import feature of the Gramps Web API, a Python REST API for the genealogical research software Gramps. The issue affects versions 1.6.0 through 3.11.0, where malicious ZIP files can exploit directory-traversal filenames to write files outside the intended temporary extraction directory on the server's local filesystem. It is rated with a CVSS score of 9.1 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H) and maps to CWE-22.
An authenticated user with owner-level privileges can exploit the vulnerability by crafting and uploading a malicious ZIP file via the media archive import endpoint. Successful exploitation enables arbitrary file writes on the server's filesystem, potentially allowing attackers to overwrite critical files, escalate privileges, or achieve remote code execution, with the scope changing to unchanged (S:C) amplifying the impact across confidentiality, integrity, and availability.
Mitigation is addressed in version 3.11.1 and later, where ZIP entry names are validated against the resolved real path of the temporary directory prior to extraction; any entry resolving outside this directory triggers an error and aborts the import. Security advisories, including the GitHub security advisory GHSA-m5gr-86j6-99jp, the release notes for v3.11.1, and the fixing commit (3ed4342711e3ec849552df09b1fe2fbf2ca5c29a), recommend updating to the patched version immediately.
Details
- CWE(s)