CVE-2026-40258: gramps-webapi: Zip Slip Path Traversal in Media Archive Import
A path traversal vulnerability (Zip Slip) exists in the media archive import feature. An authenticated user with owner-level privileges can upload a crafted ZIP archive whose member names contain directory-traversal sequences (for example, `../../`); when the archive is unpacked, those entries are written outside the intended temporary extraction directory, giving the user arbitrary file write on the server's local filesystem. The references below link the fixing commit and the v3.11.1 release.
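The pattern behind a Zip Slip bug, and the check that closes it, as an added example (this is not gramps-webapi code and does not reproduce its import routine; all function names and the archive contents are constructed for illustration). The unsafe extractor joins each member name onto the destination directory without validation; the hardened one resolves every name with `os.path.realpath` and rejects the whole archive if any entry lands outside the destination:

```python
"""Zip Slip demo: an unchecked os.path.join(dest, member_name) lets a
'../../' member escape the extraction directory; a realpath/commonpath
check rejects it.  Added example, not project code; names hypothetical."""
import io
import os
import tempfile
import zipfile


def build_archive(traversal: bool) -> bytes:
    """Constructed sample archive: one benign member, optionally one traversal member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("media/photo.jpg", b"\xff\xd8 not really a jpeg")
        if traversal:
            # Attacker-controlled name that climbs out of the extraction directory.
            zf.writestr("../../escaped.txt", b"written outside the extraction dir")
    return buf.getvalue()


def _write_member(zf: zipfile.ZipFile, info: zipfile.ZipInfo, dest: str) -> str:
    """Write one member to dest/<member name>; returns the resolved path written."""
    target = os.path.join(dest, info.filename)
    os.makedirs(os.path.dirname(target), exist_ok=True)
    with zf.open(info) as src, open(target, "wb") as dst:
        dst.write(src.read())
    return os.path.realpath(target)


def unsafe_extract(zip_bytes: bytes, dest: str) -> list:
    """Vulnerable pattern: trusts member names as given.  (zipfile.extractall()
    itself strips '..' and absolute prefixes since Python 3.3.1; the bug lives
    in hand-rolled loops like this one.)"""
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.is_dir():
                written.append(_write_member(zf, info, dest))  # no traversal check
    return written


def member_is_safe(root: str, name: str) -> bool:
    """True only if `name`, resolved against `root`, stays inside `root`.
    Catches '../', absolute names, and paths through already-extracted symlinks."""
    root = os.path.realpath(root)
    target = os.path.realpath(os.path.join(root, name))
    try:
        return os.path.commonpath([root, target]) == root
    except ValueError:  # different drives on Windows
        return False


def safe_extract(zip_bytes: bytes, dest: str) -> list:
    """Hardened pattern: validate every member name before writing anything."""
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        bad = [i.filename for i in zf.infolist() if not member_is_safe(dest, i.filename)]
        if bad:
            raise ValueError(f"archive rejected, traversal entries: {bad}")
        for info in zf.infolist():
            if not info.is_dir():
                written.append(_write_member(zf, info, dest))
    return written


def demo() -> dict:
    """Run both extractors against the constructed archives; returns the outcome."""
    with tempfile.TemporaryDirectory() as tmp:
        # Nest the target so '../../' lands inside tmp and is cleaned up afterwards.
        dest = os.path.join(tmp, "uploads", "job-1", "extract")
        os.makedirs(dest)
        root = os.path.realpath(dest)
        paths = unsafe_extract(build_archive(traversal=True), dest)
        escaped = [p for p in paths if os.path.commonpath([root, p]) != root]
        try:
            safe_extract(build_archive(traversal=True), dest)
            rejected = False
        except ValueError:
            rejected = True
        clean = safe_extract(build_archive(traversal=False), dest)
        return {
            "unsafe_escaped": escaped,  # e.g. ['.../uploads/escaped.txt']
            "escaped_file_exists": all(os.path.exists(p) for p in escaped),
            "safe_rejected": rejected,
            "safe_clean_written": len(clean),
        }


if __name__ == "__main__":
    print(demo())
```

The check is done on the resolved (`realpath`) target against the resolved root, not on the raw string, so an absolute member name (which `os.path.join` would silently accept as the whole path) and a member that routes through a symlink created by an earlier entry are both caught. Validating the entire member list before writing anything means a rejected archive leaves no partial extraction behind.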
References
- github.com/advisories/GHSA-m5gr-86j6-99jp
- github.com/gramps-project/gramps-web-api
- github.com/gramps-project/gramps-web-api/commit/3ed4342711e3ec849552df09b1fe2fbf2ca5c29a
- github.com/gramps-project/gramps-web-api/releases/tag/v3.11.1
- github.com/gramps-project/gramps-web-api/security/advisories/GHSA-m5gr-86j6-99jp
- nvd.nist.gov/vuln/detail/CVE-2026-40258