CVE-2026-40258 - Vulnerability Analysis
Severity: Critical | CVSS: 9.1 | Last Updated: April 17, 2026
Gramps Web API - Path Traversal
Overview
Gramps Web API 1.6.0 through 3.11.0 contains a path traversal vulnerability caused by improper validation of ZIP entry names in the media archive import feature, letting authenticated owner-level users write arbitrary files outside the intended directory.
Severity & Score
Impact
Authenticated owner-level users can write arbitrary files outside intended directories, potentially leading to system compromise or data tampering.
Mitigation
Update to version 3.11.1 or later.
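The advisory describes the root cause only as improper validation of ZIP entry names during media archive import, and the fix is to upgrade. For readers maintaining their own archive-import code, the following is an added example (not gramps-web-api code, and not the project's actual fix) of the check such a feature needs: every entry name is resolved against the destination directory before anything is written, so names with `..` components or absolute paths cannot escape it. The function names, the `media/` layout and the archive contents are constructed for the demonstration.

```python
"""Safe ZIP member validation for an archive-import feature (CWE-22 / "Zip Slip").

Added example, not code from gramps-web-api. Names and sample archives are constructed.
"""
import io
import os
import tempfile
import zipfile


def is_safe_member(dest_dir: str, member_name: str) -> bool:
    """Return True only if member_name resolves to a location inside dest_dir.

    Rejects absolute names and drive letters outright, then resolves the joined
    path so that "media/../../x" is caught even though it does not start with "..".
    """
    if os.path.isabs(member_name) or os.path.splitdrive(member_name)[0]:
        return False
    root = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(root, member_name))
    # commonpath, not startswith: "/srv/gramps" must not accept "/srv/gramps_evil/x".
    return os.path.commonpath([root, target]) == root


def import_media_archive(zip_bytes: bytes, dest_dir: str) -> list[str]:
    """Extract every regular file, writing each entry manually under dest_dir.

    Writing to open(os.path.join(dest_dir, name)) is exactly the pattern in which
    an unvalidated entry name becomes a path traversal, so every name is checked
    first. All names are validated before any write, so a crafted archive is
    rejected whole rather than partially landing on disk. Returns names written.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        members = [m for m in zf.infolist() if not m.is_dir()]
        bad = [m.filename for m in members if not is_safe_member(dest_dir, m.filename)]
        if bad:
            raise ValueError(f"archive entries escape destination: {bad}")
        written: list[str] = []
        for m in members:
            out_path = os.path.join(dest_dir, m.filename)
            os.makedirs(os.path.dirname(out_path), exist_ok=True)
            with zf.open(m) as src, open(out_path, "wb") as dst:
                dst.write(src.read())
            written.append(m.filename)
    return written


def build_archive(entries: dict[str, bytes]) -> bytes:
    """Constructed helper: build an in-memory ZIP with the given entry names as-is."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def demo() -> dict[str, object]:
    """Constructed scenario: one benign archive, one carrying a traversal entry."""
    benign = build_archive({"media/photo.jpg": b"jpeg-bytes", "media/notes.txt": b"hi"})
    crafted = build_archive({"media/ok.jpg": b"x", "../../outside.txt": b"escaped"})
    results: dict[str, object] = {}
    with tempfile.TemporaryDirectory() as tmp:
        results["benign"] = import_media_archive(benign, tmp)
        try:
            import_media_archive(crafted, tmp)
            results["crafted"] = "written"
        except ValueError:
            results["crafted"] = "rejected"
        # The crafted archive must not have left even its benign entry behind.
        results["partial_write"] = os.path.exists(os.path.join(tmp, "media", "ok.jpg"))
    return results


if __name__ == "__main__":
    print(demo())
```

The check is applied to the resolved path rather than by string inspection of the entry name, because encodings such as `a/../../b` or trailing segments after a legitimate prefix defeat simple `startswith("..")` tests. Validating the whole entry list before the first write keeps an import atomic from the filesystem's point of view, which also makes the rejection easy to log and alert on.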
References
Social Media Activity (2 posts)
🚨 CVE-2026-40258: CRITICAL path traversal in gramps-web-api (1.6.0-3.11.0). Owner-level users can write files outside intended dirs via crafted ZIPs. Upgrade to 3.11.1+ to mitigate! https://radar.offseq.com/threat/cve-2026-40258-cwe-22-improper-limitation-of-a-pat-00f841f8 #OffSeq #CVE202640258 #PathTraversal #Infosec
Related Resources
Details
- CVE ID: CVE-2026-40258
- Severity: Critical
- CVSS Score: 9.1
- Type: path_traversal
- Status: new
- EPSS: 0.0%
- Social Posts: 2
CWE
- CWE-22
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H