What is CVE-2026-40258?

CVE-2026-40258 is a critical-severity vulnerability in Gramps-project Gramps-web-api, classified under Path Traversal. CVSS score: 9.1/10. Published 2026-04-17.

How severe is CVE-2026-40258?

Critical severity. CVSS v3 base score is 9.1 out of 10.

Path Traversal in Gramps-project Gramps-web-api

CVE-2026-40258

The Gramps Web API is a Python REST API for the genealogical research software Gramps. Versions 1.6.0 through 3.11.0 have a path traversal vulnerability (Zip Slip) in the media archive import feature. An authenticated user with owner-level…

Vulnerability class: Path Traversal (Directory Traversal)

EPSS: 0.001 (22.3th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 9.1 (Critical). Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H.

Affected products

Gramps-project Gramps-web-api — versions >= 1.6.0, < 3.11.1

Weakness classification (CWE)

CWE-22 — Path Traversal

References

https://github.com/gramps-project/gramps-web-api/security/advisories/GHSA-m5gr-86j6-99jp (x_refsource_CONFIRM)
https://github.com/gramps-project/gramps-web-api/commit/3ed4342711e3ec849552df09b1fe2fbf2ca5c29a (x_refsource_MISC)
https://github.com/gramps-project/gramps-web-api/releases/tag/v3.11.1 (x_refsource_MISC)

Frequently asked questions

What is CVE-2026-40258?: CVE-2026-40258 is a critical-severity vulnerability in Gramps-project Gramps-web-api, classified under Path Traversal. CVSS score: 9.1/10. Published 2026-04-17.
How severe is CVE-2026-40258?: Critical severity. CVSS v3 base score is 9.1 out of 10.