CVE-2026-40258 — AI Deep Analysis Summary

🚨 **Essence**: Path Traversal in Media Archive Import. 💥 **Consequences**: Authenticated users can write arbitrary files to the server's local filesystem via malicious ZIPs. Critical integrity & confidentiality loss.

🛡️ **CWE-22**: Improper Limitation of a Pathname to a Restricted Directory. The flaw lies in how the API handles extracted paths from uploaded ZIP archives without sufficient sanitization.

📦 **Affected**: Gramps Web API. 📅 **Versions**: 1.6.0 through 3.11.0. 🏢 **Vendor**: gramps-project. If you are on v3.11.1 or later, you are safe.

🕵️ **Capabilities**: Write arbitrary files. 📂 **Target**: Local server filesystem. 🔑 **Privilege**: Requires 'Owner' level authentication.…

🔒 **Threshold**: Medium-High. 🆔 **Auth Required**: Yes, must be an authenticated user with 'Owner' privileges. 📤 **Action**: Must upload a crafted ZIP file. Not remote unauthenticated.

🚫 **Public Exp?**: No PoCs listed in the data. 🌐 **Wild Exp**: Unlikely given the high privilege requirement (Owner level). Focus is on defense, not immediate panic.

🔍 **Check**: Review API version. 📂 **Audit**: Check for unexpected files in media import directories. 📝 **Logs**: Monitor for unusual ZIP upload patterns from owner accounts.

✅ **Fixed**: Yes! 🚀 **Patch**: Upgrade to **v3.11.1** or later. 🔗 **Ref**: See GitHub release v3.11.1 and commit 3ed4342 for the fix details.

🛑 **Workaround**: Disable media archive import feature if possible. 🚫 **Access Control**: Restrict 'Owner' privileges strictly.…

⚠️ **Priority**: High for Owners. 📉 **Risk**: CVSS 8.6 (High). While auth is required, the impact (Full Control) is severe. Patch immediately if you have owner-level accounts active.