GHSA-m5gr-86j6-99jp

Source

https://github.com/advisories/GHSA-m5gr-86j6-99jp

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-m5gr-86j6-99jp/GHSA-m5gr-86j6-99jp.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-m5gr-86j6-99jp

Aliases

CVE-2026-40258

Published

2026-04-10T21:00:09Z

Modified

2026-04-10T21:32:40Z

Severity

9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H CVSS Calculator

Summary

gramps-webapi: Zip Slip Path Traversal in Media Archive Import

Details

Summary

A path traversal vulnerability (Zip Slip) exists in the media archive import feature. An authenticated user with owner-level privileges can craft a malicious ZIP file with directory-traversal filenames to write arbitrary files outside the intended temporary extraction directory on the server's local filesystem.

Details

When importing media archives as ZIP file, MediaImporter._check_disk_space_and_extract() in gramps_webapi/api/media_importer.py called zipfile.extractall() without validating ZIP entry names. Python's zipfile module does not sanitize entry names containing ../ sequences, allowing extraction to paths outside the target directory.

Only users with owner permission can upload media ZIP archives, so the biggest risk is for multi-tree deployments, where tree owners are distinct from server administrators.

For multi-tree deployments, the impact depends on deployment configuration. Assuming the standard docker-based deployment is used:

SQLite family tree + local media: An attacker can overwrite another tree's database file or media files, leading to cross-tree data corruption or replacement.
Postgres family tree + S3 media: No persistent tree data is stored on the local filesystem, so cross-tree impact is eliminated. The remaining risk is overwriting volume-mounted files such as the application config file.
Postgres family tree + S3 media + environment-variable-only config: No persistent files of value are present on the local filesystem. Impact is limited to writes to ephemeral container storage, which are lost on woker restart.

Fix

ZIP entry names are now validated against the resolved real path of the temporary directory before extraction. Any entry whose resolved path falls outside the temporary directory raises an error and aborts the import.

Database specific

{
    "nvd_published_at": null,
    "severity": "CRITICAL",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-22"
    ],
    "github_reviewed_at": "2026-04-10T21:00:09Z"
}

References

Affected packages

PyPI / gramps-webapi

Package

Name: gramps-webapi; View open source insights on deps.dev
Purl: pkg:pypi/gramps-webapi

Affected ranges

Type: ECOSYSTEM
Events: Introduced

1.6.0

Fixed

3.11.1

Affected versions

1.*

1.6.0

2.*

2.0.0

2.1.0

2.2.0

2.2.1

2.3.0

2.3.1

2.4.0

2.4.1

2.4.2

2.4.3

2.5.0

2.5.1

2.5.2

2.5.3

2.6.0

2.7.0

2.8.0

2.8.1

2.8.2

2.9.0

2.9.1

2.9.2

3.*

3.0.0

3.0.1

3.0.2

3.1.0

3.2.0

3.3.0

3.4.0

3.4.1

3.5.0

3.6.0

3.7.0

3.7.1

3.8.0

3.9.0

3.9.1

3.10.0

3.11.0

Database specific

last_known_affected_version_range

"<= 3.11.0"

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-m5gr-86j6-99jp/GHSA-m5gr-86j6-99jp.json"