Skip to main content

PostgreSQL CVE-2026-40258

CRITICAL
Path Traversal (CWE-22)
2026-04-10 https://github.com/gramps-project/gramps-web-api GHSA-m5gr-86j6-99jp
9.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Re-analysis Queued
Apr 17, 2026 - 22:22 vuln.today
cvss_changed
Analysis Generated
Apr 10, 2026 - 21:45 vuln.today
Patch released
Apr 10, 2026 - 21:45 nvd
Patch available
CVE Published
Apr 10, 2026 - 21:00 nvd
CRITICAL 9.1

DescriptionGitHub Advisory

Summary

A path traversal vulnerability (Zip Slip) exists in the media archive import feature. An authenticated user with owner-level privileges can craft a malicious ZIP file with directory-traversal filenames to write arbitrary files outside the intended temporary extraction directory on the server's local filesystem.

Details

When importing media archives as ZIP file, MediaImporter._check_disk_space_and_extract() in gramps_webapi/api/media_importer.py called zipfile.extractall() without validating ZIP entry names. Python's zipfile module does not sanitize entry names containing ../ sequences, allowing extraction to paths outside the target directory.

Only users with owner permission can upload media ZIP archives, so the biggest risk is for multi-tree deployments, where tree owners are distinct from server administrators.

For multi-tree deployments, the impact depends on deployment configuration. Assuming the standard docker-based deployment is used:

  • SQLite family tree + local media: An attacker can overwrite another tree's database file or media files, leading to cross-tree data corruption or replacement.
  • Postgres family tree + S3 media: No persistent tree data is stored on the local filesystem, so cross-tree impact is eliminated. The remaining risk is overwriting volume-mounted files such as the application config file.
  • Postgres family tree + S3 media + environment-variable-only config: No persistent files of value are present on the local filesystem. Impact is limited to writes to ephemeral container storage, which are lost on woker restart.

Fix

ZIP entry names are now validated against the resolved real path of the temporary directory before extraction. Any entry whose resolved path falls outside the temporary directory raises an error and aborts the import.

AnalysisAI

Path traversal (Zip Slip) in gramps-web-api media archive import allows authenticated owner-privileged users to write arbitrary files outside intended directories via malicious ZIP archives. Exploitation requires owner-level access and enables cross-tree data corruption in multi-tree SQLite deployments or config file overwrite in volume-mounted configurations. Postgres+S3 deployments limit impact to ephemeral container storage. No public exploit identified at time of analysis.

Technical ContextAI

Unsafe use of Python zipfile.extractall() in MediaImporter._check_disk_space_and_extract() function fails to sanitize ZIP entry names containing ../ directory traversal sequences. CWE-22 path traversal permits extraction to arbitrary filesystem locations resolved relative to extraction directory. Fix validates ZIP entry resolved real paths against temporary directory boundaries before extraction.

RemediationAI

Vendor-released patch: upgrade to gramps-webapi version 3.11.1 or later, which implements path validation preventing directory traversal during ZIP extraction. Install via pip: pip install --upgrade gramps-webapi>=3.11.1. For environments unable to upgrade immediately, restrict owner-level permissions to trusted administrators only and audit existing media archive imports for unexpected filesystem modifications. Multi-tree deployments should migrate to Postgres+S3 storage backends to eliminate persistent local filesystem attack surface. Consult vendor advisory at https://github.com/gramps-project/gramps-web-api/security/advisories/GHSA-m5gr-86j6-99jp and review patch implementation at https://github.com/gramps-project/gramps-web-api/commit/3ed4342711e3ec849552df09b1fe2fbf2ca5c29a for technical details.

CVE-2025-1094 HIGH POC
8.1 Feb 13

PostgreSQL libpq functions PQescapeLiteral(), PQescapeIdentifier(), PQescapeString(), and PQescapeStringConn() improperl

CVE-2024-55964 CRITICAL POC
9.8 Mar 26

An issue was discovered in Appsmith before 1.52. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl

CVE-2013-1899 MEDIUM POC
6.5 Apr 04

Argument injection vulnerability in PostgreSQL 9.2.x before 9.2.4, 9.1.x before 9.1.9, and 9.0.x before 9.0.13 allows re

CVE-2026-20253 CRITICAL POC
9.8 Jun 10

Unauthenticated arbitrary file write in Splunk Enterprise (below 10.2.4 and 10.0.7) and Splunk Cloud Platform (below 10.

CVE-2017-7546 CRITICAL
9.8 Aug 16

PostgreSQL versions before 9.2.22, 9.3.18, 9.4.13, 9.5.8 and 9.6.4 are vulnerable to incorrect authentication flaw allow

CVE-2015-1352 MEDIUM POC
5.0 Mar 30

The build_tablename function in pgsql.c in the PostgreSQL (aka pgsql) extension in PHP through 5.6.7 does not validate t

CVE-2024-10553 CRITICAL POC
9.8 Mar 20

A vulnerability in the h2oai/h2o-3 REST API versions 3.46.0.4 allows unauthenticated remote attackers to execute arbitra

CVE-2019-9193 HIGH POC
7.2 Apr 01

In PostgreSQL 9.3 through 11.2, the "COPY TO/FROM PROGRAM" function allows superusers and users in the 'pg_execute_serve

CVE-2026-40887 CRITICAL POC
9.1 Apr 14

## Summary An unauthenticated SQL injection vulnerability exists in the Vendure Shop API. A user-controlled query strin

CVE-2022-24760 CRITICAL POC
10.0 Mar 12

Parse Server is an open source http web server backend. Rated critical severity (CVSS 10.0), this vulnerability is remot

CVE-2025-56157 CRITICAL POC
9.8 Dec 18

Hard-coded default PostgreSQL credentials shipped in the docker-compose.yaml of langgenius Dify through version 1.5.1 al

CVE-2024-12909 CRITICAL POC
9.8 Mar 20

A vulnerability in the FinanceChatLlamaPack of the run-llama/llama_index repository, versions up to v0.12.3, allows for

Share

CVE-2026-40258 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy