


Perceptive Security
SOC/SIEM Consultancy

Published:
16 April 2026 at 22:00:00
Alert date:
17 April 2026 at 23:02:26
Source:
nvd.nist.gov
Web Technologies
The Gramps Web API, a Python REST API for genealogical research software, contains a path traversal vulnerability (Zip Slip) in versions 1.6.0 through 3.11.0. The vulnerability exists in the media archive import feature where authenticated users with owner-level privileges can craft malicious ZIP files with directory-traversal filenames. This allows attackers to write arbitrary files outside the intended temporary extraction directory on the server's local filesystem. The issue has been patched in version 3.11.1 by implementing validation of ZIP entry names against the resolved real path of the temporary directory before extraction.
Technical details
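The patch described above validates each ZIP entry name against the resolved real path of the temporary extraction directory before anything is written. The following is an added illustration of that defensive pattern, written for this alert and not taken from the Gramps Web API code base: `safe_extract_zip` and `is_inside` are assumed names, the archive contents are constructed in memory, and the check rejects traversal (`../`) and absolute entry names alike. Validation runs over the whole archive before the first write, so a single bad entry cannot leave a partially extracted tree behind.

```python
import io
import os
import tempfile
import zipfile


def is_inside(dest_real: str, entry_name: str) -> bool:
    """Return True only if the entry's resolved target stays within dest_real.

    dest_real must already be the result of os.path.realpath(). commonpath is
    used instead of a string-prefix test so that "/srv/x2" is not mistaken
    for a child of "/srv/x".
    """
    target = os.path.realpath(os.path.join(dest_real, entry_name))
    return os.path.commonpath([dest_real, target]) == dest_real


def safe_extract_zip(zip_bytes: bytes, dest_dir: str) -> list[str]:
    """Extract an in-memory ZIP into dest_dir, refusing any entry that would
    resolve outside the real path of dest_dir. Returns the files written."""
    dest_real = os.path.realpath(dest_dir)
    written: list[str] = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        # Pass 1: validate every entry name before touching the filesystem.
        for info in zf.infolist():
            if not is_inside(dest_real, info.filename):
                raise ValueError(
                    f"rejected zip entry outside extraction dir: {info.filename!r}"
                )
        # Pass 2: all names are known-safe, now write them.
        for info in zf.infolist():
            target = os.path.realpath(os.path.join(dest_real, info.filename))
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(target)
    return written


def build_zip(entries: dict[str, bytes]) -> bytes:
    """Build a ZIP in memory from {entry_name: content}. Constructed test data;
    zipfile stores entry names verbatim, including traversal components."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def demo() -> dict[str, bool]:
    """Run a benign archive and a traversal archive through the safe extractor."""
    benign = build_zip({"media/photo.jpg": b"\xff\xd8\xff", "media/notes.txt": b"hi"})
    traversal = build_zip({"media/ok.txt": b"fine", "../escaped.txt": b"outside"})
    with tempfile.TemporaryDirectory() as tmp:
        extract_dir = os.path.join(tmp, "extract")
        os.makedirs(extract_dir)

        written = safe_extract_zip(benign, extract_dir)
        benign_ok = len(written) == 2 and all(os.path.isfile(p) for p in written)

        try:
            safe_extract_zip(traversal, extract_dir)
            traversal_rejected = False
        except ValueError:
            traversal_rejected = True

        escaped = os.path.exists(os.path.join(tmp, "escaped.txt"))
        # Because validation precedes writing, even the harmless sibling
        # entry of the bad archive must not have been extracted.
        partial = os.path.exists(os.path.join(extract_dir, "media", "ok.txt"))
    return {
        "benign_ok": benign_ok,
        "traversal_rejected": traversal_rejected,
        "nothing_escaped": not escaped,
        "no_partial_write": not partial,
    }


if __name__ == "__main__":
    print(demo())
```

Resolving with `os.path.realpath` on both sides matters: if the temporary directory itself lives behind a symlink, comparing against the unresolved path would let a valid entry fail or a bad one slip through. The same `is_inside` check can be applied to any user-supplied archive format, not only ZIP.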
Mitigation steps:
Affected products:
Gramps Web API
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-40258
https://github.com/gramps-project/gramps-web-api/commit/3ed4342711e3ec849552df09b1fe2fbf2ca5c29a
https://github.com/gramps-project/gramps-web-api/releases/tag/v3.11.1
https://github.com/gramps-project/gramps-web-api/security/advisories/GHSA-m5gr-86j6-99jp
Related CVEs:
Related threat actors:
IOCs:
This article was created with the assistance of AI technology by Perceptive.
