CVE-2026-39355

Genealogy is a family tree PHP application. Prior to 5.9.1, a critical broken access control vulnerability in the genealogy application allows any authenticated user to transfer ownership of arbitrary non-personal teams to themselves. This enables complete takeover of other users’ team workspaces and unrestricted access to all genealogy data associated with the compromised team. This vulnerability is fixed in 5.9.1.

CVSS v3 9.9 CRITICAL

9.9^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.1 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://github.com/MGeurts/genealogy/security/advisories/GHSA-2rq7-jqm7-w8x4	Exploit Vendor Advisory
https://github.com/MGeurts/genealogy/security/advisories/GHSA-2rq7-jqm7-w8x4	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:kreaweb:genealogy:*:*:*:*:*:*:*:*

History

10 Apr 2026, 19:03

Type	Values Removed	Values Added
CPE		cpe:2.3:a:kreaweb:genealogy::::::::
First Time		Kreaweb Kreaweb genealogy
References	~~() https://github.com/MGeurts/genealogy/security/advisories/GHSA-2rq7-jqm7-w8x4 -~~	() https://github.com/MGeurts/genealogy/security/advisories/GHSA-2rq7-jqm7-w8x4 - Exploit, Vendor Advisory

08 Apr 2026, 19:25

Type	Values Removed	Values Added
References	~~() https://github.com/MGeurts/genealogy/security/advisories/GHSA-2rq7-jqm7-w8x4 -~~	() https://github.com/MGeurts/genealogy/security/advisories/GHSA-2rq7-jqm7-w8x4 -

07 Apr 2026, 19:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-04-07 19:16

Updated : 2026-04-10 19:03

NVD link : CVE-2026-39355

Mitre link : CVE-2026-39355

CVE.ORG link : CVE-2026-39355

JSON object : View

Products Affected

kreaweb

genealogy

CWE

CWE-862

Missing Authorization

{"id": "CVE-2026-39355", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.9, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 3.1}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2026-04-07T19:16:46.523", "references": [{"url": "https://github.com/MGeurts/genealogy/security/advisories/GHSA-2rq7-jqm7-w8x4", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/MGeurts/genealogy/security/advisories/GHSA-2rq7-jqm7-w8x4", "tags": ["Exploit", "Vendor Advisory"], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-862"}]}], "descriptions": [{"lang": "en", "value": "Genealogy is a family tree PHP application. Prior to 5.9.1, a critical broken access control vulnerability in the genealogy application allows any authenticated user to transfer ownership of arbitrary non-personal teams to themselves. This enables complete takeover of other users\u2019 team workspaces and unrestricted access to all genealogy data associated with the compromised team. This vulnerability is fixed in 5.9.1."}], "lastModified": "2026-04-10T19:03:43.350", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:kreaweb:genealogy:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9493DF66-D714-40BF-B9E9-C861AD3DE26F", "versionEndExcluding": "5.9.1"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}